GrapheneOS / os-issue-tracker

Issue tracker for GrapheneOS Android Open Source Project hardening work. Standalone projects like Auditor, AttestationServer and hardened_malloc have their own dedicated trackers.
https://grapheneos.org/

app communication/visibility scopes for non-system components #2197

Open thestinger opened 1 year ago

Titaniumtown commented 1 year ago

This would be a great addition and would allow a more robust isolation of apps from each other! Hope to see this added in the future.

MichaelDevon commented 9 months ago

Kind of related: Can apps grab the colors from the user's wallpaper directly, or can they only read the active material 3 color theme? If they can access the wallpaper colors via some kind of API then it would be a good idea to allow users (via a toggle) to set any background without worrying about fingerprinting via wallpaper, and providing apps with a pure black value when requested. This is of course useless if apps only see the active color theme because then users can just select the monochrome one.

lbschenkel commented 5 months ago

I'm not sure if in scope for this feature, but please take a look at https://discuss.grapheneos.org/d/13006-nordea-mobile-danish-claims-malicious-software-running/30 and consider implementing limits on how apps can enumerate each other, especially accessibility apps.

In the Nordics some well-known apps started to abuse this capability by enumerating the accessibility apps, and refusing to work if they see anything that they don't like — pure security theater, of course. The Nordea app is an egregious case of refusing to work even if a "bad" app (in this case Talkback) is off — just being installed is enough.

Otherwise I can create a separate feature request, if warranted.

thestinger commented 5 months ago

There are already current limits on apps detecting and communicating with other apps via profiles. Controlling that within profiles is what this feature is about. We don't need another issue.

thestinger commented 5 months ago

@lbschenkel It's not going to make any difference in this case because TalkBack is a system app. It's ridiculous to refuse to run because of a standard open source accessibility service that's also used in every Google certified Android build with Google's build. Talk to the developers of these apps.

lbschenkel commented 5 months ago

> @lbschenkel It's not going to make any difference in this case because TalkBack is a system app. It's ridiculous to refuse to run because of a standard open source accessibility service that's also used in every Google certified Android build with Google's build. Talk to the developers of these apps.

As usual, I know it's ridiculous and I know it's not GrapheneOS's fault. But all these sandboxing features (in the same profile) are about an adversary relation with the apps in some degree, and enumeration of apps is yet another thing being abused in the name of security theater. Therefore it could be useful for the user to have some knobs that limit app enumeration to keep these apps at bay. Maybe it could fit the work you're doing. Something to think about, that's all I'm saying.

P.S.: Nordea app works on a Google certified phone. I just checked it myself. The app is closed source so I can only speculate at what it does, but I'm presuming that they are checking the app signature and only accepting the Google version, not the AOSP one. That is beyond the pale, of course.