Until a few years ago, any app you installed on an Android device could see all other apps on your phone without your permission.
Since 2022, with Android 11, Google removed this access from app developers. Under their new package visibility policy, apps should only see other installed apps if it’s essential to their core functionality. Developers must also explicitly declare these apps in the AndroidManifest.xml file - a required configuration file for all Android apps.
For extremely specific use cases such as file managers, browsers or antivirus apps, Google grants an exception by allowing the QUERY_ALL_PACKAGES permission, which provides full visibility into installed apps.
I don’t use Android as my primary phone, but I have a spare one and I was really curious to find out which apps from Indian companies had checks to see what other apps I had installed.
So I downloaded a few dozen Indian apps I could think of off the top of my head and started reading their manifest files. Surely they will be respectful of my privacy and will only query apps essential to their app's core functionality? 🙃
It's worth acknowledging that there are some legitimate reasons for an app to check which other apps are installed on your phone. For example, an app might check which UPI apps are installed to show relevant payment options. Most of the manifest files I examined included checks for these apps. Some also looked for app cloning or multi-account apps, likely for security and fraud detection. All acceptable use cases.
But a few Indian companies went above and beyond with these checks. Let’s start with Swiggy. It has a staggering 154 package names listed in its manifest file, allowing it to query those apps on my phone. Here’s the full list:
I don’t even know where to begin unpacking this madness. How is knowing whether I have the Xbox or the PlayStation app installed on my phone essential to Swiggy's core functionality? How will knowing if I have the Naukri or Upstox app help them deliver groceries to my doorstep?
The wide range of categories of apps in this list strongly suggests Swiggy is collecting installed apps data for user profiling and to build a behavioural profile of their customers. This seems to be against Play Store's policies, which consider the list of installed apps to be personal and sensitive user data.
This reminded me of that ppt from Blume Ventures - the one that blue-tick Twitter accounts living in certain pin codes of Bengaluru passionately discuss amongst themselves for a week every year. It had this interesting slide on apps used by different Indias:
Swiggy queries most of these apps and more on your phone. It not only knows which India you belong to, but it can pinpoint exactly where you fall within it.
Let's talk about another app now, and it's the usual suspect, the undisputed champion of asshole design - Zepto. They have listed 165 apps to check for on your device.
From Netflix to Bumble to Binance, the list includes nearly every popular app across all categories. There were recent reports of Zepto displaying different prices for iOS and Android users. With the help of this data, they can also show different pricing for different Android phones, which some customers are already seeing.
Even though Swiggy and Zepto have to declare these apps to query in the manifest file, as a user, you have no visibility into this list when you download their apps from the Play Store.
I also analyzed Swiggy and Zepto's apps for their delivery riders. The app query list is different from their consumer apps. Both include checks to see which other companies their riders work for. Here’s Zepto's list:
But Swiggy takes it a step further - it also checks for personal loan apps, personal finance apps, and even keeps tabs on apps like Ludo King or Carrom Pool on their delivery riders' phones.
Can't we even play Ludo in peace without being spied on by our employers? Does even downtime need to be tracked by Swiggy? It’s embarrassing that Swiggy feels the need to include these ridiculous app queries on their delivery riders' phones.
Speaking of personal loan apps in India, their predatory practices are well documented. A couple of years ago, there was a major crackdown that led to the removal of thousands of such apps from the Play Store. I took a look at some that still exist.
KreditBee is listed as one of the top apps in the personal loans space on the Play Store with over 50 million downloads. And can you believe their app checks for 860 apps installed on your phone? 860!!! I am sorry, you may have to squint or zoom in a little to view this list.
I only skimmed through this list - there are just too many apps. I hope someone reading this can do a thorough analysis. It's probably because of the bubble I live in, but I hadn’t even heard of most of these apps, even though most of them have tens of millions of downloads.
Beyond the usual categories, I see there are checks for apps like Tamil Calendar, Odia Calendar, Qibla Direction Finder, mandir apps, astrology apps. They know what they’re doing.
There is "Jodii for Diploma, +2,10 below", a matrimony app for those who haven’t graduated high school. It has 10M+ downloads.
Then there is also "गाय भैंस खरीदें बेचें Animall" (cow buy/sell marketplace?) which also has more than 10M downloads.
This list of apps is a window into how a large part of India uses their phones - their daily lives, habits, and priorities.
Another leading personal loan app, Moneyview, with over 50 million downloads, has included checks for a staggering 944 apps in its manifest file - the highest among all the apps I examined. I am not including it in this post; you can read the full list here.
I'm surprised KreditBee and Moneyview apps passed the Play Store's review. Play Store policy explicitly restricts personal loan apps from using the QUERY_ALL_PACKAGES permission. But these apps are bypassing this restriction by individually listing every app they want to detect in their manifest file instead.
I found only one manifest file which had the high-risk and sensitive QUERY_ALL_PACKAGES permission - it was Cred’s. Play Store grants a "temporary exception" to include this permission if apps have “a verifiable core purpose facilitating financial-transactions involving financially regulated instruments”.
But none of the other apps I analyzed in the same segment as Cred, like PhonePe or Paytm, had this permission in their manifest files. In fact, Cred offers personal loans too, which as per Play Store’s Personal loans policy is not eligible for this exception. Not sure how Cred is still allowed to keep this permission, which lets it see all the apps on your phone without any disclosures.
I read the manifest files of around 50 popular apps from Indian companies. Apart from Swiggy, Zepto, Cred, and a couple of personal loan apps, most had fairly reasonable and respectful app query lists.
Guess I expected worse. Maybe I am too cynical about these apps - could they actually be the good guys? 🙃
As I was about to conclude this exercise, I noticed a couple of interesting lines when I was skimming through the manifest file of one of the apps:
<queries>
    [...]
    <intent>
        <action android:name="android.intent.action.MAIN" />
    </intent>
    [...]
</queries>
I am no expert in Android development, but from what I understand, the "ACTION_MAIN" filter in the configuration above grants visibility into all installed apps that, simply put, have a screen.
Since most installed apps run in the foreground and have a user interface, this filter grants developers access to see all the apps on your phone - without needing the QUERY_ALL_PACKAGES permission!
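The manifest check described in the preceding paragraphs, written out as a small auditing script. This is an added example, not code from this post or from any of the apps named in it; it parses a decoded AndroidManifest.xml the way the author did by hand and reports what the queries block declares: how many package names are listed individually, whether the QUERY_ALL_PACKAGES permission is requested, and whether an intent filter on android.intent.action.MAIN is present, which is the permission-free route to the full app list discussed above. The two manifests embedded in the script are constructed for the example (com.example.upi.wallet is a made-up package id, and the function names audit_manifest and describe are mine).

```python
import xml.etree.ElementTree as ET

# Android attribute namespace; android:name becomes "{...}name" in ElementTree.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS

QUERY_ALL_PACKAGES = "android.permission.QUERY_ALL_PACKAGES"
READ_SMS = "android.permission.READ_SMS"
ACTION_MAIN = "android.intent.action.MAIN"

# Constructed sample manifest for this example (not any real app's manifest).
# It lists a few UPI apps explicitly and also carries the ACTION_MAIN filter.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.audit">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <queries>
        <package android:name="com.phonepe.app" />
        <package android:name="net.one97.paytm" />
        <package android:name="com.example.upi.wallet" />
        <intent>
            <action android:name="android.intent.action.MAIN" />
        </intent>
    </queries>
    <application android:label="audit" />
</manifest>
"""

# Second constructed manifest: an explicit package list only, no broad filter.
NARROW_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.narrow">
    <queries>
        <package android:name="com.phonepe.app" />
    </queries>
</manifest>
"""


def audit_manifest(xml_text):
    """Summarise what a decoded AndroidManifest.xml declares about app visibility."""
    root = ET.fromstring(xml_text)
    permissions = {el.get(NAME) for el in root.iter("uses-permission")}

    packages = []
    action_main_filter = False
    for queries in root.iter("queries"):
        # Each <package> is one app the developer asked to be able to see.
        packages.extend(p.get(NAME) for p in queries.findall("package"))
        # An <intent> filter on ACTION_MAIN matches every app with a launchable screen.
        for intent in queries.findall("intent"):
            actions = {a.get(NAME) for a in intent.findall("action")}
            if ACTION_MAIN in actions:
                action_main_filter = True

    return {
        "packages": packages,
        "package_count": len(packages),
        "query_all_packages": QUERY_ALL_PACKAGES in permissions,
        "action_main_filter": action_main_filter,
        "reads_sms": READ_SMS in permissions,
        # Either route lets the app enumerate effectively every launchable app.
        "full_visibility": (QUERY_ALL_PACKAGES in permissions) or action_main_filter,
    }


def describe(report):
    """One-line verdict in the spirit of the post's per-app notes."""
    if report["query_all_packages"]:
        how = "QUERY_ALL_PACKAGES permission"
    elif report["action_main_filter"]:
        how = "ACTION_MAIN intent filter (no permission needed)"
    else:
        how = "explicit package list only"
    return "%d package(s) listed; visibility: %s" % (report["package_count"], how)


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("narrow", NARROW_MANIFEST)):
        print(label, "->", describe(audit_manifest(text)))
```

To run this against a real app, decode the binary manifest first (for example with `apkanalyzer manifest print app.apk` from the Android SDK command-line tools) and pass the resulting XML text to audit_manifest. The script only reports what the manifest declares: a listed ACTION_MAIN filter is a capability the app has asked for, not proof that the app actually enumerates and uploads your installed apps, which is exactly why the lack of any disclosure to the user matters.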
To be sure, I vibe co -- I can't say it without wincing -- I vibe coded a basic Android app and added the same "ACTION_MAIN" filter in my manifest file. And when I queried for installed packages, just as expected, this little hack returned a list of all the apps on my phone!!!
This seems like a massive privacy loophole in Android. Surely Play Store would reject apps that use this hack as this is a blatant violation of their store's user data policy?
Out of 47 Indian apps I randomly analyzed, 31 of them used the "ACTION_MAIN" filter - giving them access to see all the apps on your phone without any disclosure. That's 2 out of 3 apps.
Apps using this hack:
Astrotalk, Axis Mobile, Bajaj Finserv, BookMyShow, Cars24, Cure.fit, Fibe, Groww, Housing, Instamart, Ixigo, JioHotstar, KreditBee, KukuTV, LazyPay, Ludo King, Meesho, MoneyTap, Moneyview, Navi, NoBroker, Nykaa, Ola, PhonePe, PhysicsWallah, Slice, Spinny, Swiggy, Swiggy Delivery, Tata Neu, and Zomato.
Apps that don't use this hack:
Airtel Thanks, Blinkit, Byju’s, MyGate, Dream11, Flipkart, HDFC Mobile, Healthify, INDmoney, MyJio, Paytm, PaisaBazaar, ShareChat, Unacademy, Vedantu, Zepto
Even fucking Ludo King has this in its manifest file. So most Indian companies can actually see all the apps on your phone - they're just sneakier about it than the likes of Swiggy and Zepto. So much for being the good guys.
In fact, Swiggy has got this filter config too, yet it still chooses to explicitly list the apps it queries when it could just as easily do this discreetly behind closed doors like the others. But I’m not complaining. This oversight from them gives a glimpse into Swiggy’s data collection practices. If Google had enforced this policy properly, we might have had similar visibility into other companies as well.
All the manifest files I read are in my GitHub. The majority were downloaded on March 18 or 19.
This hack isn’t exclusively used by apps from Indian companies. I checked the manifest files of some other popular apps. Facebook, Instagram, Snapchat, Subway Surfers, and Truecaller all have this config. Meanwhile, Amazon, Spotify, X, Discord, and WhatsApp didn’t. I didn’t investigate further beyond these.
This makes me wonder, what was the whole purpose of Google's package visibility policy? It was supposed to protect users, yet most apps seem to have found ways around it anyway.
And installed app data is very sensitive and personal. In 2022, Vice reported that a data marketplace called Narrative was selling data on users who had downloaded period-tracking apps right after news emerged that Roe v. Wade (which had federally protected abortion rights in the U.S.) could be overturned. This is frightening to even think about.
Installed apps data is one data point. The extensive set of permissions each and every one of these apps has included in their manifest files, often far beyond what’s necessary, is another can of worms for someone else to open.
I’ll conclude this post with a tiny example from Zepto. They ask for the READ_SMS permission. You can deny it, but it’s mandatory if you sign up for Zepto Postpaid.
When you grant the permission, this is the list of sender IDs they check for in your inbox:
Most of them are TRAI sender IDs of banks. They're likely reading these for their Postpaid plan eligibility check. They can still read this even if you never opt for it. And look how they've sneaked in SMSes from Blinkit, Swiggy, Bigbasket, Flipkart too.
Their competitors are probably doing the same, they just didn’t leave behind such an obvious trail of evidence in the app itself.
The point is, when any app gets permissions like READ_SMS, as users, we have no visibility over when or what it’s accessing.
Please remember the next time you casually install an app on your Android device, this information is being broadcast to the whole world. Data brokers will use it to profile you, cross-reference it with data about you from other ad networks and eventually it will be used to decide how much you’ll be asked to pay the next time you order a samosa.
Thank you for reading. In case you subscribed to this newsletter after reading the "What's inside this QR code menu at this cafe?" post and can't find it anymore, here's my tweet about it.
I am also on Bluesky.