
Android 10: Google Confirms 193 Security Vulnerabilities Need Fixing - kerng
https://www.forbes.com/sites/daveywinder/2019/08/23/android-10-google-confirms-193-security-vulnerabilities-need-fixing/#3a94f6c9616b
======
dessant
A revocable permission for network access on Android would be a great step
towards giving users more control over which apps can transmit their personal
data.

An entire class of apps could be rendered safe by disallowing network access,
especially the ones that do work offline, but are keen to phone home.

~~~
ignoramous
This has been possible since Android 8, if not before. You could, per app,
from the _App Info_ page:

1. Disallow bg internet access.

2. Disallow fg internet access over wifi.

3. Disallow fg internet access over mobile network.

I've been building an app that exposes privacy features like bouncing
permissions when apps are in bg (remember AppOps?), firewalling apps by
disallowing data usage, setting DNS over TLS to servers that blackhole ads and
trackers, show log of network activity, kill bg processes and activities and
so on. Hopefully, would be done in a month or so.

You could do all of the above, today, but mostly, manually, by navigating
through nested menus and what-not.

Android 10 would make some parts of what I'm building obsolete, and that's a
good thing.

~~~
Someone1234
I have a Pixel 3 with the latest retail release (Android 9/August 1, 2019). I
cannot do any of the things you described for any apps via the App Info page.

I have permissions sliders for Camera, Contacts, Location, Microphone, Phone,
and Storage. None at all for internet access or any specific network.

The permissions you list don't appear to be part of Android (8 or otherwise)
and are likely after-market extensions in your phone's ROM.

~~~
hnburnsy
You don't see it under apps & notifications -> data usage control?

~~~
grawprog
I have two options on Android 9 on a Motorola G7: background data usage and
unrestricted data usage. One allows or disallows background data usage, the
other allows full access to data when data saver mode is on. When I go to show
all permissions it shows me which apps have full network access but does not
allow me the option to toggle it.

~~~
hnburnsy
I see from another comment this is from my phone manufacturer, OnePlus; thanks
to them for that.

------
izacus
This headline is grossly misleading - Android 10 has fixed those 193
vulnerabilities. The title as it is, implies they still need to be fixed.

This kind of content is usually never worded like this for other products, can
the moderators fix it?

~~~
jm4
Another crap Forbes contributor article. The fix is to ban these posts. These
articles have basically zero credibility because they are written by ordinary
dopes who pay to have their blogs published on forbes.com. There is no fact
checking, no verification of the author’s background and expertise, nothing.
You pay and get published and people get the impression it’s “news” because of
the Forbes name.

~~~
discreditable
Forbes articles are pretty clickbait. I blocked them in Google News because
their headlines are bonkers. It's always a formula like

Microsoft issues update warning to 10 gorillion PCs (some super minor problem
in the last patch cycle)

10 bazillion Android phones have spyware (some malware app was removed from
the play store)

------
saagarjha
> Google will now require developers to use resettable identifiers to keep
> track of users. That way, if these digital fingerprints are ever
> compromised, or if you want to wipe your digital slate clean, there's a
> mechanism to do that.

Does this mean device fingerprinting will no longer be allowed?

~~~
cameronbrown
It's very difficult to prevent fingerprinting. Google's had the Android
advertising ID for ages (which is a unique user resettable identifier) but
it's entirely possible to ignore it. I'm not sure if Admob does allow you to
set your own custom IDs with your own fingerprinting, but preventing that
would go a long way.

------
kinow
> The top changes include "scoped storage" to give users more control over
> files by only allowing Android 10 apps a filtered view of their app-specific
> directory and specific types of media.

A great change. I don't mind having to spend some time going over each time,
making sure the right settings are in place for security and privacy.

The other changes for location and camera access by apps are good too. Just
hope the update will include my old-ish device.

------
panpanna
Seriously, why is this news?

Android 10 is still being worked on, if it was ready it would have been
released.

------
xchaotic
Google fixing vulnerabilities even before the release can only be good news,
but one does have to wonder why a whole class of such vulnerabilities are
even allowed after so many releases?

~~~
saagarjha
Because software has bugs?

------
kerng
Google refuses to do something about arbitrary network connections, most
likely due to their ads business model. Their ads require network connections
to work!

------
ezequiel-garzon
Do previous Android versions have these vulnerabilities?

~~~
tssva
The headline is misleading. These vulnerabilities are not in Android 10 but
are fixed by Android 10. Which of course means they exist in versions prior to
Android 10. Google provides security updates for prior versions so what is not
clear from the article is whether these are only fixed by upgrading to Android
10 or whether they were identified during the Android 10 development process
but fixes will also be available for prior versions.

~~~
hn_throwaway_99
> These vulnerabilities are not in Android 10 but are fixed by Android 10.
> Which of course means they exist in versions prior to Android 10.

That's not accurate. Android 10 is still in beta, so many of these
vulnerabilities (just like many other bugs you'll see in a beta) are likely
new to Android 10, and will be fixed before the final release.

------
surak
We can still not sandbox apps access to data by default. Numerous academic
projects have shown how this can be implemented, e.g. by fudging data when
details are not needed. Also, in order to get these security fixes I have to
buy a new device from one of their partners. Google has failed society by
advancing surveillance capitalism to the extreme.

~~~
panpanna
I don't think you have really used Android lately.

1. Google has added API to access resources without getting full
unconditional access

2. They are enforcing use of correct APIs on their store

3. Most of the system is now updated from the store. This is significantly
faster than any of their competitors

4. Most vendors are now providing timely security updates. Some even have an
Enterprise program with 4-5 years of updates.

~~~
surak
I use it every day. Regarding P1, if an app asks for permission access to e.g.
images or location, and you use the app, how would you limit what the app can
send home or even review it? See discussion in the other comments if you're
not an Android developer.

~~~
vetinari
Since Android v1, it offers APIs (intents) for picking items belonging to
other apps or doing an action on behalf of other apps.

Applications do not need access to gallery; they can ask the gallery to let
the user pick the pictures he wants to work with; the app does not need the
access to camera, it can ask the default camera app to let the user make the
photo and get the result. The app does not need access to telephony; it can
ask dialer to dial a number on its behalf. Etc, etc.

The developers didn't use these APIs because users were asking for iOS style
integrations, where any app does everything for itself, instead of using
system components. So they got it.
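
The intent-based delegation described in the comment above, as an added example that is not part of the thread or any commenter's code: a hypothetical `DelegatingActivity` whose manifest is assumed to request no storage, camera or telephony permission, using the standard `ACTION_GET_CONTENT`, `ACTION_IMAGE_CAPTURE` and `ACTION_DIAL` intents. The class name, request codes and log tag are constructed for illustration.

```java
import android.app.Activity;
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.graphics.Bitmap;
import android.net.Uri;
import android.os.Bundle;
import android.provider.MediaStore;
import android.util.Log;
import java.io.IOException;
import java.io.InputStream;

// Hypothetical activity. Its manifest requests no storage, CAMERA or CALL_PHONE permission.
public class DelegatingActivity extends Activity {
    private static final int REQ_PICK = 1, REQ_PHOTO = 2; // constructed request codes

    void pickImage() { // the system picker returns a URI grant for the chosen file only
        Intent i = new Intent(Intent.ACTION_GET_CONTENT).addCategory(Intent.CATEGORY_OPENABLE);
        i.setType("image/*");
        launch(i, REQ_PICK);
    }

    void takePhoto() { // the default camera app captures; this app never opens the camera
        launch(new Intent(MediaStore.ACTION_IMAGE_CAPTURE), REQ_PHOTO);
    }

    void dial(String number) { // opens the dialer pre-filled; the user places the call
        launch(new Intent(Intent.ACTION_DIAL, Uri.fromParts("tel", number, null)), 0);
    }

    private void launch(Intent i, int req) {
        try { startActivityForResult(i, req); }
        catch (ActivityNotFoundException e) { Log.w("Delegating", "no handler for " + i.getAction()); }
    }

    @Override
    protected void onActivityResult(int req, int result, Intent data) {
        super.onActivityResult(req, result, data);
        if (result != RESULT_OK || data == null) return; // user cancelled or nothing returned
        if (req == REQ_PICK && data.getData() != null) {
            try (InputStream in = getContentResolver().openInputStream(data.getData())) {
                Log.i("Delegating", "picked image, first byte " + (in == null ? -1 : in.read()));
            } catch (IOException e) { Log.w("Delegating", "cannot read picked image", e); }
        } else if (req == REQ_PHOTO) {
            Bundle extras = data.getExtras(); // small thumbnail when no EXTRA_OUTPUT is set
            Bitmap thumb = extras == null ? null : (Bitmap) extras.get("data");
            if (thumb != null) Log.i("Delegating", "photo " + thumb.getWidth() + "x" + thumb.getHeight());
        }
    }
}
```

If the manifest does declare `CAMERA` and the user has not granted it, `ACTION_IMAGE_CAPTURE` fails with a `SecurityException`, so the delegation pattern works best when the permission is not declared at all.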

------
close04
Google is really doubling down on privacy right on the heels of repeated
scandals. Wonder if it will last longer than customers' memory of said scandals
before they go back to the business model that brings them the money.

~~~
WilTimSon
As long as we get to reap the benefits at least for a bit - I'm happy. Plus, I
always find that a bad company/product trying to do better often spurs on
superior competitors. WhatsApp has been rubbish for a while now and so better
messengers like Wire, Telegram, Signal etc. have appeared. Maybe someone will
use Google's new privacy-related advances to improve their service as well.

------
microcolonel
The move to a joyless, bland release naming scheme in order to appease a
perceived mass of illiterate rubes who somehow care about their Android
version but can't read past the name of a dessert...

To me it is another signal of the erasure of cultural flavour at the company;
the pivot to a base, power-chasing, stifling corporatist death march toward
nowhere of interest.

