Conversation

Jul 19, 2019

If you think that the #media files you receive on your end-to-end #encrypted secure messaging apps can not be tampered with, you need to think again!

@TheHackersNews

explore this new type of media form jacking below.

thehackernews.com

Hackers Can Manipulate Media Files You Receive Via WhatsApp and Telegram

WhatsApp and Telegram messenger could allow malicious apps installed on your device to manipulate incoming media files, and spread fake news or scam you into sending payments to the wrong account.

123

Replying to

and

I’ve never coded for android but dream in Linux ... How is it that android (based on Linux) does not run each app as a underprivileged user and set ‘owner only read’ permissions on files it writes to external storage??? This seems bloody obvious and relatively easy to implement.

Replying to

and

> How is it that android (based on Linux) does not run each app as a underprivileged user Each app runs with a unique user / group for the app in the profile. They also run within a unique instance of the untrusted_app SELinux domain, which implements most of the isolation.

Replying to

> set ‘owner only read’ permissions on files it writes to external storage The usual storage location for apps is in their internal app sandbox. External means outside of the app sandbox and requesting access to external storage is a legacy approach to sharing data between apps.

Replying to

The whole point of external storage is that it's shared storage between apps. The ability to request global access to it was a poor design that started to be phased out in Android 4.4 which introduced granting case-by-case file access instead. 5.0 extended that to directories.

Replying to

Scoped storage (developer.android.com/preview/privac) will finally remove the legacy approach to shared storage, by getting rid of storage permissions to request global external storage read / write access. It emulates the legacy approach with a scoped directory but it's not the intended use.

Replying to

developer.android.com/guide/topics/p is how apps were supposed to access storage since Android 4.4. It opens a system file picker and the user chooses the files / directories. This way, there are no permissions, and they can select files / directories from external drives or app providers.

11:32 AM · Jul 20, 2019Twitter Web Client

Replying to

Unfortunately, there was massive pushback against Scoped Storage from anti-privacy app developers. They successfully misrepresented the feature and used journalists and power user communities as tools to fight against it. Apps can now opt-out of it until the Android R API level.

Replying to

Is there any mitigation in a foreseable future? Can

@GrapheneOS

deal with this situation and support the Scoped-Storage-like features?

Show replies