Google Keyboard w/ Network Permission Revoked

de0u

WestQuester Here is an example of a user who was surprised to find that an app was using IPC to fetch advertisements from Google Play: https://discuss.grapheneos.org/d/9943-app-displaying-ads-without-any-permissions

WestQuester

DeletedUser495 What have I written that makes you think I've downplayed IPC? I want to know the reality of its abilities and limitations (thus I said "I'm not sure if concerns...is warranted or not....I don't know for sure. I would love to know more about IPC and what is/isn't possible on the sandboxed versions in GOS").

I'm neither promoting dismissing IPC, nor am I promoting alarmism that apps are sharing data all over to circumvent network permissions (like malware).

I agree, sandboxing does not prevent IPC, but IPC isn't just a free-for-all data sharing either. Permissions still have some effect (e.g., contacts being denied one app doesn't mean that it can just get it through IPC from another). I don't understand exactly how it works or its abilities or limitations, thus my query.

I've read just about every thread on this forum dealing with IPC and numerous articles. The scope and implications for privacy are still not clear to me.

Probably9857

WestQuester Permissions still have some effect

Yes, but...

WestQuester contacts being denied one app doesn't mean that it can just get it through IPC from another

That is precisely what is possible via IPC, with the caveats:

The app providing the data of course must have permission to access that data in the first place
The two apps must both agree to the sharing

The permissions of the app receiving the shared data are not really relevant.

LGgos

One could argue that anything Google is malware colluding with other malware, but of course this would be personal opinion.

MineralWater

I think the whole concept of GrapheneOS sandboxing the Google Apps would be completely useless if IPC would give access to all data within a profile.

So there must be limitations. Even Google would be in heavy trouble if they would construct their OS in a way that once the phone is unlocked all data can be accessed by simply building an app.

LGgos

There has to be mutual consent between the apps. My only thought is that mutual consent between Google apps (and maybe any app using their services) is kind of a given.

I'm sure there's a good reason that filtering is in the works.

DeletedUser495

LGgos My only thought is that mutual consent between Google apps (and maybe any app using their services) is kind of a given.

👆

WestQuester

Probably9857 The permissions of the app receiving the shared data are not really relevant.

In other words, you are saying that I could have 15 apps that do not have contact permissions, and one app that has contact permission and theoretically this one app could gleefully share contacts with the 15 that have been denied, negating permissions altogether.

This implies that you can never be sure that if you give one app permissions to access something, that they all don't have it.

The developers guide indicates that an app should be designed to verify permissions before sharing information, so I suppose it's possible but that would also mean that any app which shares things like contact data are not checking and would be a significant security flaw.

Probably9857

WestQuester In other words, you are saying that I could have 15 apps that do not have contact permissions, and one app that has contact permission and theoretically this one app could gleefully share contacts with the 15 that have been denied, negating permissions altogether.

In theory, yes.

WestQuester It's concerning that this check isn't done by the OS but is left to each individual app.

It would be impossible for the OS to enforce if 2 apps collaborated to work around it.

Multiple profiles (or multiple devices) can mitigate this risk.

The planned app scopes feature is an attempt to block all IPC between apps, unless explicitly allowed by the user. Last I heard, this was proving more difficult than expected.

WestQuester

Any apps which collect personal information will, by default, have that data restricted only to the specific app. If an app chooses to make the data available to other apps though IPC, the app granting access can apply permissions to the IPC mechanism that are enforced by the operating system.

https://source.android.com/docs/security/overview/app-security

That indicates to me that a granting app would have to neglect to check for permissions, which would be a security issue. It's concerning that this check isn't done by the OS but is left to each individual app.

Fay_Wilmont

Maybe just treat groups of apps from the same company/developer as worthy or not worthy of internet access, sensitive permissions etc (or don't combine them in the same profile). I.e. if you don't want to grant Gboard internet access, and you have Play Services by the same developer, don't grant Play Services internet access either.

Same for Meta apps, or even Meta apps and websites containing Meta code:
https://www.ru.nl/en/research/research-news/new-research-highlights-privacy-abuse-involving-meta-and-yandex

Native Android apps, such as Facebook or Instagram, silently listen on fixed local ports to receive web tracking data from their web tracking solutions without user consent.

For that matter, even though apps come from totally different developers, lots of them share the same libraries by scumbag tracking companies, which may very well decide to talk to eachother across apps.

So better than trying to restrict apps you don't trust, is trying to restrict apps that you feel are probably trustworthy to begin with. Apps without trackers, apps with a privacy first approach etc.

Better to use an open source keyboard app with no trackers and minimal permissions from a developer that's pro privacy¹ to begin with, than trying to restrict one made by an online advertising monopolist.

¹ Until they decide to sell out of course *cough* Simple Mobile Tools *cough*

WestQuester

Fay_Wilmont Maybe just treat groups of apps from the same company/developer as worthy or not worthy of internet access, sensitive permissions etc (or don't combine them in the same profile). I.e. if you don't want to grant Gboard internet access, and you have Play Services by the same developer, don't grant Play Services internet access either.

In an ideal world, yes. But there are tradeoffs on time and effort.

In my case, I tried denying Play Services network access and Slack and Uber broke, both of which I need to use regularly. So I have to give it network access.

I tried using Textra and SMS, but people were sending me RCS messages and they were never delivered, causing me to miss some very important communications. I prefer Signal but I can't expect everyone I know to use it. So I have to have Google Messages. I tried denying it contacts but that wastes a lot of time trying to look up a contact's information and then separately creating a message to them, dozens of times a day. So Google Messages has access to my contacts. I don't use it signed into an account but who knows if that's effective at all.

I tried multiple keyboards. I regularly use swiping and not as many keyboards support that. I tried several for months and spent far too much time correcting typos. Gboard works nearly flawlessly immediately so I use it without network permissions.

I tried multiple cameras. Google's has the best, most reliable features for my daily use.

I tried putting things in a separate profile. It takes time to constantly switch back and forth and I didn't enjoy it.

So in my case, I don't like the reality of it, but I've decided that I prefer to live with this privacy concern than constantly live with a dozen work-arounds. But then again for me privacy is more of a principle thing: my life isn't depending on it.

App scopes would be wonderful, if that ever gets implemented. Then I can have the best (or better) of both worlds.

« Previous Page