Comment by AznHisoka
2 months ago
That loophole was published 5 years ago; it hasn't been fixed since.
Do you need someone from Google to explicitly write an official note, notarized, indicating they are refusing to fix it?
> refusing to fix it
Google addressed similar isolation concerns (without breaking a tonne of APIs in incompatible ways) with Private Space and Work Profile: https://source.android.com/docs/security/features/private-sp...
If it's a security issue fix, they should release it in one of the monthly security patches.
I also think that Private Space does not fix the underlying issue. If you have four apps and you don't want them to know about each other, you can put one of them each in the main profile, work profile, and app locker, and you run out of profiles for the last one. The way app locker works doesn't scale to tens of sandboxes.
I know you didn't ask for this sort of answer, but you could use user profiles for this.
You can have more users on the "standard" AOSP Android as well, but with a certain AOSP-derived you can also have notifications forwarding.
Until they add Application List Scopes (I believe it's on the road map), in exactly the same way users can now lie to apps that they have only specific contacts in their contact list and only one or two specific folders in the Storage.
that proves bad faith.
they keep releasing overly complicated features to sidestep the obvious reported vulnerability, to silence power users and please corporate enterprise sysadmins.
the rest of the 99.9 of users keep the vulnerability, which is very profitable for ad networks. wonder why an ad network that maintains android would do that.