1192 points gniting | 1 comments
captn3m0 ◴[] No.43520750[source]
The ACTION_MAIN loophole has been written about before: https://commonsware.com/blog/2020/04/05/android-r-package-vi...

Google refuses to patch this. I wonder what would happen if you submit it to the Android VDP as a permission bypass.

There’s also this SO question by the author about the bypass: https://stackoverflow.com/q/79527331

3abiton ◴[] No.43521275[source]
> Google refuses to patch this.

That's why projects like XPL-Extended (and previously XPrivacyLua) are an absolute need. I never run an Android phone without these.

ignoramous ◴[] No.43522389[source]
XPrivacyLua and other XposedMod/Magisk extensions break open the app sandbox. It is better to restrict running those on usereng/eng builds (test devices). For prod builds (user devices), I'd recommend using Work Profiles (GrapheneOS supports up to 31 in parallel) or Private Spaces (on Android 15+) to truly isolate apps from one another.
subscribed ◴[] No.43523377[source]
Can't wait for App List Scopes, like we have with Contacts or Storage already. Not a day too early.

For a few months all the UK banks I have accounts in send the list of all apps to the mothership.

I noticed it first when suddenly Revolut refused to start up because I had an app installed. NatWest and Nationwide at least inform prior to the data collection, but weren't concerned.

It ended up with the long overdue confinement of all the banking apps in their dedicated profile, but I'd love to be able to confine them further.

1. HenryBemis ◴[] No.43524529[source]
You mentioned NatWest. I remember using NatWest and noticing on NoRoot Firewall (on my Android) it was 'speaking' regularly to Facebook. Of course I had all FB and IG and their IP ranges blocked from the get-go, but still. Why (TF!!!!) would my effing bank be telling FB that I launched their app? (One could say that they use this or that library, so the code, blah blah blah.)

This is disgusting and the reason I don't use iOS. The utter lack of firewall! (plus the batterygate scandal)