Comment by UncleMeat - Hacker Neue

UncleMeat 4 days ago parent

> Every time I hear mentions of "safety" from the folks at Google, I'm reminded that there's a hidden Internet permission on Android that can neuter 95% of malicious apps. But it's hidden, apparently because keeping users from using it to block ads on apps is of greater concern to Google than keeping people safe.

You've never needed the internet permission to exfiltrate data. Just send an intent to the browser app to load a page owned by the attacker with the data to be exfilled in the query parameters.

gumby271 4 days ago

Wouldn't that launch the browser app and bring it to the foreground? I wouldn't compare that to having full network access.

UncleMeat OP 3 days ago

It'd launch the browser app. You can have your evil page redirect to a benign page so it just looks like Chrome randomly opened or whatever. It is not as powerful as full network access as you can only send so much information in query parameters, but if you are doing some phishing or stealing sms 2fa codes or whatever then it is plenty to send back whatever payload you wanted to.

And of course basically every app requires internet permissions for ordinary behavior. The world where an explicit internet permission would somehow get somebody to look askance at some malware that they were about to download is just not believable.

alexey-salmin 3 days ago

The ability to launch other apps can be put behind a permission screen too.

This item has no comments currently.