zlacker

[return to "Everyone knows all the apps on your phone"]
1. captn3+ou[view] [source] 2025-03-30 02:37:34
>>gnitin+(OP)
The ACTION_MAIN loophole has been written about before: https://commonsware.com/blog/2020/04/05/android-r-package-vi...

Google refuses to patch this. I wonder what would happen if you submit it to the Android VDP as a permission bypass.

There’s also this SO question by the author about the bypass: https://stackoverflow.com/q/79527331

◧◩
2. nexle+ax[view] [source] 2025-03-30 03:09:07
>>captn3+ou
Thanks for the link, seems like the loophole is already there since the introduction of the package visibility restriction, and almost everyone and their mother knows how to bypass this restriction.

> Google refuses to patch this

While I don't believe Google engineers are not aware of this widely used loophole, do you have any source that they refused to fix it?

◧◩◪
3. AznHis+cz[view] [source] 2025-03-30 03:30:27
>>nexle+ax
That loophole was published 5 years ago, it hasnt been fixed since.

Do you need someone from Google to explicitly write an official note, notarized, indicating they are refusing to fix it?

◧◩◪◨
4. ignora+LB[view] [source] 2025-03-30 03:57:37
>>AznHis+cz
> refusing to fix it

Google addressed similar isolation concerns (without breaking a tonne of APIs in incompatible ways) with Private Space and Work Profile: https://source.android.com/docs/security/features/private-sp...

◧◩◪◨⬒
5. whs+qX[view] [source] 2025-03-30 08:49:23
>>ignora+LB
If it's a security issue fix, they should release it in one of the monthly security patch.

I also think that private space do not fix the underlying issue. If you have four apps and you don't want them to know about each other you can put one of them in main profile, work profile, app locker and you run out of profile for the last one. The way app locker work doesn't scale to tens of sandbox.

[go to top]