1192 points gniting | 1 comments
captn3m0 ◴[] No.43520750[source]
The ACTION_MAIN loophole has been written about before: https://commonsware.com/blog/2020/04/05/android-r-package-vi...

Google refuses to patch this. I wonder what would happen if you submit it to the Android VDP as a permission bypass.

There’s also this SO question by the author about the bypass: https://stackoverflow.com/q/79527331

replies(5): >>43520922 #>>43521144 #>>43521275 #>>43522877 #>>43525081 #
fluidcruft ◴[] No.43525081[source]
It seems like the ACTION_MAIN loophole could be fixed (eventually) if apps that declare it are required to actually be launchers. It seems like legitimate integrations should have more specific intents.

At that point, Android prompting if the random game you just downloaded should be your default launcher seems a pretty dangerous interaction for sneaky apps to risk. They either cause the user to bounce and report or the fools select it as default launcher, replace their launcher, can't provide the launcher functionality and break the user's home screen and end up getting reported in Play Store. I also assume actually getting published as a launcher-class app at that point brings automated test suites and other requirements that will be burdensome for developers.

replies(1): >>43535508 #
1. robertlagrant ◴[] No.43535508[source]
That sounds very sensible.