Comment by captn3m0
2 months ago
The ACTION_MAIN loophole has been written about before: https://commonsware.com/blog/2020/04/05/android-r-package-vi...
Google refuses to patch this. I wonder what would happen if you submit it to the Android VDP as a permission bypass.
There’s also this SO question by the author about the bypass: https://stackoverflow.com/q/79527331
It seems like the ACTION_MAIN loophole could be fixed (eventually) if apps that declare it are required to actually be launchers. It seems like legitimate integrations should have more specific intents.
At that point, Android prompting if random game you just downloaded should be your defaut launcher seems pretty dangerous interaction for sneaky apps to risk. They either cause the user to bounce and report or the fools select it as default launcher, replace their launcher, can't provide the launcher functionality and break the user's home screen and end up getting reported in Play Store. I also assume actually getting published as a launcher-class app at that point brings automated testsuites and other requirements that will be burdensome for developers.
That sounds very sensible.
> Google refuses to patch this.
That's why projects like XPL-Extended (and previously XPrivacyLua), are an absolute need. I never run an android phone without these.
> If there is one leap that the infosec community consistently fails to make, it is this: people who are not like me, who have different needs and priorities, who have less time or are less technical, STILL DESERVE PRIVACY AND SECURITY.
https://hachyderm.io/@evacide/114184706291051769
XPrivactLua and other XposedMod/Magisk extensions break open the app sandbox. It is better to restrict running those on usereng/eng builds (test devices). For prod builds (user devices), I'd recommend using Work Profiles (GrapheneOS supports upto 31 in parallel) or Private Spaces (on Android 15+) to truly isolate apps from one another.
The question is: Who is the beneficiary of the app sandbox? Is it you, the user, because no malicious processes can taper with your apps? Or is it the corporations, because they prevent you from modifying their apps – which makes you a pure consumer?
I think, for the tech-savvy, the latter is more accurate and I think it is very important to be able to crack open these sandboxes and tinker with processes. Be it to inject ad blockers, automate them, modify their appearance, etc. It should be a right of a user to be able to do these things.
3 replies →
Can't wait for App List Scopes, like we have with Contacts or Storage already. Not a day too early.
For a few months all the UK banks I have accounts in send the list of all apps to the mothership.
I noticed it first when suddenly Revolut refused to start up because I had an app installed, Natwest and Nationwide at least inform prior to the data collection, but weren't concerned.
It ended up with the long overdue confinement of all the banking apps in their dedicated profile, but I'd love to be able to confine them further.
1 reply →
I'm on Android 14 and I've been pretty happy with an app called Insular on F-Droid or Island on the Play Store. It let's you install as many instances of an app as you'd like and they'll show up in the work profile, ignorant of the others' existence.
1 reply →
What do you mean by "break open the app sandbox"?
9 replies →
Thanks for the link, seems like the loophole is already there since the introduction of the package visibility restriction, and almost everyone and their mother knows how to bypass this restriction.
> Google refuses to patch this
While I don't believe Google engineers are not aware of this widely used loophole, do you have any source that they refused to fix it?
That loophole was published 5 years ago, it hasnt been fixed since.
Do you need someone from Google to explicitly write an official note, notarized, indicating they are refusing to fix it?
> refusing to fix it
Google addressed similar isolation concerns (without breaking a tonne of APIs in incompatible ways) with Private Space and Work Profile: https://source.android.com/docs/security/features/private-sp...
4 replies →
Submitting it to the Android VDP is a solid idea, though I wouldn't be surprised if it gets waved off as "working as intended."
The right ("as intended", in my view) functionality would be to support a manifest with, say, five apps, and if as a dev you wanted more youd apply to google for an exception (like aws limit increases) with a list of reasons for each app.
I know people may not remember this, but Android was initially designed with interoperability in mind. It's sad to see both the system development and the community opinion to have turned against it so hard.
What do you mean with "refused to patch this"? Google will reject any app publishing attempt that asks for that filter and isn't a launcher on Play store.
How is that congruent with the article's claim that 31 out of 47 apps they tested had this filter?
No idea, but we did have apps rejected because of similar permissions.
2 replies →
Author claims that this same hack is used widely, including by apps on the Play Store like Snapchat and Facebook.
The HSBC bank app uses this and is in the Play Store.