dessant 23 days ago [-]
A revocable permission for network access on Android would be a great step towards giving users more control over which apps can transmit their personal data.

An entire class of apps could be rendered safe by disallowing network access, especially the ones that do work offline, but are keen to phone home.

kace91 23 days ago [-]
The problem is when an app finds a bullshit excuse to refuse to work unless they're provided all wanted permissions. even if they don't hard block their content that way, in practice, people are just going to flip the switch that makes the app work or make a dialog go away without reading.

I just don't think pushing the choice of permissions to the end user is a good idea, not by itself. UX teaches us that people are lazy and will go through the easiest path.

kevin_thibedeau 23 days ago [-]
LineageOS has the solution to this problem. You can revoke fine grained capabilities while letting the app still think it has the permissions.
userbinator 23 days ago [-]
Indeed. On the desktop, this is also known as a firewall. All apps practically think they have "network permissions", but if they actually try to make a connection, it will either time out or return errors.
jdc 23 days ago [-]
For Android users, there's the NoRoot Firewall app, which works via the VPN interface.
kawera 23 days ago [-]
I've been using NetGuard for a few months with good results: https://github.com/M66B/NetGuard (by the author of XPrivacy)
zamadatix 23 days ago [-]
For just networking sure, this approach also covers all other permissions though.
bscphil 23 days ago [-]
What operating systems have built in support for firewalling specific applications?
squiggleblaz 23 days ago [-]
Having moved from Windows to Linux partially because Windows was about as secure as a flyscreen door, I've recently switched back to Windows.

Whenever a version of an app wants to provide a network service, Windows first asks if this specific app can provide network services on this class of network (public connection or private connection). So it is not just builtin, but for a particular class of restriction even easy to use. Blocking consumption of resources is an advanced feature though.

I used to use a program called "firestarter" on Linux, which provided a way to block specific apps. Long time since I've done that though, since most of the untrusted apps on Linux are Chrome and the ones you run in Firefox.

viraptor 23 days ago [-]
Depends what you mean by built-in. On Linux you can easily start something either in a namespace with no network, or filter out network calls by syscalls. Selinux/apparmor/tomoyo give you more fine grained control over what can be done over the network.
dogmatism 23 days ago [-]
Linux generally comes with iptables which can be used for it, but more efficiently most distributions have some system for access control like SELinux or apparmor which can also do it. Sorry not familiar if this is a thing on Windows/Mac/BSD's. In fact I think Android has SELinux built in, but not user accessible without root.
toast0 23 days ago [-]
Desktop windows has this.

FreeBSD ipfw can firewall by userid, and Android runs each app under a different user (and would probably run apps in jails on FreeBSD, jail IDs are also available for firewalling)

hirsin 23 days ago [-]
Windows has for over a decade, I assume Linux does too.
nvr219 23 days ago [-]
Windows XP and later
decoyworker 23 days ago [-]
There should me a method of taking this further. Like having the real radio, sensor, etc information but also having a mocked version of these interfaces. The user can toggle mocked or real interface and the app has no idea which it is receiving. Each one can be faked in its own specific way (spoofed GPS looks different than spoofed accelerometer, etc).

Edit: Disclaimer I have almost 0 knowledge of Android development.

kace91 23 days ago [-]
It's still an action the user has to perform, which most people won't bother doing (or know how to do it).

I don't think the user of an app should be left to its own devices to ensure its own privacy by outmanoeuvring developers, and giving them tools to do it it's just not good enough.

kevin_thibedeau 23 days ago [-]
That is simply a result of grafting in the revocation mechanism to an OS whose controller doesn't want to enable such freedoms.
jjeaff 23 days ago [-]
Sounds like a good way to cause problems that are extremely difficult to troubleshoot.
steve19 23 days ago [-]
Early versions of android did have a network permission. It was not able to be revoked but at least you knew apps that had no reason to require network access, like early flashlight apps, were not exfiltrating data.

The permission may still exist (it has been a long time since I last wrote an android app) but it is no longer user visible.

AnssiH 23 days ago [-]
It is still there and visible on both Play Store and Settings when you open the full permission list for an app.

It is called "have full network access".

panpanna 23 days ago [-]
This would make things so much safer for everyone but Google has so far refused to do this.

(Android DOES have a network permission, but at some point Google decided it should always be allowed)

UncleMeat 23 days ago [-]
Something like 75% of code in apps nowadays are part of SDKs. Even if an app itself doesn't need network, you need the network for ads and analytics.
shakna 23 days ago [-]
So why not have a network interface that supplies a more fine-grained access, like CSP? (Except hopefully without the godawful syntax).
UncleMeat 23 days ago [-]
Because people have also done science to demonstrate that fine grain permissions don't work for the huge majority of users.
shakna 22 days ago [-]
That fine-grained permission isn't handled by the user. You as a user don't employ CSP.

Rather, when requesting the permission from the OS, the developer has to supply a list of approved scopes and domains, and anything outside of that gets automatically blocked.

No involvement from the user.

userbinator 23 days ago [-]
but at some point Google decided it should always be allowed

Not at all surprising, if you consider Google's motives; they both want to appear like they care about privacy and give you an illusion of control, but at the same time they are ultimately an ad company who profits from the lack thereof. A lot of the decisions they make about their products make a lot of sense from this perspective.

viraptor 23 days ago [-]
That's not a good take for a few reasons:

- apps can use other ad networks than Google, and blocking network access would bring them more profit (higher app cost / more push for in-app spend)

- they can create separate categories for ad traffic and general network traffic

- having ads as a system element and limiting network access would allow them to cut off other ad networks to some extent, bringing more profit (although that's opening the doors to more talks about monopoly)

ignoramous 23 days ago [-]
This has been possible since Android 8, if not before. You could, per app, from the App Info page:

1. Disallow bg internet access.

2. Disallow fg internet access over wifi.

3. Disallow fg internet access over mobile network.

I've been building an app that exposes privacy features like bouncing permissions when apps are in bg (remember AppOps?), firewalling apps by disallowing data usage, setting DNS over TLS to servers that blackhole ads and trackers, show log of network activity, kill bg processes and activities and so on. Hopefully, would be done in a month or so.

You could do all of the above, today, but mostly, manually, by navigating through nested menus and what-not.

Android 10 would make some parts of what I'm building obsolete, and that's a good thing.

dessant 23 days ago [-]
Is it possible that some of the controls for these network permissions you list are not in AOSP, but in a ROM made by the manufacturer of your device?

The ones I've seen had a setting only for restricting background data usage.

ignoramous 23 days ago [-]
I've exercised this setting in Xiaomi, Oppo phones (Realme, Vivo, One Plus included) [0]. Unsure if it is in AOSP, but a user reported that its present in their Pixel running 8.1 [0]?

You could see if NoRoot Firewall (requires VPN) or Glasswire (may or may not require VPN) help you disallow internet access per-app.

[0] https://old.reddit.com/r/oneplus/comments/79g0ue/til_oxygeno...

saagarjha 23 days ago [-]
This might be a Chinese thing: iPhones sold there have an option to disable apps from connecting to WLAN but I haven't seen this on any other SKU.
23 days ago [-]
Someone1234 23 days ago [-]
I have a Pixel 3 with the latest retail release (Android 9/August 1, 2019). I cannot do any of the things you described for any apps via the App Info page.

I have permissions sliders for Camera, Contacts, Location, Microphone, Phone, and Storage. None at all for internet access or any specific network.

The permissions you list don't appear to be part of Android (8 or otherwise) and are likely after-market extensions in your phone's ROM.

hnburnsy 23 days ago [-]
You don't see it under apps & notifications - - > data usage control?
grawprog 23 days ago [-]
I have two options on android 9 on a Motorola g7 background data usage and unrestricted data usage. On allows or disallows background data usage, the other allows full access to data when data saver mode is on. When I go to show all permissions it shows me which apps have full network access but does not allow me the option to toggle it.
hnburnsy 23 days ago [-]
I see from another comment this is from my phone manufacture one plus, thanks to them for that.
Someone1234 23 days ago [-]
That's all I see too.
dingo_bat 23 days ago [-]
Ditto on Galaxy S10.
HenryBemis 23 days ago [-]
Since I never trusted iOS setup that one cannot restrict WiFi access on apps I had a firewall on my (jailbroken iOS). Now on Android I do the same (not trust the OS or the Data/WiFi switches and again I use a firewall to block either Data or WiFi or both.

I also do this for data usage, e.g. Spotify and my podcatcher use Wi-fi while email etc use both data and WiFi.

Edit: in the same spirit I block all free apps that don't require network connectivity such as health/workout apps. I kill all ads, and keep my data within.

Edit2: android firewall is called "NoRoot Firewall"

23 days ago [-]
llarsson 23 days ago [-]
A cheap Huawei phone I had let me do that, right from its Settings! Now I have to use NetGuard for that (no root required).

And this is how I have learned that Google's Calc app apparently wants network access. No thanks!

kerng 23 days ago [-]
Right on! Those are the very features that I'm missing!

It seems super simple to provide that basic level of control to the end user.

I also want shadow/fake address books and location information as a feature.

izacus 23 days ago [-]
This headline is grossly misleading - Android 10 has fixed those 193 vulnerabilities. The title as it is, implies they still need to be fixed.

This kind of content is usually never worded like this for other products, can the moderators fix it?

jm4 23 days ago [-]
Another crap Forbes contributor article. The fix is to ban these posts. These articles have basically zero credibility because they are written by ordinary dopes who pay to have their blogs published on forbes.com. There is no fact checking, no verification of the author’s background and expertise, nothing. You pay and get published and people get the impression it’s “news” because of the Forbes name.
discreditable 23 days ago [-]
Forbes articles are pretty clickbait. I blocked them in Google News because their headlines are bonkers. It's always a formula like

Microsoft issues update warning to 10 gorillion PCs (some super minor problem in the last patch cycle)

10 bazillion Android phones have spyware (some malware app was removed from the play store)

microcolonel 23 days ago [-]
The writing is extremely clumsy, I had to go to the linked post from Google to find out that the author meant that Android releases will no longer be named after desserts.
_asummers 23 days ago [-]
Changing Need --> Needed should be enough.
saagarjha 23 days ago [-]
> Google will now require developers to use resettable identifiers to keep track of users. That way, if these digital fingerprints are ever compromised, or if you want to wipe your digital slate clean, there's a mechanism to do that.

Does this mean device fingerprinting will no longer be allowed?

cameronbrown 23 days ago [-]
It's very difficult to prevent fingerprinting. Google's had the Android advertising ID for ages (which is a unique user resettable identifier) but it's entirely possible to ignore it. I'm not sure if Admob does allow you to set your own custom IDs with your own fingerprinting, but preventing that would go a long way.
olliej 23 days ago [-]
Alas not allowed != not happening. Just look at the eternal grindstone Apple has to go through.
kinow 23 days ago [-]
>The top changes include "scoped storage" to give users more control over files by only allowing Android 10 apps a filtered view of their app-specific directory and specific types of media.

A great change. I don't mind having to spend some time going over each time, making sure the right settings are in place for security and privacy.

The other changes for location and camera access by apps are good too. Just hope the update will include my old-ish device.

panpanna 23 days ago [-]
Seriously, why is this news?

Android 10 is still being worked on, if it was ready it would have been released.

xchaotic 23 days ago [-]
Google fixing vulnerabilities even before the release can only be good news, but one does have to be wonder why a whole class of such vulnerabilities are even allowed after so many releases?
saagarjha 23 days ago [-]
Because software has bugs?
zsrxx 23 days ago [-]
...maybe because they were not discovered before or have been introduced recently?
kerng 23 days ago [-]
Google refuses to do something about arbitrary network connections, most likely due to their ads business model. Their ads require network connections to work!
ezequiel-garzon 23 days ago [-]
Do previous Android versions have these vulnerabilities?
tssva 23 days ago [-]
The headline is misleading. These vulnerabilities are not in Android 10 but are fixed by Android 10. Which of course means they exist in versions prior to Android 10. Google provides security updates for prior versions so what is not clear from the article is whether these are only fixed by upgrading to Android 10 or whether they were identified during the Android 10 development process but fixes will also be available for prior versions.
hn_throwaway_99 23 days ago [-]
> These vulnerabilities are not in Android 10 but are fixed by Android 10. Which of course means they exist in versions prior to Android 10.

That's not accurate. Android 10 is still in beta, so many of these vulnerabilities (just like many other bugs you'll see in a beta) are likely new to Android 10, and will be fixed before the final release.

HillaryBriss 23 days ago [-]
my take on the headline is that Q fixes vulnerabilities that exist in pre-Q versions. this means that those vulnerabilities are still in effect for the vast majority of current users, and will be for some time since it will take years before Q is actually being run by the majority of android devices. the vulnerabilities are very much alive.
surak 23 days ago [-]
We can still not sandbox apps access to data by default. Numerous academic projects have show how this can be implemented, e.g. by fudging data when details are not needed. Also, in order to get these security fixes I have to buy a new device from one of their partners.. Google has failed society by advancing surveillance capitalism to the extreme.
panpanna 23 days ago [-]
I don't think you have really used Android lately.

1. Google has added API to access resources without getting full unconditional access

2. They are enforcing use of correct APIs on their store

3. Most of the system is now updated from the store. This is significantly faster than any of their competitors

4. Most vendors are now providing timely security updates. Some even have an Enterprise program with 4-5 years of updates.

surak 23 days ago [-]
I use it every day. Regarding P1, if an app ask for permission access to e.g. images or location, and you use the app, how would you limit what the app can send home or even review it? See discussion in the other comments if you're not an Andriod developer.
vetinari 23 days ago [-]
Since Android v1, it offers APIs (intents) for picking items belonging to other apps or doing an action on behalf of other apps.

Applications do not need access to gallery; they can ask the gallery to let the user pick the pictures he wants to work with; the app does not need the access to camera, it can ask the default camera app to let the user make the photo and get the result. The app does not need access to telephony; it can ask dialer to dial a number on it's behalf. Etc, etc.

The developers didn't use these APIs because users were asking for iOS style integrations, where any apps does everything for itself, instead of using system components. So they got it.

Already__Taken 23 days ago [-]
my android one branded Nokia has had a decent amount of updates and my partner's last few Motos. it's getting better for Android slowly
surak 23 days ago [-]
Going after a subset of low end devices seems a bit off-putting to me. A-One should be mandatory, but most manufacturers are hooked on adding bloatware to track you.
close04 23 days ago [-]
Google is really doubling down on privacy right on the heels of repeated scandals. Wonder if i will last longer than customer's memory of said scandals before they go back to the business model that brings them the money.
WilTimSon 23 days ago [-]
As long as we get to reap the benefits at least for a bit - I'm happy. Plus, I always find that a bad company/product trying to do better often spurs on superior competitors. WhatsApp has been rubbish for a while now and so better messengers like Wire, Telegram, Signal etc. have appeared. Maybe someone will use Google's new privacy-related advances to improve their service as well.
microcolonel 23 days ago [-]
The move to a joyless, bland release naming scheme in order to appease a perceived mass of illiterate rubes who somehow care about their Android version but can't read past the name of a dessert...

To me it is another signal of the erasure of cultural flavour at the company; the pivot to a base, power-chasing, stifling corporatist death march toward nowhere of interest.