Hi, I'm not really into Android programming, but I'm a fan of privacy and concerned about the tendency of its disappearance. Lately, I've been wondering how secure the Android platform is, and if a user can feel "somewhat" safe if he (as an example) installs an App that claims to "not require Internet access". Most people would assume that, in theory (all possible exploits aside), if there is no way for the App to communicate with a network, there could be no way for the outside world ever to get hold of the App's private data (because of the sandbox).
When I stumbled across SharedUserId, which developers can use to share data between their own Apps, I got really puzzled. I mean, picture this scenario: Developer "SneakyDev" writes two Apps: a Calendar-App (SneakyCal), that requires NO granted permissions at all, and its purpose would be obvious; and a Clock-App (SneakyClock), that only requires permission for Internet-Access, because its absolutely reasonable purpose would be to fetch the time from an NTP-Server. Now user "PrivacyGeek" finds SneakyCal in the Playstore and decides to install it... he needs a calendar and also loves the fact that the app needs no permissions whatsoever (that must be super-secure, even more than the built-in one)! Some weeks later, he is at the Playstore again and stumbles across SneakyClock... and decides to install it, because a Clock-App that only requires Internet-Access for contacting NTP is just reasonable and could do no harm, because what private data could you ever store within a non-interactive clock-App, right??!!

Ok... and now I'm asking myself: The user now has SneakyCal, that stores the user's private agenda in its sandboxed app-data directory ...and SneakyClock, with originally no sensitive data in its folder, *BUT* has Internet-Access *AND* has access to all of SneakyCal's data, because it was written by the SAME DEV (who sure as hell used the SharedUserId-Feature). I mean, maybe I'm misunderstanding something very badly here, but it seems that by installing SneakyClock, SneakyCal is ...so to speak... also secretly granted (because it's family) all of SneakyClock's permissions.... and the naive user has NO IDEA about it, because he HAS TO TRUST what he is told: That SneakyCal is plain and simple NOT PERMITTED access to the internet in whatever way.
My conclusion: I don't think it is a very hard task at all to use a directory as a "virtual-data-exchange-socket" to just pass data through for the sole purpose of making use of permissions that were not explicitly granted to the App. So my big and (quite) discomforting question is: Are Android-users LIED TO DAILY to their faces about the fact that an App from the same Developer will (effectively) automatically inherit ALL of the other CAPABILITIES of the other installed Apps of the same developer? Please tell me I misunderstood something *very* badly, because I cannot believe that a security-system can be flawed so primitively and obviously with nobody complaining about it. My point is: only because an app is not DIRECTLY granted API-ACCESS for retrieving (for example) the GPS-coordinates, if it simply can ask its "brother" (in its own "language") to pass that information, where is the difference? The information WAS delivered! Should my assumptions be correct, it makes me feel quite sad about how we are all fooled. Because then, in my opinion, they could really have skipped the whole sandbox-shit from the beginning, because it serves no other purpose than to sell a complete illusion.

-Hannes

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To view this discussion on the web visit https://groups.google.com/d/msg/android-security-discuss/-/sSV0HsBxV78J.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
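The mechanism behind the scenario above is that Android enforces permissions per Linux UID, and packages declaring the same android:sharedUserId (and signed with the same certificate, which is a hard requirement the post does not mention) are installed under one UID, so they share a data directory and the union of their granted permissions. The check a practitioner would want is therefore "which installed packages share a UID?". The script below is an added example, not code from the original post: it parses the `package:<name> uid:<uid>` lines that `adb shell pm list packages -U` prints (format assumed from that command; the sample output and the SneakyCal/SneakyClock package names, manifest and permission sets are constructed for illustration), groups packages by UID, reads android:sharedUserId out of a manifest, and computes the effective permission set each package ends up with.

```python
"""Detect Android packages that share a UID and compute their effective permissions.

Added example for the sharedUserId discussion; all sample data is constructed.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample in the line format of `adb shell pm list packages -U`
# (assumption: "package:<name> uid:<uid>", one package per line).
SAMPLE_PM_OUTPUT = """\
package:com.android.settings uid:1000
package:com.example.sneakycal uid:10234
package:com.example.sneakyclock uid:10234
package:org.example.notes uid:10240
"""

# Constructed manifest for the hypothetical SneakyClock app from the post.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sneakyclock"
    android:sharedUserId="com.example.sneaky.shared">
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

# Constructed per-package declared permissions (what the Play listing shows).
SAMPLE_DECLARED = {
    "com.example.sneakycal": set(),
    "com.example.sneakyclock": {"android.permission.INTERNET"},
    "org.example.notes": {"android.permission.READ_CONTACTS"},
}

PM_LINE = re.compile(r"^package:(\S+)\s+uid:(\d+)$")


def parse_pm_uids(text):
    """Map package name -> UID from `pm list packages -U` style output."""
    result = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            result[m.group(1)] = int(m.group(2))
    return result


def shared_uid_groups(pkg_to_uid):
    """Return {uid: [packages]} for every UID held by more than one package."""
    groups = defaultdict(list)
    for pkg, uid in pkg_to_uid.items():
        groups[uid].append(pkg)
    return {uid: sorted(pkgs) for uid, pkgs in groups.items() if len(pkgs) > 1}


def manifest_shared_user_id(xml_text):
    """Return the android:sharedUserId attribute of a manifest, or None."""
    root = ET.fromstring(xml_text)
    return root.get(f"{{{ANDROID_NS}}}sharedUserId")


def manifest_permissions(xml_text):
    """Return the sorted list of <uses-permission> names in a manifest."""
    root = ET.fromstring(xml_text)
    return sorted(e.get(f"{{{ANDROID_NS}}}name") for e in root.findall("uses-permission"))


def effective_permissions(pkg_to_uid, declared):
    """Permissions each package can actually use: the union over its UID.

    Because the kernel and the framework check the calling UID, a package
    with no declared permissions still gets everything its UID-mates hold.
    """
    by_uid = defaultdict(set)
    for pkg, uid in pkg_to_uid.items():
        by_uid[uid] |= declared.get(pkg, set())
    return {pkg: sorted(by_uid[uid]) for pkg, uid in pkg_to_uid.items()}


if __name__ == "__main__":
    uids = parse_pm_uids(SAMPLE_PM_OUTPUT)
    for uid, pkgs in shared_uid_groups(uids).items():
        print(f"uid {uid} is shared by: {', '.join(pkgs)}")
    print("SneakyClock sharedUserId:", manifest_shared_user_id(SAMPLE_MANIFEST))
    for pkg, perms in effective_permissions(uids, SAMPLE_DECLARED).items():
        print(f"{pkg}: effective permissions {perms}")
```

On a real device, replace SAMPLE_PM_OUTPUT with the captured output of `adb shell pm list packages -U`; any UID that appears more than once is a shared sandbox, and the flagged packages should be reviewed together rather than by their individual permission lists. Note that sharedUserId only works across packages signed with the same key, and that Google has deprecated the attribute since API level 29, so new apps should not be able to join an existing shared UID.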
