You're correct, but there's a good reason: they need to draw over other apps to do what they do. So it's not necessarily nefarious. But it is an excellent reason to build the functionality into the OS.
(The reason the permission is so dangerous is they can trick you into pressing the wrong button by relabeling dangerous text with innocuous text.)
The presence of a good reason is exactly why you have to be so careful. Creating an app with a legitimate reason to request permission, only to also abuse it, is a great strategy for an attacker.
Absolutely, which is why I really appreciate the network permission on GrapheneOS. It makes me more comfortable to allow other permissions knowing no data can be exfiltrated.
It's wild to me that "internet access" is not revocable or even displayed in the Play Store in stock Android. It's such a huge security and privacy concern, even if most apps semi-legitimately need it.
Or, it would be wild, if it weren't fairly obvious that this is just Google protecting their mobile ad revenue.
There's basically zero apps without some sort of analytics nowadays.
More than half of the ones I have installed have no internet access. Most because they don't have the permission (thanks, F-Droid!) and the rest because I've rejected that permission (thanks, GrapheneOS!)
That's fine. The OS should still let me turn off all outbound network connections for an app.
Apps that are solely relying on analytics still tend to function when the analytics are unreachable.
Well, Google is the advertisement company.
>no data can be exfiltrated.
Well, that depends on the other apps you have installed. Unless things have changed in newer versions, apps with no networking can still do IPC, so any app can for example use Cronet to make network requests via Google Play Services, regardless of the toggle, as long as sandboxed Google Play Services has network permission.
Good point and thanks for the heads up.
Mostly asking this as a question: the fact that Graphene runs Google Play Services (optionally) as a normal, sandboxed service with no special permissions might help a bit, but I guess unless you disable networking for every other service installed, this is sort of impossible to plug 100%? IPC can be quite the security hole.
Yep, nothing has changed yet. The GOS project still has this on the roadmap, but as of now Inter Profile Sharing still works.
Agreed.
Network permissions could be used to avoid ads on Android. The horror!
And it even fails in the way that apps will see no-wifi and believe the entire device is offline. That way they can't detect it and mess around without harming regular offline users.