This is a most excellent place for technology news and articles.
Seeing people say "GrapheneOS fixes this!" "It's only on old versions of Android!"
This is on a Pixel 8 Pro with the latest version of GrapheneOS. This is an issue and has been for a long time. Many apps detect root by looking for the Magisk package using this method, and many collect this information just for advertising (go ahead, export your Snapchat data)
It's probably because of the bubble I live in, but I most of these apps.
Same here, i hadn’t even heard of Swiggy or Ola or TATA 1mg.
Btw, there was Island on a list there.
I know apple products are mortal sin on this site, but I’m thankful I switched to iOS a decade ago. I loved my Android phones but I’ll never be assed to do CFW again, and since I don’t use my phone for much, I honestly appreciate the walled garden. Fuck apps. Messaging and basic browsing = phone. Anything else is for Big Screen.
Great. Now instead of Google, Apple collects your data :)
At least
gestures to the article we’re commenting on
THAT doesn’t happen
*if you have an older Android phone.
What do you mean? The article is talking about current versions of Android.
So the first line says that it's for older versions of android before 2022. But the next paragraph says:
For extremely specific use cases such as file managers, browsers or antivirus apps, Google grants an exception by allowing QUERY_ALL_PACKAGES permission, which provides full visibility into installed apps.
So this may still be possible, however sandboxing, especially GrapheneOS' implementation likely mostly, if not entirely reduce this risk.
So this may still be possible
This article seems to be saying that's it's not only possible, it's being actively (and I would assume widely) exploited on current versions of Android. Google is supposed to catch any abuses of listed exceptions, but they are either missing a bunch or letting them intentionally slide through. Either way, apps being able to see other apps is a big security risk that IMO only the user should be able to explicitly allow, and on a case-by-case basis.
Yeah, meaning all newer phones past Android 11 shouldn't have this issue, but they do because of a workaround by shady companies that Google is either not aware of or not addressing. This issue isn't limited to older phones -- quite the opposite.
Apologies, I deleted my comment instead of editing it, but I meant to add that even with the shady workaround, if you have sandboxing it likely greatly reduces this risk.
Be very wary of what apps you install, and in fact, try to only use FOSS.
People need to stop touting FOSS as more secure. More auditable, sure. But there are many, many examples of FOSS applications being insecure or abusive.
The bottom line is just “be wary of what apps you install period.”
Sure, but I didn't mean to say that FOSS couldn't be insecure. Software itself can obviously be insecure, like we saw with xz. At least with FOSS though, it's more difficult for it to be hidden.
The second half of the article talks about how the apps get around this permission requirement.
Well that was a horrifying read. Is there any software that can protect against this? GrapheneOS? LineageOS? A Magisk module?
Island, Insular, Shelter; apps that allow managing separate profiles.
My setup: mostly Open Source apps on a custom ROM like LineageOS, the neccessary proprietary apps in shelter, connections managed via,Tracker Control. That one proprietary app that's too useful to have separate is fixed via App Manager.
Separate profiles, although graphene is supposedly working on it last I heard.
Everyone*
All***
*On some versions of Android**
*Mostly Indian apps
**Workarounds exist***
***Workaround only works for checking a hardcoded list of apps, and can't check all your apps
Informative article, but damn the clickbait
I know this happened a few years ago but would having a separate work profile through Shelter, Island, or Insular limit the app to only see those on the profile?
Yes, it would. Those basically create sandboxes.
That's what I assumed. Thanks for confirming.
