get-installed-related-apps
                                
fingerprinting concerns
I don't follow the claim about non-fingerprint-ability. If I'm a company with a large number of apps (e.g. Google), with 16-32 apps registered in app stores, the subset of which apps any user has installed is likely to be a very strong semi-identifier, no, and so be extremely risky for the user / valuable for the fingerprinter, no?
Apologies if I'm misunderstanding, but this seems like a very clear privacy risk.
Put differently, if this isn't a privacy risk, what's the rationale behind disallowing this in private browsing mode?
> what's the rationale behind disallowing this in private browsing mode
The concern was that if a website can know that the corresponding native app is installed, it might force users to use that native version instead and make them leave their private browsing mode. It also falls in line with private browsing expectations.
This would be a privacy improvement to 100% of origins, at the expense of providing a privacy mode detector with a non-negligible false positive rate to a very very small percentage of origins.
I just learned about this API and I have similar concerns to @pes10k, but I think that the attack surface might be even bigger because of the app version being leaked. Consider:
- staged rollouts that limit the % of users with a given version and allow targeting specific countries, and
- closed and internal testing that allows targeting organizations and individuals with a specific version.