Everyone knows all the apps on your phone

(peabee.substack.com)

1192 points gniting | 1 comments | 29 Mar 25 21:26 UTC | HN request time: 0s | source

Show context

captn3m0 ◴[30 Mar 25 02:37 UTC] No.43520750[source]▶

>>43518866 (OP) #

The ACTION_MAIN loophole has been written about before: https://commonsware.com/blog/2020/04/05/android-r-package-vi...

Google refuses to patch this. I wonder what would happen if you submit it to the Android VDP as a permission bypass.

There’s also this SO question by the author about the bypass: https://stackoverflow.com/q/79527331

replies(5): >>43520922 #>>43521144 #>>43521275 #>>43522877 #>>43525081 #

3abiton ◴[30 Mar 25 04:13 UTC] No.43521275[source]▶

>>43520750 #

> Google refuses to patch this.

That's why projects like XPL-Extended (and previously XPrivacyLua), are an absolute need. I never run an android phone without these.

replies(2): >>43522389 #>>43524918 #

ignoramous ◴[30 Mar 25 08:21 UTC] No.43522389[source]▶

>>43521275 #

XPrivactLua and other XposedMod/Magisk extensions break open the app sandbox. It is better to restrict running those on usereng/eng builds (test devices). For prod builds (user devices), I'd recommend using Work Profiles (GrapheneOS supports upto 31 in parallel) or Private Spaces (on Android 15+) to truly isolate apps from one another.

replies(4): >>43522525 #>>43523196 #>>43523377 #>>43523961 #

pava0 ◴[30 Mar 25 08:45 UTC] No.43522525[source]▶

>>43522389 #

What do you mean by "break open the app sandbox"?

replies(1): >>43523886 #

schnatterer ◴[30 Mar 25 13:11 UTC] No.43523886[source]▶

>>43522525 #

I found this description about the security risks of rooting very eye-opening https://madaidans-insecurities.github.io/android.html It also explains the sandbox.

replies(6): >>43524412 #>>43525977 #>>43526517 #>>43530612 #>>43538653 #>>43538685 #

1. hilbert42 ◴[31 Mar 25 03:32 UTC] No.43530612[source]▶

>>43523886 #

As dataflow says that site has an agenda. I've used rooted phones continuously since Android v4 and I've had no trouble. Moreover, I'd posit that much of the crap I remove from phones lowers the attack risk which to some degree offsets the risk of rooting.

Granted, I'm not suggesting that everyone should root their phones, in fact in recent years I even stopped suggesting it to my tech-savvy friends (that is unless they approach me for advice).

I don't need to lecture about these things but all those who've rooted their phones know the huge advantages—power and control one has over one's phone is enormous.

For example, some apps contain so many trackers that normally you'd never use them except they're the only apps suitable for one's purpose. Rooting allows you the user to take control and have them do what you want and not that of the developer.

Yes, rooting has its risks but for my purposes its benefits far outweigh them.

↑