Re: [android-developers] Here an useful feature wish for the Android guru's: app sandbox

This is really for the android-security-discuss list.

There are implementations of this idea by various research groups:
enough that you can download and use a few of them. But most of them
rely on non stock Android ROMs.

FYI, it's impossible to just "deny the permission" to an app. If you
just flat out "deny" an app the permission, it will (most likely)
crash.

Why? Because many times a permission gates an API call which returns
some piece of information an app *has to have* to function. If you
just "return null" you'll quickly crash the app. So let's consider
the alternative: return some "sensible null value". To do this, you
need to do a fairly elaborate form of control flow analysis to detect
which parts of the app must be "patched" to work with the lack of
information. This is quite nontrivial, to say the least.

The closest to the solution you want is a slight variation: don't
grant an app access to a permission until it actually attempts to
access information guarded by that permission. This is doable, but
would require similar analysis and transformation (or a non backwards
compatible change to the API). There are also groups that implement
variations of those.

Kris


On Sat, Mar 30, 2013 at 1:38 PM, sbVB <sbvillasboas@gmail.com> wrote:
> When I install and run an application, that has a set of permissions
> granted,
> I feel afraid that something bad might happen.
>
> This is the case of an interesting game, and my personal phone.
>
> If I grant the permissions, it gets dangerous.
> If I don't grant the permissions, I don't run the app.
>
> Here is the feature wish:
> I want to use some sort of "sand box", that is completely external to
> any given application (probably at operation system tier), that
> can configure for each app a set of permission denials.
>
> If I activate the permission denials of the sandbox at a
> game for instance, the game asked for some permission
> and the game believes those permissions were granted,
> so it will be installed.
> But after the installation, the sandbox will deny selected
> permissions, so that the game app will not be able to
> actually do something in the scope of the denied permission.
>
> Google and guru's: implement this and get rich !
> I considered to implement it myself.
> I could do. But as I mentioned, this works at operating
> system tier, and it is quite complex.
> If Google invites me, I would happily join the team implementing
> this. But since I have to work, I get busy, so I won´t
> implement this in near future.
> That's why I'd rather just report this wish.
>
> Yours truly,
>
> ----------------------------------------------------
> +------+ Sergio Barbosa Villas-Boas
> /------/| sbvb@sbvb.com.br
> | sbVB |/ http://www.sbVB.com.br
> +------+ +55-21-7699-1337
> +55-21-2562-8782 (Labotim)
>
> --
> --
> You received this message because you are subscribed to the Google
> Groups "Android Developers" group.
> To post to this group, send email to android-developers@googlegroups.com
> To unsubscribe from this group, send email to
> android-developers+unsubscribe@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/android-developers?hl=en
> ---
> You received this message because you are subscribed to the Google Groups
> "Android Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to android-developers+unsubscribe@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>

--
--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
---
You received this message because you are subscribed to the Google Groups "Android Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.