by gf000 8 days ago
Good point and thanks for the heads up.

Mostly asking this as a question: given that Graphene runs Google Play services (optionally) as a normal, sandboxed service with no special permissions, that might help a bit, but I guess unless you disable networking for every other service installed, this is sort of impossible to plug 100%? IPC can be quite the security hole.

2 comments

Only if the other services provide a network proxy, right? You'd need to find an exploit in the app otherwise.

Edit: although, I just remembered that it's actually as simple as sending "open this URL" intents to the Android equivalent of sensible-browser, which everyone will have installed. That does rely on users not understanding or caring about what's happening, or it only works for the first user.

Yeah, there are endless holes unfortunately with IPC. It has been hardened by more recent Android versions: https://developer.android.com/guide/topics/manifest/queries-...

But even something like "share via Chat app" can be used to leak information, e.g. it will have the link preview loaded.

Yes, IPC is definitely a security hole, but because the two apps communicating need to both explicitly support it (I really doubt there'd be an exploitable vulnerability here of all places), it's a much smaller concern. Here I'd mainly worry about apps like Google Photos talking to Google Play Services. GrapheneOS has mentioned they'd like to implement IPC scopes to isolate apps, just like contact scopes and storage scopes.