
Posted by gniting 3/29/2025

Everyone knows all the apps on your phone (peabee.substack.com)
1195 points | 482 comments | page 2
hnburnsy 3/30/2025|
>For extremely specific use cases such as file managers, browsers or antivirus apps, Google grants an exception by allowing QUERY_ALL_PACKAGES permission, which provides full visibility into installed apps.

'Extreme' my a*. My bank app has this permission, as well as my camera app, contacts app, clock app, Google Home, and on and on. My bank app was moved to an old iPad because of this.

silenced_trope 3/30/2025|
yea I used to work for an advertising network and every game that implemented the Android SDK ended up with this permission, it was a way that we used to not show ads for games that the user already had on their phone
weinzierl 3/30/2025||
"the one that blue tick twitter accounts living in certain pin codes of Bengaluru passionately discuss amongst themselves for a week every year"

To someone embarrassingly unfamiliar with Indian culture, what does it mean?

thatloststudent 3/30/2025||
I want to expand on this more as someone more familiar with Bangalore/Bengaluru.

Almost like clockwork, Blume Ventures releases a report every year about the state of the Indian startup ecosystem that year, and since Bengaluru startups are almost all concentrated around Koramangala or HSR layout (these are places inside Bengaluru with their own PIN/address codes), you'll find a lot of people talking about that online.

gopkarthik 3/30/2025|||
^ This.

You can read the reports at https://blume.vc/reports/indus-valley-annual-report-2025 or archives at https://www.indusvalleyreport.com/ .

The ppt in the blog is from the 2024 report - https://docsend.com/view/zqgfupfzyud499hn. The India 1-2-3 framework is old though. IIRC it was coined by a retail sector founder (Kishore Biyani) in the 2000s.

Also Koramangala, HSR layout are also the more affluent localities in Bengaluru.

weinzierl 3/30/2025||||
Thanks a lot. That makes total sense!
pavel_lishin 3/30/2025|||
Would it be analogous to Silicon Valley in America?
xolve 3/30/2025|||
Bengaluru/Bangalore has hotspots (PIN codes are postal address codes) where there are lots of startups, mostly in ecommerce, ad-tech, online education etc. and they have incentive to upsell you a lot.

I guess it's referring to some wannabe influencer buying Twitter(X) premium and posting based on half baked info on customers.

Mostly sarcasm, so take with a grain of salt. I can't tell about accuracy, but explaining the cultural context here.

weinzierl 3/30/2025||
Thanks, this is helpful. Is the certain week referring to a specific festival?
evertedsphere 3/30/2025|||
presumably the report comes out every year and it's discussed for some time after that
xolve 3/30/2025|||
I don't know, sounds like any week.
moi2388 3/30/2025||
The PowerPoint he talks about and that is displayed on the line below it
weinzierl 3/30/2025||
I know but that does not clarify the connection between blue tick, certain pin codes and a certain week in the slightest.

Sure, these are probably all hints to affluent members of society but I was hoping for a more detailed explanation.

banqjls 3/30/2025||
Blue tick/check = verified Twitter accounts, from when Twitter staff chose who to give the blue tick and only gave it to journalists, technologists, etc. that the Twitter staff wanted to amplify. Nowadays a blue check simply means you purchased premium, but we remember the original meaning. This is not an Indian thing.

PIN codes = postal codes.

weinzierl 3/30/2025||
Yes, the interesting question is which PIN codes is the author hinting at and which week of the year and why. This is what I want to know. I think I can figure out the rest myself.

But while we are at it: What is the significance of a cow trading app. Is it used by people who treat cows as sacred or the opposite?

Slitted 3/30/2025||
I’m sorry but I have to bring this up: are these comments bait? The questions are a little too naive yet purposeful.
weinzierl 3/31/2025||
No, I was just in a different frame, seeking cultural significance while missing the obvious.

I expected something more along the lines of:

There is this cultural group some people refer to as WASPs, but they usually would not self-apply that designation. They are not a formal organization but more a fixed social group into which an individual is born within a particular system of social stratification.

Their cultural lives (and to a large degree their business processes) are organized along an annual cycle starting shortly after the northern winter solstice, even though they claim this is the date of birth of their religious leader. During that time and before a new cycle starts, their businesses practically come to a standstill for a week of celebrations.

A certain subgroup of them has become highly influential in the tech industry. Their most prominent leaders and their companies often gather in and around the zip codes 94024, 94040, 94301, 95014, 95030 in an area called "Silicon Valley."

surmoi 3/30/2025||
Exodus Privacy will let you know about these kinds of Android apps you should avoid installing https://exodus-privacy.eu.org/

Swiggy is actually a small player in terms of permissions requested, with 'only' 47. Compare it to Weibo with 104, WeChat with 93, Facebook with 85, Snapchat with 71 (granted those apps may offer additional services that require some additional permissions, but they are definitely not worth giving them all your data...)

turrini 3/30/2025||
I don't know if it is just me but I run every class of app in isolated "islands" (like work profiles) on Android. Browsers, banking apps, social media, instant messaging, tools, etc. Almost everything is isolated from another non related group.
olejorgenb 3/30/2025|
How?
einszwei 3/29/2025||
Just wow. I assumed that Google patched this a few years back but guess they left a few backdoors.
gruez 3/29/2025||
It's probably more an oversight than a "backdoor". They already have a "frontdoor" in the form of a permission that's pre-granted to them by the OS, so there's little need for them to devise backdoors like the android.intent.action.MAIN query that the blog post mentions.
iamnotarobotman 3/30/2025|||
I just don't trust Google anymore. They are not the same as they were years ago and have just declined in general.

Play Store Review and everything takes weeks sometimes and I can't tolerate that.

dhosek 3/29/2025||
I would pretty much assume that any Android phone is a massive privacy leak and security risk. I’d hope that an iPhone is better, but I’d be wrong.
solardev 3/30/2025||
Privacy issues aside, it's kinda cool reading about how Indians use their phones, and also how they use English. I'd never heard "beyond the pale" before, and I'm still not sure what the idea of "multiple Indias" means when some of them are Mexico and some are Africa...?

I've also never heard of the majority of the apps being analyzed or tracked. Must be such a different world out there.

milesrout 3/30/2025||
Beyond the pale is commonly used in English. A pale is a stake, and it means beyond the boundary (set out by a fence with stakes, hence the phrase) of what is acceptable. It gained popularity in the mid 19th century. It may be related to the term "the Pale" which referred to the better controlled more Anglicised part of Ireland around Dublin, but there isn't enough evidence to be sure of this. Certainly not an Indianism anyway.

>I'm still not sure what the idea of "multiple Indias" means when some of them are Mexico and some are Africa...?

Is it not pretty obvious? It is like the phrase "middle America". It doesn't literally mean a different country. It means different wealth categories: the Indians that when considered as a whole are economically equivalent roughly to Mexico, those roughly equivalent to Indonesia (poorer) and those roughly equivalent to Sub-Saharan Africa (poorest). There are ~1b Indians that are still so poor they aren't realistically in the market for your startup app if it wants its customers to ever spend anything, there are ~300m Indians that could be in the market for some apps, but probably mostly free ad-funded ones, and there are ~150m Indians that are quite a good market because they will happily spend money on something that provides value.

I got all this just from reading the post btw.

solardev 3/30/2025|||
Makes sense, thanks! I love reading about how other cultures do software.
rashidujang 3/30/2025|||
From the context, what I gather was meant by the idea of "multiple Indias" was the socioeconomic status of different demographics in India and their app usage. The presence of specific apps gives a tell to which demographic they belong to.

In other words, the richest demographic used certain apps and was equated to folks in Mexico, followed by the less rich equated to folks in Indonesia and the poor to Sub-Saharan Africa.

Explore4526 3/31/2025|||
It's the average cooldude marketing of self-proclaimed "India 1", denigrating their own people and can't think outside of labeling others as something else.

These people are extremely snobbish in person when you go past their sweet talks, who don't understand much about people. I hated the "real" interactions and went back to being an IC in big tech.

Part of it is because they don't understand them, part of it is because they "understand" via someone else who told them stuff (like a redditor assuming everything on r/india is true), part of it is their own contempt of culture due to previous reasons ("ah these people are beyond any repair!"). Basically, ignorance in elites.

nsonha 3/31/2025||
In some former colonies, the dialect can be a snapshot of the language back in colonial time. Happens to names as well as expressions.

I learned this watching a stand-up routine by Malaysian comic Nigel Ng. He was explaining his first name.

photonthug 3/30/2025||
> It's worth acknowledging that there are some legitimate reasons for an app to check which other apps are installed on your phone. For example, an app might check which UPI apps are installed to show relevant payment options.

Nope! Nope, nope, nope. If you're wondering how we got into this situation.. well, it's exactly stuff like this. Weird to see someone who's digging into it at all also making excuses for it.

No one ever said "I want to avoid a single extra click once every other month, so I guess I better irrevocably open my data/phone/life up completely to megacorp forever". And they certainly did not say this about tinycorp. People just absolutely suck at adversarial thinking, and good guys need to do it for them before bad guys can. Do you want organized crime blackmailing your politicians about dating apps and infidelity? Do you want to make it easy to do large scale targeting of ${vulnerable_people} the next time the cultural or political climate shifts?

Come on. Anyway shouldn't the phone OS itself handle this rather than apps launching apps?? If not.. just let people pick a payment option, and then throw an error if the option is not available.

qwe----3 3/30/2025||
> "I want to avoid a single extra click once every other month, so I guess I better irrevocably open my data/phone/life up completely to megacorp forever"

Nah, it's super annoying when I click on a link and don't get redirected to the native app. This happens way more than once a month. Web experiences are much worse for many things.

photonthug 3/30/2025|||
Cool but the attitude of “bring on the dystopian future as long as it’s more convenient for some people some of the time” is still confusing to me. Do you imagine that leaked information like this has never gotten someone killed before, and never will in the future?
hollow-moe 3/30/2025|||
Good, because this is what Intents are for. No app needs to know all your installed apps to launch them with a link.
Explore4526 3/31/2025||
Yes, the phone can handle the UPI intent.

What actually needs to be done is to remove the "default" feature and ask every time.

For finer control (get ₹X off on using Y app), apps can make their own intent.

djrj477dhsnv 3/30/2025||
Anyone know if GrapheneOS has protection against this?
switch007 3/30/2025||
It doesn't afaik. Only indirectly through multiple profiles

I was kind of surprised

https://discuss.grapheneos.org/d/13302-query-all-packages-pe...

https://discuss.grapheneos.org/d/7800-how-to-mitigate-identi...

Later

For the wider audience: though don't take this as GrapheneOS doesn't care about privacy. I'm sure there are reasons (I didn't read all of the linked threads) and it gives you plenty of other protections and tools - eg profiles, ability to disable all network access by app etc

fph 3/30/2025||
A rationale from the core developer [1]:

> I'm sure there are plenty of system APIs providing this information too, and I don't just mean APIs designed to directly provide the information.

> It's not useful to prevent directly getting a list of installed applications without preventing detecting which applications are installed, so this specific feature request has to be rejected. It would have to be part of a larger, much more comprehensive feature preventing apps from finding other apps. That implies outright preventing communication with non-system components which is a much different approach to applications and rules out a lot of things. [...]

> The request should be for preventing apps from discovering which apps are installed, since anything less than that has no privacy / security value. There's no point in disallowing access to a list while not preventing discovering which apps are installed anyway.

The open issue to restrict app visibility is [2].

[1] https://github.com/GrapheneOS/os-issue-tracker/issues/149#issuecomment-553590002

[2] https://github.com/GrapheneOS/os-issue-tracker/issues/2197

djrj477dhsnv 3/30/2025||
I get what he's saying, but still seems like blocking the easy way of getting a list of apps, while certainly not perfect, would prevent most privacy abuse.
aucisson_masque 3/30/2025|||
Yes.

Privacy is not an on off switch, it's about making things leak data less.

I really don't understand GrapheneOS development sometimes, like when they refuse to make a setting to invert the back and recent button. Yes it's not part of AOSP but it's so simple to do and a feature that all manufacturers offer because people want it, refusing to do that is weird imo.

fph 4/2/2025|||
Would it? My understanding is that most fingerprinting is done by a few large companies, in their own proprietary libraries that are shipped with third-party apps. If you block this method, they will quickly find another one and ship it everywhere, because that is their core business.

With browser fingerprinting, the ad companies are already regularly pulling many shenanigans; I don't see a reason why this would be different.

subscribed 3/30/2025||
Not yet but it's on the road map. https://github.com/GrapheneOS/os-issue-tracker/issues/2197
rkagerer 3/29/2025||
Can you see in the Play store before installing an app exactly which other apps it's allowed to talk to? Can you see it on your phone and override?
gruez 3/29/2025|
No, not in any straightforward way, although you can theoretically:

1. download the APK from a mirror site

2. disassemble it to get the android manifest

3. inspect the android manifest to check for the things the blog post discusses
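
An added example (not part of the comment above or of the blog post) of step 3: a Python check over a manifest that has already been decoded to text XML, for example with apktool. It flags the QUERY_ALL_PACKAGES permission, `<queries>` package probes and the android.intent.action.MAIN query mentioned in this thread. The sample manifest and its package names are constructed, and treating any MAIN-action query as broad is this example's own heuristic.

```python
import xml.etree.ElementTree as ET

# Attributes in a decoded manifest carry the android: namespace; tags do not.
A = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: decoded AndroidManifest.xml of a hypothetical app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <queries>
    <package android:name="com.example.upi"/>
    <package android:name="com.example.dating"/>
    <intent>
      <action android:name="android.intent.action.MAIN"/>
    </intent>
    <intent>
      <action android:name="android.intent.action.VIEW"/>
      <data android:scheme="upi"/>
    </intent>
  </queries>
</manifest>"""


def audit_manifest(xml_text):
    """Report how a manifest asks for visibility into other installed apps."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name")
             for tag in ("uses-permission", "uses-permission-sdk-23")
             for e in root.iter(tag)}
    report = {
        "query_all_packages": "android.permission.QUERY_ALL_PACKAGES" in perms,
        "named_packages": [],   # apps probed one by one
        "broad_intents": [],    # MAIN action: matches nearly every app
        "scoped_intents": [],   # narrower queries, e.g. one URI scheme
    }
    for queries in root.iter("queries"):
        for pkg in queries.findall("package"):
            report["named_packages"].append(pkg.get(A + "name"))
        for intent in queries.findall("intent"):
            actions = [a.get(A + "name") for a in intent.findall("action")]
            schemes = [d.get(A + "scheme") for d in intent.findall("data")]
            entry = {"actions": actions, "schemes": schemes}
            broad = "android.intent.action.MAIN" in actions
            report["broad_intents" if broad else "scoped_intents"].append(entry)
    return report


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```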

therealmarv 3/30/2025|
It's a known fact in the rooting community because some banking apps search for root-only apps!

If you root (I advise against doing that) and have LSPosed installed you can hide apps from being seen by every other app with Hide My Applist (HMA) [1] or HMAL (which I like more because it is more minimalistic) [2]

[1] https://github.com/Dr-TSNG/Hide-My-Applist

[2] https://github.com/pumPCin/HMAL
