Weird that if an apk has `android:autoVerify="true"` for any site associations - that the package manager will beacon out to those sites w/ device information (build, etc) from your device w/o any acknowledgement, notification or choice?
developer.android.com/training/app-l
Conversation
Note that this occurs before you've ever run the application - but now the sites they listed in the APK already know your device build, ip address, etc --- all prior to any user interaction
1
2
Oh and this all occurs regardless of installation path, e.g. - ADB, third party market or Google Play --- since this is part of the PackageManager that's built in.
1
Replying to
It's done by IntentFilterVerifier. The package manager triggers it and will still work with it disabled. Since the INTERNET permission is only static information in the manifest like this rather than a user-facing permission with a toggle, it doesn't really make much difference.
2
Replying to
Yup, I caught this via some testing which was restricting that verifier. Just didn't know this was a thing/happening for a while.
Seems odd, not saying it's extremely bad or anything, but seems like it could have been done at the time of intentfilter usage?
1
Replying to
I think the reasoning behind attempting to do it as early as possible is that it might not work later. The site could go down, have high latency, etc. We haven't decided if we should change anything about it in GrapheneOS. Need to look into details of the semantics a bit more.
Replying to
Yea, I can think of reason why it would be good to do - though it seems odd to do before the app is allowed to interact with system, imho
1
It's essentially giving a non-executable application the ability to see some device info and register handlers before the user has ever interacted with it (extra entry points) --- though I'm sure the later is actually the primary use-case