←back to thread

Everyone knows all the apps on your phone

(peabee.substack.com)
1192 points gniting | 1 comments | 29 Mar 25 21:26 UTC | HN request time: 0.211s | source
Show context
captn3m0 ◴[30 Mar 25 02:37 UTC] No.43520750[source]
The ACTION_MAIN loophole has been written about before: https://commonsware.com/blog/2020/04/05/android-r-package-vi...

Google refuses to patch this. I wonder what would happen if you submit it to the Android VDP as a permission bypass.

There’s also this SO question by the author about the bypass: https://stackoverflow.com/q/79527331

replies(5): >>43520922 #>>43521144 #>>43521275 #>>43522877 #>>43525081 #
nexle ◴[30 Mar 25 03:09 UTC] No.43520922[source]
Thanks for the link, seems like the loophole is already there since the introduction of the package visibility restriction, and almost everyone and their mother knows how to bypass this restriction.

> Google refuses to patch this

While I don't believe Google engineers are not aware of this widely used loophole, do you have any source that they refused to fix it?

replies(1): >>43521048 #
AznHisoka ◴[30 Mar 25 03:30 UTC] No.43521048[source]
That loophole was published 5 years ago, it hasnt been fixed since.

Do you need someone from Google to explicitly write an official note, notarized, indicating they are refusing to fix it?

replies(1): >>43521207 #
ignoramous ◴[30 Mar 25 03:57 UTC] No.43521207[source]
> refusing to fix it

Google addressed similar isolation concerns (without breaking a tonne of APIs in incompatible ways) with Private Space and Work Profile: https://source.android.com/docs/security/features/private-sp...

replies(3): >>43521733 #>>43522550 #>>43525302 #
1. 1oooqooq ◴[30 Mar 25 16:22 UTC] No.43525302[source]
that proves bad faith.

they keep releasing overly complicated features to sidestep the obvious reported vulnerability, to silence power users and please corporate enterprise sysadms.

the rest of the 99.9 of users keep the vulnerability, which is very profitable for ad networks. wonder why an ad networks who maintains android would do that.