Building a cross-platform metadata resistant messaging tool is 50% research, 50% security engineering and 80% staring in horror at proposed dependencies and wondering if people are aware that not every library needs to handle arbitrary remote resources "as a feature".
I just want to play a local audio file, and every audio dependency README is like "you can now set custom HTTP headers and cache timeouts"
And this is why doesn't support images or audio yet, even though "rendering images / playing audio" is "easy": "rendering images / playing audio" that may have been maliciously crafted, in ways that don't leak metadata in arbitrary ways, is certainly not.
Ideally, do that kind of thing in an isolatedProcess service:
developer.android.com/guide/topics/m
isolatedProcess services are the Chromium layer-1 sandbox implementation on Android and it's very easy to use. It's just a fully unprivileged service only able to communicate via service API.
You can load native libraries that are properly bundled in the APK, ideally using the modern approach with extraction from the APK disabled.
Ideally, decode the media there and stream the frames, etc. to the app in a trivial format. It's quite to do this for images, at least.
Entirely possible for a library designed for use on Android to do this internally without being part of the API. It's unfortunate that it's so underused in the ecosystem. Entirely possible to make a reusable Kotlin/Java library wrapping media libraries in that sandbox internally.
Can define a bunch and then use them only for specific contexts like per-conversation as Chromium does for site isolation. Can essentially use it as a thread pool but respawn them before using them for a different context to keep the different contexts properly isolated.
Great sandbox even without finer-grained seccomp-bpf filter on top like Chromium does. Deals with all details and is portable everywhere.
They run in a highly restricted isolated_app domain with unique, ephemeral uid/gid for each and basic seccomp-bpf like regular app sandbox.
Out of curiosity are the isolated processes also stripped of the default permissions all apps get on Android? Last I checked there was no way to publish an app without network permissions.
There aren't default permissions and the INTERNET permission isn't mandatory. INTERNET is not one of the user-facing runtime permissions though. One of your libraries is probably adding the INTERNET permission through their own manifest. It's not at all a baseline requirement.
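A minimal sketch of the pattern discussed in this thread, written as an added example rather than code from any of the participants: a decoder Service declared with `android:isolatedProcess="true"` decodes an untrusted image with the platform codec inside the isolated_app sandbox and hands back only width, height and raw ARGB pixels through `SharedMemory`, so the main app never runs a parser over attacker-controlled bytes. The class names, the transaction code and the manifest entry are assumptions made for this example; `SharedMemory` needs API 27 or later.

```kotlin
// Assumed AndroidManifest.xml entry inside <application> for this example:
//   <service
//       android:name=".ImageDecoderService"
//       android:isolatedProcess="true"
//       android:exported="false" />

import android.app.Service
import android.content.ComponentName
import android.content.Context
import android.content.Intent
import android.content.ServiceConnection
import android.graphics.Bitmap
import android.graphics.BitmapFactory
import android.os.Binder
import android.os.IBinder
import android.os.Parcel
import android.os.SharedMemory
import android.system.OsConstants

/** Transaction code shared by both sides (value chosen for this example). */
const val TX_DECODE_IMAGE = Binder.FIRST_CALL_TRANSACTION

/** Runs in the isolated_app sandbox: untrusted bytes in, raw pixels out, nothing else. */
class ImageDecoderService : Service() {
    private val binder = object : Binder() {
        override fun onTransact(code: Int, data: Parcel, reply: Parcel?, flags: Int): Boolean {
            if (code != TX_DECODE_IMAGE || reply == null) return super.onTransact(code, data, reply, flags)
            val encoded = data.createByteArray() ?: ByteArray(0)
            // A codec bug triggered here takes down only this unprivileged,
            // network-less process, not the app holding the conversation data.
            val opts = BitmapFactory.Options().apply { inPreferredConfig = Bitmap.Config.ARGB_8888 }
            val decoded = BitmapFactory.decodeByteArray(encoded, 0, encoded.size, opts)
            if (decoded == null) {
                reply.writeInt(0); reply.writeInt(0)   // width/height 0 signals a decode failure
                return true
            }
            // Normalise to one trivial pixel format so the receiver needs no format logic.
            val bmp = if (decoded.config == Bitmap.Config.ARGB_8888) decoded
                      else decoded.copy(Bitmap.Config.ARGB_8888, false)
            val width = bmp.width
            val height = bmp.height
            // Raw pixels in shared memory: sidesteps the ~1 MB Binder transaction limit
            // and carries none of the original file's metadata across the boundary.
            val shm = SharedMemory.create("decoded-frame", bmp.byteCount)
            val out = shm.mapReadWrite()
            bmp.copyPixelsToBuffer(out)
            SharedMemory.unmap(out)
            shm.setProtect(OsConstants.PROT_READ)   // the app side can only read the frame
            bmp.recycle()
            reply.writeInt(width)
            reply.writeInt(height)
            reply.writeParcelable(shm, 0)
            return true
        }
    }

    override fun onBind(intent: Intent): IBinder = binder
}

/** App-side client: binds the sandboxed decoder and rebuilds a Bitmap from the raw frame. */
class SandboxedImageDecoder(private val context: Context) : ServiceConnection {
    @Volatile private var remote: IBinder? = null

    fun bind() {
        context.bindService(Intent(context, ImageDecoderService::class.java), this, Context.BIND_AUTO_CREATE)
    }

    /** Unbinding ends the isolated process; rebind before decoding for a different context. */
    fun unbind() {
        context.unbindService(this)
        remote = null
    }

    override fun onServiceConnected(name: ComponentName, service: IBinder) { remote = service }
    override fun onServiceDisconnected(name: ComponentName) { remote = null }

    /** Blocking Binder call: invoke from a worker thread, not the main thread. */
    fun decode(encoded: ByteArray): Bitmap? {
        val binder = remote ?: return null
        val data = Parcel.obtain()
        val reply = Parcel.obtain()
        try {
            data.writeByteArray(encoded)
            if (!binder.transact(TX_DECODE_IMAGE, data, reply, 0)) return null
            val width = reply.readInt()
            val height = reply.readInt()
            if (width == 0 || height == 0) return null
            val shm = reply.readParcelable<SharedMemory>(SharedMemory::class.java.classLoader) ?: return null
            val pixels = shm.mapReadOnly()
            val bmp = Bitmap.createBitmap(width, height, Bitmap.Config.ARGB_8888)
            bmp.copyPixelsFromBuffer(pixels)
            SharedMemory.unmap(pixels)
            shm.close()
            return bmp
        } finally {
            data.recycle()
            reply.recycle()
        }
    }
}
```

The per-context isolation mentioned above maps onto `bind()`/`unbind()`: unbinding an isolated service ends its process, so calling `unbind()` and `bind()` again between conversations gives each one a fresh uid and address space. Native decoders bundled in the APK can be loaded from the same service class in the usual way; the process they land in is still the unprivileged one.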