Hi, I recently watched Android Vulnerabilities, Exploits, and Malware Explained, which gave me a good introduction on how the general Android security model works.
But it lacks practical information at the app sandbox layer - e.g. what would be "reasonable" steps to ensure or restore a clean environment in case of a potential exploit within an app. As a GrapheneOS user I'd also be interested in explanations scoped to this operating system, if deviating from general Android AOSP.
Let's take a threat model example:
- Tor Browser (for Android, just named "Tor Browser" in this post) is used for anonymous surfing.
- Suspicious website evil.com is accidentally visited with JavaScript enabled. evil.com abuses a hypothetical vulnerability of Tor Browser, using some sort of JavaScript exploit. (1)
- Tor Browser is granted "Network" and "Notifications" permissions.
I am wondering what would be a reasonable, best-effort approach to re-establish a clean environment for the exploited app (here Tor Browser) and whole Android system, given we want to continue using Tor Browser.
- Is it needed to uninstall and reinstall the app?
- Is it sufficient to delete its cache/app data and just restart the app?
- More specifically: Can an exploited app binary be modified in-place during usage, e.g. to integrate a persistent malware? Or is only app data/cache affected?
- I guess this compromised app would need to break out of app sandbox and circumvent SELinux protections to do more system-wide harm, hence a (persistent) system compromise is "much more unlikely"?
- Could this compromised app leverage app permissions to persist itself in other ways, like via filesystem?
Thanks in advance!
(1): This would be in line with recommendations by GrapheneOS developers stating that Firefox-like browsers have weaker security than Chromium-based browsers, so something like Vanadium is preferred. Still, Vanadium lacks privacy-protecting features and cannot anonymize your IP.
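As an added example (not part of the original post, and not GrapheneOS or Tor Project code), here is a best-effort post-incident runbook for the questions above, driven from a workstation over adb: it checks whether the installed APK still matches a digest you recorded before the incident, lists the app's granted permissions, and then wipes the app-private data that a web exploit could plausibly have written to. Assumptions: adb and USB debugging are available, `PKG` is the app's package name (placeholder), `EXPECTED_SHA256` is a known-good digest you captured earlier (placeholder), the device's toybox provides `sha256sum`, and `dumpsys package` prints permission lines in the `name: granted=true` form shown in the comments.

```shell
#!/bin/sh
# Added example, not from the original post. Best-effort cleanup/inspection
# of one Android app over adb after a suspected in-app exploit.
# Placeholders: package name and expected APK digest are supplied as arguments.

# Strip the "package:" prefix from one line of `pm path <pkg>` output.
# Example input (constructed): package:/data/app/~~x==/org.example-y==/base.apk
apk_path_from_pm_output() {
    printf '%s\n' "$1" | sed -n 's/^package://p'
}

# Compare two lowercase hex digests; prints "match" or "mismatch".
compare_digest() {
    if [ "$1" = "$2" ]; then echo match; else echo mismatch; fi
}

# Assumed `dumpsys package <pkg>` format for permission entries, e.g.
#   android.permission.POST_NOTIFICATIONS: granted=true, flags=[ USER_SET ]
# Prints the names of permissions that are currently granted.
granted_permissions() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\([A-Za-z0-9_.]*\): granted=true.*/\1/p'
}

# Device-facing routine: needs adb on PATH and an authorized device.
inspect_and_reset() {
    pkg="$1"
    expected="$2"

    # First line of `pm path` is the base APK (split APKs follow on later lines).
    path=$(apk_path_from_pm_output "$(adb shell pm path "$pkg" | tr -d '\r' | head -n 1)")
    [ -n "$path" ] || { echo "package $pkg is not installed" >&2; return 1; }

    # The APK lives in a system-owned, read-only directory; a changed digest
    # here would mean something far beyond an in-app compromise.
    actual=$(adb shell sha256sum "$path" | tr -d '\r' | cut -d' ' -f1)
    echo "installed APK: $path"
    echo "APK digest: $(compare_digest "$expected" "$actual")"

    echo "granted permissions:"
    granted_permissions "$(adb shell dumpsys package "$pkg" | tr -d '\r')"

    # App-private storage (/data/data/<pkg>) is where in-sandbox state lives;
    # `pm clear` force-stops the app and wipes that directory.
    adb shell pm clear "$pkg"
}

# Usage: sh cleanup.sh <package-name> <expected-sha256>
# Runs nothing against a device when invoked without arguments.
if [ -n "${1:-}" ]; then
    inspect_and_reset "$1" "${2:-PLACEHOLDER_EXPECTED_SHA256}"
fi
```

The digest step answers the "can the binary be modified in place" question empirically for your own device: if the installed base.apk still matches the digest you recorded at install time, the cleanup only needs to cover app data, which `pm clear` removes. Anything the app may have written to shared storage under its granted permissions is outside `pm clear` and has to be reviewed separately.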