Conversation

Apr 27, 2021

wait WHAT, this is the "issue" people are talking about? that's ridiculous, you literally cannot defend an Android device against apps which can use system permissions

Quote Tweet

henry

@hdevalence

Apr 27, 2021

this isn’t a contact tracing problem, and painting it as one does a huge disservice to the privacy engineering that went into getting that protocol built and deployed

Show this thread

Replying to

It's ridiculous but you can definitely defend devices against system apps. They're still sandboxed. If an OEM bundles an app like Facebook, it doesn't get privileges it wouldn't get as a user installed app unless they go out of the way to grant each one.

Quote Tweet

Daniel Micay

@DanielMicay

Apr 27, 2021

Replying to @hdevalence

The article is definitely highly inaccurate and misleading. System apps are still sandboxed and constrained by the permission model. They don't have full access to system internals. Some (not all) system apps are priv-apps and can use privileged permissions whitelisted for them.

Replying to

yeah, i should have been clearer in saying that the OEM decides which apps get the permissions. just the point was that a malicious OEM can't be stopped by, e.g. deciding not to log things

Daniel Micay

@DanielMicay

Replying to

@saleemrash1d

I feel like the article is trying to mislead people into thinking OEMs bundling apps like Facebook give them access to these logs through bundling them. They get no additional capabilities/permissions simply from being bundled though.

4:13 PM · Apr 27, 2021Twitter Web App

Replying to

and

I don't think all that bundled 3rd party bloatware is a good thing but most of it is simply a bundled, regular app with no more capabilities than a user installed app. I have extremely low expectations for coverage of privacy and security in the media though. This is typical.