Google Chrome development faced criticism because of new API – getInstalledRelatedApps. According to experts, it could seriously affect the privacy of user data.
The getInstalledRelatedApps API has been under development since 2015. Chrome 59 introduced it as an experiment. The API allows developers to determine if their app is installed on the user’s device and, for example, avoid displaying one notification twice.
Experts, however, point out that getInstalledRelatedApps is designed more in the interests of developers, and when used incorrectly, it poses a threat to user data security and privacy. If a resource owner can use getInstalledRelatedApps to figure out what apps are installed on a device, they can use that information for their own purposes. An even greater threat is that attackers could generate targeted phishing emails or hack the device through app vulnerabilities if they receive this information.
Daniel Bratell, a developer of the Opera browser, wondered if the API was that necessary: “The mobile web already suffers from hard attempts to force Web users to replace their use of sites with apps, and this looks like an attempt to redirect them from the opennet to closed ecosystems.”
Ryan Canso, Google’s specs editor and engineer, confirmed that the API is being developed more for companies, “While it’s not the kind of API that will directly benefit users, they will indirectly benefit from using it because of the improved web interface.”
Google engineer Yoav Weiss later entered the discussion to express concern about the privacy implications of the API: “Knowing that certain apps have been installed could contain valuable and potentially sensitive information about the user: income level, relationship status, sexual orientation, etc.”
Peter Snyder, privacy researcher at browser maker Brave, expressed concern that getInstalledRelatedApps could be used to fingerprint users. “If I represent a company with a lot of apps (like Google), with 16-32 apps registered in the stores, a subset of apps installed by any user would probably be a very strong semi-identifier, which carries a risk for device fingerprinting, wouldn’t it?”
Kanso responded that the specification includes mechanisms to prevent abuse — for example, apps and Web sites must declare associations with each other, so a third-party Web site can’t query another company’s apps on a device for the purpose of analyzing or fingerprinting the device.
However, publishers are making efforts to loosen the restrictions. An engineer at PayPal said the payment processor wants to be able to launch its own app with a Web payment button that’s in an iframe. Matt Juka, a Google engineer, responding to the suggestion, said, “It’s a little scary to extend the API from ‘any site you visit to see if it has an embedded app’ to ‘any site embedded in a site you visit to see if it has an embedded app. Weiss, for his part, warned that providing access to third-party frames can lead to abuse: “For example, many apps can be associated with adprovider.example (for a fee), which will give 3P frames AdProvider access to a lot of personal information about the user (such as what devices they purchased and installed the app for), as well as fingerprint data.”
google
android
security