Everyone knows all the apps on your phone

(peabee.substack.com)

1192 points gniting | 5 comments | 29 Mar 25 21:26 UTC | HN request time: 0.21s | source

Show context

captn3m0 ◴[30 Mar 25 02:37 UTC] No.43520750[source]▶

>>43518866 (OP) #

The ACTION_MAIN loophole has been written about before: https://commonsware.com/blog/2020/04/05/android-r-package-vi...

Google refuses to patch this. I wonder what would happen if you submit it to the Android VDP as a permission bypass.

There’s also this SO question by the author about the bypass: https://stackoverflow.com/q/79527331

replies(5): >>43520922 #>>43521144 #>>43521275 #>>43522877 #>>43525081 #

nexle ◴[30 Mar 25 03:09 UTC] No.43520922[source]▶

>>43520750 #

Thanks for the link, seems like the loophole is already there since the introduction of the package visibility restriction, and almost everyone and their mother knows how to bypass this restriction.

> Google refuses to patch this

While I don't believe Google engineers are not aware of this widely used loophole, do you have any source that they refused to fix it?

replies(1): >>43521048 #

AznHisoka ◴[30 Mar 25 03:30 UTC] No.43521048[source]▶

>>43520922 #

That loophole was published 5 years ago, it hasnt been fixed since.

Do you need someone from Google to explicitly write an official note, notarized, indicating they are refusing to fix it?

replies(1): >>43521207 #

1. ignoramous ◴[30 Mar 25 03:57 UTC] No.43521207[source]▶

>>43521048 #

> refusing to fix it

Google addressed similar isolation concerns (without breaking a tonne of APIs in incompatible ways) with Private Space and Work Profile: https://source.android.com/docs/security/features/private-sp...

replies(3): >>43521733 #>>43522550 #>>43525302 #

2. ◴[30 Mar 25 06:01 UTC] No.43521733[source]▶

>>43521207 (TP) #

3. whs ◴[30 Mar 25 08:49 UTC] No.43522550[source]▶

>>43521207 (TP) #

If it's a security issue fix, they should release it in one of the monthly security patch.

I also think that private space do not fix the underlying issue. If you have four apps and you don't want them to know about each other you can put one of them in main profile, work profile, app locker and you run out of profile for the last one. The way app locker work doesn't scale to tens of sandbox.

replies(1): >>43523423 #

4. subscribed ◴[30 Mar 25 11:57 UTC] No.43523423[source]▶

>>43522550 #

I know you didn't ask for this sort of answer, but you could use user profiles for this.

You can have more users on the "standard" AOSP Android as well, but with a certain AOSP-derived you can also have notifications forwarding.

Until they add Application List Scopes (I believe it's on the road map), in the exactly the same way users can now lie to apps they have only specific contacts in their contact list and only one or two specific folders in the Storage.

5. 1oooqooq ◴[30 Mar 25 16:22 UTC] No.43525302[source]▶

>>43521207 (TP) #

that proves bad faith.

they keep releasing overly complicated features to sidestep the obvious reported vulnerability, to silence power users and please corporate enterprise sysadms.

the rest of the 99.9 of users keep the vulnerability, which is very profitable for ad networks. wonder why an ad networks who maintains android would do that.

↑