To enable app interoperability, the Android platform exposes APIs that allow developers to query for the list of apps installed on a user’s device. These Installed Application Methods (IAMs) require no special authorization and it is known that information collected through these methods can be used to precisely deduce end-users interests and personal traits, thus raising privacy concerns.

In this paper we present a large-scale empirical study investigating the presence of IAMs in Android apps and their usage by Android developers. The study targets 14,342 free Android apps published in the Google Play Store and 7,886 open-source Android applications mined from GitHub. In our analysis, we first detect which apps employ IAMs. We then extracts information related to the fields accessed through these APIs. Finally, we check whether IAM calls are performed in the app’s own code or by an included third-party library. In addition to our analysis, we investigate whether developers are aware of the presence of IAMs in their apps by means of an online questionnaire.

Our results highlight that: (i) IAMs are widely used in commercial applications while their popularity is limited in open-source ones; (ii) in both open- and closed-source apps IAMs are mostly used in third-party libraries; (iii) more than one third of libraries that employ IAMs are advertisement libraries and roughly one other third are utility libraries; (iv) a small number of popular advertisement libraries account for over 33% of all usages of IAMs by third-party libraries; (v) developers are not always aware that their apps include IAMs calls, often introduced by enclosed third-party libraries.

Based on the collected data, we suggest some changes to the Android platform to deal with identified issues, provide recommendations to end-users and highlight directions for future research.