Comment by 3abiton
2 months ago
> Google refuses to patch this.
That's why projects like XPL-Extended (and previously XPrivacyLua), are an absolute need. I never run an android phone without these.
2 months ago
> Google refuses to patch this.
That's why projects like XPL-Extended (and previously XPrivacyLua), are an absolute need. I never run an android phone without these.
> If there is one leap that the infosec community consistently fails to make, it is this: people who are not like me, who have different needs and priorities, who have less time or are less technical, STILL DESERVE PRIVACY AND SECURITY.
https://hachyderm.io/@evacide/114184706291051769
XPrivactLua and other XposedMod/Magisk extensions break open the app sandbox. It is better to restrict running those on usereng/eng builds (test devices). For prod builds (user devices), I'd recommend using Work Profiles (GrapheneOS supports upto 31 in parallel) or Private Spaces (on Android 15+) to truly isolate apps from one another.
The question is: Who is the beneficiary of the app sandbox? Is it you, the user, because no malicious processes can taper with your apps? Or is it the corporations, because they prevent you from modifying their apps – which makes you a pure consumer?
I think, for the tech-savvy, the latter is more accurate and I think it is very important to be able to crack open these sandboxes and tinker with processes. Be it to inject ad blockers, automate them, modify their appearance, etc. It should be a right of a user to be able to do these things.
I, the user.
Malicious apps sneak through the vetting process all the time.
Genuine, honest apps have to process unsafe content (be it we pages, messages) all the time.
One exploit should at most make single App vulnerable, not expose everything I have on my phone.
Strong, restrictive sandboxing, memory and execution protections are the only safe way.
And how is destroying the sandboxing related to having more rights as a consumer? You could still patch and repack them in the way Lucky Patcher does with ads, for example?
> I think, for the tech-savvy, the latter is more accurate and I think it is very important to be able to crack open these sandboxes and tinker with processes
Anyone tech-savvy that wants to mod their Android (like they'd mod Linux distros), should consider purchasing Android devices (like Pixel) that support ownership transfer (that is, unlocking then relocking the bootloader), and flash CalyxOS/GrapheneOS usereng/eng builds.
1 reply →
Can't wait for App List Scopes, like we have with Contacts or Storage already. Not a day too early.
For a few months all the UK banks I have accounts in send the list of all apps to the mothership.
I noticed it first when suddenly Revolut refused to start up because I had an app installed, Natwest and Nationwide at least inform prior to the data collection, but weren't concerned.
It ended up with the long overdue confinement of all the banking apps in their dedicated profile, but I'd love to be able to confine them further.
You mentioned NatWest. I remember using NatWest and noticing on NoRoot Firewall (on my Android) it was 'speaking' regularly to Facebook. Of course I had all FB and IG and their IP ranges blocked from the get-go, but still. Why (TF!!!!) would my effing back telling FB that I launched their app? (one could say that they use this or that library, so the code, blah blah blah)
This is disgusting and the reason I don't use iOS. The utter lack of firewall! (plus the batterygate scandal)
I'm on Android 14 and I've been pretty happy with an app called Insular on F-Droid or Island on the Play Store. It let's you install as many instances of an app as you'd like and they'll show up in the work profile, ignorant of the others' existence.
it's a frontend to work profiles feature.
not recommended to run insular anymore. use Shelter for a14
What do you mean by "break open the app sandbox"?
I found this description about the security risks of rooting very eye-opening https://madaidans-insecurities.github.io/android.html It also explains the sandbox.
8 replies →