Weird that if an apk has `android:autoVerify="true"` for any site associations - that the package manager will beacon out to those sites w/ device information (build, etc) from your device w/o any acknowledgement, notification or choice?
developer.android.com/training/app-l
Conversation
Note that this occurs before you've ever run the application - but now the sites they listed in the APK already know your device build, ip address, etc --- all prior to any user interaction
1
2
Oh and this all occurs regardless of installation path, e.g. - ADB, third party market or Google Play --- since this is part of the PackageManager that's built in.
1
Replying to
It's done by IntentFilterVerifier. The package manager triggers it and will still work with it disabled. Since the INTERNET permission is only static information in the manifest like this rather than a user-facing permission with a toggle, it doesn't really make much difference.
Replying to
Yup, I caught this via some testing which was restricting that verifier. Just didn't know this was a thing/happening for a while.
Seems odd, not saying it's extremely bad or anything, but seems like it could have been done at the time of intentfilter usage?
1
Replying to
I think the reasoning behind attempting to do it as early as possible is that it might not work later. The site could go down, have high latency, etc. We haven't decided if we should change anything about it in GrapheneOS. Need to look into details of the semantics a bit more.
1
Show replies
You can disable the app implementing this via the Settings app. The user-facing name of the app is "Intent Filter Verification Service". So, in that sense, there is a toggle available for the functionality as a whole.
1
1