It's nice to be able to toggle it (it's also possible to revoke this permission on GrapheneOS). However, it is imperfect, since apps within the same profile can still communicate through IPC, so if apps cooperate, network access can still be achieved. I would guess that Play Services is one of the larger offenders, since many apps communicate with Play Services, and as far as I understand (but I may be mistaken), Play Services does work that involves internet access on behalf of other apps.

You could of course disable network access to Play Services, but at least for me that broke a bunch of apps or made them unreliable.

What AOSP ROMs need besides the network permission toggle is IPC scopes functionality, akin to storage scopes.

GrapheneOS has user profiles, but they're too heavyweight for most uses.

Profiles are a thing in "stock" Android too; they just don't have the toggle to disallow them working in the background, the "Install available apps" option and Google services also keep working across profiles.

If you want something less disruptive for isolation, there's Private Space. What I like is that this can stop apps there from working in the background on stock Android as well.

> However, it is imperfect, since apps within the same profile can still communicate through IPC, so if apps cooperate, network access can still be achieved.

Folks bring up 'IPC' as if this is some chink in the armour in AOSP. It isn't. 'Apps' pretty much on most consumer OSes can 'IPC' their way with other co-operating apps to 'achieve' network access from behind a firewall, just the same.

> since many apps communicate with Play Services and as far as I understand (but I may be mistaken) Play Services does work that involves internet access on behalf of other apps

If the OS or its privileged component will fchown the socket to the origin app, I think the INTERNET permission will be enforced as expected.

There is very little IPC that is allowed for apps that do not share a development team on iOS.

> There is very little IPC

I am not familiar with iOS internals, but does "very little IPC" mean "zero IPC"? Because if we are talking IPC in the context of bypassing permission checks, I imagine, 'very little' doesn't cut it?

GrapheneOS not only has this permission, but it asks you every time you install an app.

Can confirm Graphene also has it