by pritambaral 1007 days ago
I used to use something like that too. Then a set of apps from a scummy telephony provider in my country showed me evidence of how they circumvent this.

Turned out, all apps from this vendor talked to each other, in the background. If one app has filesystem access but no network access, and another has network but no filesystem access, the former can upload private filesystem data by sending it through the latter.


How do apps utilize permissions of other apps? How does the filesystem app communicate with the network app if it does not have network privileges and the other app has no filesystem privileges (i.e. there is no shared channel)?
Android supports IPC.
How did you figure that out?
Initial suspicion: Apps I had explicitly killed (equivalent to Force Stop) would start running. Most of these apps had no background services (or any reason to run in the background) and no notifications to show either. But they did have one thing in common: the vendor.

Further suspicion: Apps remain killed, for long periods of time, if I don't start any of them.

Quick test: Kill all apps. Start them one by one. Check if other apps are now running.

Confirmation: Pull APKs from device; RE their code for IPC.

Reminds me of this classic: https://web.archive.org/web/20160720140639/https://www.csd.u...

You’ve given me something to think about. Luckily, I only have to amend my mental model a bit, to assume giving a permission to any vendor’s app is to give that permission to every app from that vendor. In most cases where that would be a problem, I already run such apps under a separate user profile, which fully prevents IPC.
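
The mental model from the last comment (a permission granted to one app is effectively granted to every app from that vendor in the same user profile) can be turned into an audit. The following is an added example, not code from the thread: it assumes the signing certificate is a usable proxy for "vendor", and the package names, signer ids and profile numbers are constructed.

```python
from collections import defaultdict

# Real Android permission names; which ones count as "filesystem" is a choice made here.
FS = {"android.permission.READ_EXTERNAL_STORAGE",
      "android.permission.WRITE_EXTERNAL_STORAGE"}
NET = {"android.permission.INTERNET"}

# Constructed inventory: (package, signer id, user profile, granted permissions).
INSTALLED = [
    ("com.example.telco.files", "signer-A", 0, {"android.permission.READ_EXTERNAL_STORAGE"}),
    ("com.example.telco.chat", "signer-A", 0, {"android.permission.INTERNET"}),
    ("com.example.notes", "signer-B", 0, {"android.permission.READ_EXTERNAL_STORAGE"}),
    # Same signer as notes, but isolated in a separate user profile.
    ("com.example.notes.sync", "signer-B", 10, {"android.permission.INTERNET"}),
    ("com.example.browser", "signer-C", 0, {"android.permission.INTERNET",
                                            "android.permission.READ_EXTERNAL_STORAGE"}),
]

def has_both(perms):
    """True if a permission set covers both filesystem and network access."""
    return bool(perms & FS) and bool(perms & NET)

def split_capability_groups(apps):
    """Return {(signer, profile): [packages]} for groups whose apps jointly hold
    filesystem + network access although no single app was granted both."""
    groups = defaultdict(list)
    for pkg, signer, profile, perms in apps:
        groups[(signer, profile)].append((pkg, perms))
    flagged = {}
    for key, members in groups.items():
        union = set().union(*(perms for _, perms in members))
        if has_both(union) and not any(has_both(p) for _, p in members):
            flagged[key] = sorted(pkg for pkg, _ in members)
    return flagged

if __name__ == "__main__":
    for (signer, profile), pkgs in split_capability_groups(INSTALLED).items():
        print(f"{signer} (profile {profile}): combined storage+network via {pkgs}")
```

A flagged group only shows that the combined capability exists; whether the apps actually relay data over IPC still needs the kind of confirmation described in the thread.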