Privacy analysis of websites knowing what apps are installed - getInstalledRelatedApps

There’s a trend of bringing web apps closer to native smartphone apps. You can see it in the increasingly popular Progressive Web Applications (PWAs): web applications that can be installed locally on a smartphone and are then available to the user just like any other app on the device (and that in some respects may bypass some State-sanctioned censorship).

The web ecosystem is currently equipping PWAs with considerable superpowers, for example the ability to use some powerful smartphone features without having to ask the user for permission. Some of these changes are incremental.

When a user visits a website, can the site learn that the user has the corresponding “app” installed? Currently not. But this may change once the Get Installed Related Apps API is broadly deployed. It is already enabled in Chrome 80 on Android.

The method getInstalledRelatedApps only works for websites and apps that have explicitly declared a relationship with each other: the website lists the app in its web app manifest, and the app in turn declares the website (on Android, through a Digital Asset Links statement). Websites are unable to query for arbitrary apps. This security and privacy design feature was considered from the start, which is great. Should we be satisfied, or are there other things we should think or worry about?
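To make the mutual-declaration rule concrete, here is an added example (not Chrome’s code and not part of the original post) that models the gate a browser applies before getInstalledRelatedApps() reports anything to a page. The device state, package ids, origins and manifests are constructed for the example; only apps that the page’s manifest lists and that themselves name the page’s origin are ever returned.

```javascript
// Added example (not Chrome's implementation): a simplified model of the check a
// browser performs before getInstalledRelatedApps() reports an app to a page.
// An app is reported only when two independent declarations agree:
//   1. the page's web app manifest lists the app under related_applications;
//   2. the installed app itself declares the page's origin (on Android this is
//      a Digital Asset Links statement shipped inside the app).
// All package ids, origins and manifests below are constructed for the example.

// Constructed device state: three installed apps and the origins they vouch for.
const deviceApps = [
  { platform: "play", id: "com.example.maps", declaredOrigins: ["https://maps.example.com"] },
  { platform: "play", id: "com.example.bank", declaredOrigins: ["https://bank.example.com"] },
  { platform: "play", id: "com.example.game", declaredOrigins: [] },
];

// Model of the browser-side check. `origin` is the page calling the API,
// `manifest` its web app manifest, `opts.incognito` the browsing mode.
function simulateGetInstalledRelatedApps(origin, manifest, device, opts = {}) {
  // Private browsing: the API reports nothing, regardless of what is installed.
  if (opts.incognito) return [];
  const declared = Array.isArray(manifest.related_applications)
    ? manifest.related_applications
    : [];
  const reported = [];
  for (const decl of declared) {
    const match = device.find(app =>
      app.platform === decl.platform &&
      app.id === decl.id &&
      app.declaredOrigins.includes(origin)); // the app must name this origin
    if (match) reported.push({ platform: match.platform, id: match.id });
  }
  return reported;
}

// Constructed manifests. The first belongs to maps.example.com; the second is a
// hypothetical tracker listing apps it does not own in order to probe for them.
const mapsManifest = {
  related_applications: [{ platform: "play", id: "com.example.maps" }],
};
const trackerManifest = {
  related_applications: [
    { platform: "play", id: "com.example.maps" },
    { platform: "play", id: "com.example.bank" },
    { platform: "play", id: "com.example.game" },
  ],
};

function demo() {
  return {
    // Mutual declaration present: the app is reported.
    ownSite: simulateGetInstalledRelatedApps(
      "https://maps.example.com", mapsManifest, deviceApps),
    // No installed app vouches for the tracker's origin: nothing is reported,
    // although all three apps are installed and listed in its manifest.
    tracker: simulateGetInstalledRelatedApps(
      "https://tracker.example.net", trackerManifest, deviceApps),
    // Same page as the first case, but in private browsing: empty.
    ownSiteIncognito: simulateGetInstalledRelatedApps(
      "https://maps.example.com", mapsManifest, deviceApps, { incognito: true }),
  };
}
```

The tracker case is the point of the design: listing someone else’s app in your manifest gains you nothing unless that app also names your origin, which is why the API cannot be used to enumerate arbitrary installed apps. The incognito branch is the behaviour discussed further below.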

Privacy footing

In the real world, new web features often end up being abused; that is simply a fact, so we should consider the risks diligently. For example, there are concerns about coalitions of websites and apps formed to track users: abusive websites and app makers joining forces and configuring their apps to point to a specific website, so that the website can use the fact of the app being installed (or not) as a signal, like a fingerprint. This may be a more complex problem than privacy alone (the feature is seen as harmful by Firefox); it may also raise anti-competition and consumer protection issues.

In general, application providers controlling many popular apps could have ways to abuse their powers.

Special consideration: the privacy footprint

This feature is not intended to work in private browsing (“incognito”) modes: the returned list of installed apps will be empty there. While understandable, this design decision may backfire in a counter-intuitive way, which is the finding I find most interesting.

This API may allow websites to detect users browsing in private/incognito mode, for certain combinations of websites and apps. Some apps are very broadly installed on Android; some are extremely popular or even come preinstalled. So imagine a hypothetical app “Maps” which is so common that it can be expected to be installed. If such a user visits, for example, the website maps.google.com in incognito mode, the website would be unable to detect that the application is installed on the user’s device. But since “Maps” is broadly installed, the website can be nearly certain that the incoming Android visitor does in fact have the application installed, and so it can deduce that the user is browsing in private mode. Now extrapolate this concern to more such popular apps and websites: every additional widely installed app that the API fails to report makes the inference stronger.
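The inference above can be written down. The following is an added example, not code from the original post, showing how a site could turn the absence of results from getInstalledRelatedApps() into a probabilistic guess that the visitor is in a private window. The prior, the package ids and the install rates are constructed assumptions, not measurements of any real app; the example goes slightly beyond the text by combining several declared apps into one estimate.

```javascript
// Added example, not from the original post: how a site could turn the
// *absence* of results from getInstalledRelatedApps() into a guess that the
// visitor is in private browsing, where the API always returns [].
// All rates and ids are constructed assumptions, not measurements.

// Assumed prior: fraction of visitors using a private window.
const PRIOR_PRIVATE = 0.10;

// Each observation describes one app the site has declared as related:
//   installRate - assumed fraction of Android visitors who have it installed
//   reported    - whether the API actually reported it as installed
// Returns P(private window | observations), assuming the install states of
// different apps are independent (a simplification, see the note below).
function privateModePosterior(observations, priorPrivate = PRIOR_PRIVATE) {
  let likelihoodNormal = 1;  // P(observations | normal window)
  let likelihoodPrivate = 1; // P(observations | private window)
  for (const { installRate, reported } of observations) {
    if (reported) {
      // A reported app is impossible in private mode: posterior is 0.
      return 0;
    }
    // Normal window: "not reported" can only mean "not installed".
    likelihoodNormal *= 1 - installRate;
    // Private window: "not reported" is certain whatever is installed.
    likelihoodPrivate *= 1;
  }
  const joint = priorPrivate * likelihoodPrivate;
  return joint / (joint + (1 - priorPrivate) * likelihoodNormal);
}

// Pair the site's declared apps (with assumed install rates) with an API result.
// `apiResult` has the shape navigator.getInstalledRelatedApps() resolves to:
// an array of { platform, id, ... } objects for the apps that were found.
function toObservations(declaredApps, apiResult) {
  const found = new Set(apiResult.map(app => app.id));
  return declaredApps.map(app => ({
    installRate: app.installRate,
    reported: found.has(app.id),
  }));
}

// Constructed scenario: a site that has declared two very common apps.
const declared = [
  { id: "com.example.maps", installRate: 0.95 },
  { id: "com.example.store", installRate: 0.80 },
];

function scenarios() {
  return {
    // One near-ubiquitous app missing: the 10% prior rises to about 69%.
    oneMissing: privateModePosterior(toObservations(declared.slice(0, 1), [])),
    // Both missing: the two misses compound to about 92%.
    bothMissing: privateModePosterior(toObservations(declared, [])),
    // The API reported one app: a private window is ruled out.
    oneReported: privateModePosterior(
      toObservations(declared, [{ platform: "play", id: "com.example.maps" }])),
  };
}
```

Two caveats a practitioner would add. First, the independence assumption between apps is generous to the attacker; correlated install bases make the compounded estimate too confident. Second, a real site must feature-detect (`"getInstalledRelatedApps" in navigator`) before interpreting an empty result, otherwise every browser that simply lacks the API would be misread as a private window. Neither caveat removes the signal for a single ubiquitous app, which is the core of the concern.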

Fingerprinting & profiling

Beyond the above concerns, there is some general fingerprinting risk: websites would be able to discover that the user has a particular app installed. Fortunately this is opt-in in the sense that the user needs to install the app (except in the scenario of a coalition intent on abusing the feature, or when the app comes preinstalled). It also leads to profiling concerns: a website able to detect that an app is installed locally can reason about the user’s preferences. Both risks would be fairly limited if the API limited the number of apps a website can query for.

Summary

Having a strong and living Web is unconditionally good. But technology design today touches many issues: privacy, anti-competition, even consumer protection. While some risks look niche at first sight, on further thought they may become more tangible. This is a development and design issue as much as a business issue, because security and privacy must be considered at all levels.

Did you like the assessment and analysis? Any questions, comments, complaints or maybe even offers? Feel free to reach out: me@lukaszolejnik.com