QUERY_ALL_PACKAGES permission in GrapheneOS?

MMatthai · Jun 6, 2024

So in Slovenia we now have some cases, when banking apps are refusing to work for users, that have AnyDesk (and similar apps for remote access) installed on the phone.

It seems that an app can see all installed applications if it has granted QUERY_ALL_PACKAGES permission.

While I certainly understand the motivation for this and why this would be good to protect users from malware and scammers, I feel that this is some kind of a privacy violation. I mean, why a banking app needs to see what applications I am using?? And also - there are some users, that legitimately use and need AnyDesk (and similar apps).

What is the GrapheneOS approach to this? I understand that user can have a different profile for banking app, however I would like to see a feature similar to "contact scopes", so an option that user can set which apps are visible through QUERY_ALL_PACKAGES permission and which not.

matchboxbananasynergy · Jun 6, 2024

Apps can see what other apps you have installed in the same profile via indirect ways that don't require QUERY_ALL_PACKAGES. That permission isn't really what gates app from being or not being able to do this.

If you want apps to not know about each other, put them in separate profiles.

This might be tackled when the app communication scopes feature is done, but it's too early to say at this time.