Do not really understand how Android sandboxing works for system apps.

  • onlinepersona@programming.dev
    link
    fedilink
    English
    arrow-up
    8
    ·
    1 year ago

    In order to have google apps and google services on an android installation that doesn’t have them yet, you need to sideload them. LineageOS has a list of GApps zips and here’s an example of how to install them for a FairPhone running LineageOS.

    If you look into the zip /system/system_ext/etc/permissions/privapp-permissions-google-system-ext.xml, you can see all the permissions given to it a system application.

    android.permission.RECOVERY, android.permission.MANAGE_USERS, android.permission.INTERACT_ACROSS_USERS stand out the most. These permissions allow the phone to be started, arbitrary apps to be installed and users to be created with new permissions.

    Google Services doesn’t need to have access to camera or any other component as it can install whatever it likes that has access to those.

    Let’s not kid ourselves, if you have Google Services installed, you have a rootkit installed with a bunch of proprietary code.

    Here’s the entire file for reference and you can look up each permission individually to see what access will be given.

    
    
    
        
            
            
            
            
        
    
        
            
            
            
        
    
        
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
        
    
        
            
        
    
        
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
        
    
    
    • FarLine99@lemm.eeOP
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      1 year ago

      Thanks for the detailed response. Creating/interacting between new users is a serious opportunity for permission bypass. Content of the file won’t load for some reason, but still :)