zlacker

1. ignora+(OP) 2025-03-30 14:18:46
A more recent (2023) sandboxing + isolation overview by the Android team: https://arxiv.org/html/1904.05572v3/ (section 4.3)
replies(1): >>NotPra+Lt
2. NotPra+Lt 2025-03-30 18:15:19
>>ignora+(OP)
> Android’s security design has fundamentally been based on a multi-party authorization model: an action should only happen if all involved parties authorize it.

> these are user, platform, and developer (implicitly representing stakeholders such as content producers and service providers). Any one party can veto the action.

How is this not anti-user? It explicitly states that the app developer should be able to veto my decisions...

replies(1): >>ignora+VM2
3. ignora+VM2 2025-03-31 13:56:56
>>NotPra+Lt
Under the shared responsibility model, such a veto makes sense. Just because the end-user (the app has no way to determine if it was a thief or a spy or a monkey or the actual device owner) approves of an action doesn't mean the OS and the app have to grant authorization.

I can see how such a setup is hostile to power users, but then Android is used by 50% of all humanity, and your guess is as good as mine as to just how many want "sudo make me a sandwich" level of control.
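The multi-party model quoted above maps onto concrete Android mechanics: the developer consents by declaring a permission in the manifest, the platform consents through the permission's protection level (normal, dangerous, signature), and the user consents by granting a dangerous permission at runtime. The following is an added illustration of that mapping, not code from the cited paper or from Android itself; the permission strings are real Android names, but the protection-level table and the `AppState` structure are a simplified model constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum


class Party(Enum):
    USER = "user"
    PLATFORM = "platform"
    DEVELOPER = "developer"


# Constructed, simplified platform policy: permission -> protection level.
# Real Android has more levels and flags; this is enough to show the model.
PLATFORM_POLICY = {
    "android.permission.INTERNET": "normal",      # install-time, no prompt
    "android.permission.CAMERA": "dangerous",     # needs a runtime user grant
    "android.permission.READ_LOGS": "signature",  # needs the platform's signing key
}


@dataclass(frozen=True)
class AppState:
    manifest_permissions: frozenset   # developer's consent (declared in the manifest)
    user_grants: frozenset            # user's consent (runtime grants)
    platform_signed: bool = False     # signed with the platform key or not


def vetoes(app: AppState, permission: str) -> frozenset:
    """Return the set of parties that refuse this action.

    Every party is evaluated independently, so the result shows *who*
    blocked the action, not just that it was blocked. The action is
    authorized only when the returned set is empty.
    """
    refusing = set()

    # Developer: the app must have asked for the permission in its manifest.
    # A user "granting" something the developer never declared is meaningless.
    if permission not in app.manifest_permissions:
        refusing.add(Party.DEVELOPER)

    # Platform: unknown permissions are refused outright; signature-level
    # permissions require the requesting app to carry the platform's key.
    level = PLATFORM_POLICY.get(permission)
    if level is None or (level == "signature" and not app.platform_signed):
        refusing.add(Party.PLATFORM)

    # User: dangerous permissions need an explicit runtime grant.
    if level == "dangerous" and permission not in app.user_grants:
        refusing.add(Party.USER)

    return frozenset(refusing)


def authorized(app: AppState, permission: str) -> bool:
    """The action proceeds only if no party vetoes it."""
    return not vetoes(app, permission)


if __name__ == "__main__":
    # Constructed sample app: declares camera and internet, user granted camera.
    app = AppState(
        manifest_permissions=frozenset(
            {"android.permission.CAMERA", "android.permission.INTERNET"}),
        user_grants=frozenset({"android.permission.CAMERA"}),
    )
    for perm in PLATFORM_POLICY:
        print(perm, "->", "allowed" if authorized(app, perm)
              else "vetoed by " + ", ".join(p.value for p in vetoes(app, perm)))
```

Evaluating every party rather than short-circuiting on the first refusal is what makes the "any one party can veto" property visible: a request the user approved but the developer never declared comes back as a developer veto, which is exactly the case the discussion above is arguing about.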
