Comment by nexle

2 months ago

Thanks for the link, seems like the loophole is already there since the introduction of the package visibility restriction, and almost everyone and their mother knows how to bypass this restriction.

> Google refuses to patch this

While I don't believe Google engineers are not aware of this widely used loophole, do you have any source that they refused to fix it?

6 comments

nexle

Reply
AznHisoka  2 months ago

That loophole was published 5 years ago, it hasnt been fixed since.

Do you need someone from Google to explicitly write an official note, notarized, indicating they are refusing to fix it?

  • ignoramous  2 months ago

    > refusing to fix it

    Google addressed similar isolation concerns (without breaking a tonne of APIs in incompatible ways) with Private Space and Work Profile: https://source.android.com/docs/security/features/private-sp...

    • whs  2 months ago

      If it's a security issue fix, they should release it in one of the monthly security patch.

      I also think that private space do not fix the underlying issue. If you have four apps and you don't want them to know about each other you can put one of them in main profile, work profile, app locker and you run out of profile for the last one. The way app locker work doesn't scale to tens of sandbox.

      1 reply →

    • 1oooqooq  2 months ago

      that proves bad faith.

      they keep releasing overly complicated features to sidestep the obvious reported vulnerability, to silence power users and please corporate enterprise sysadms.

      the rest of the 99.9 of users keep the vulnerability, which is very profitable for ad networks. wonder why an ad networks who maintains android would do that.