

Saurik releases Substrate for Android - tar
http://www.cydiasubstrate.com/

======
StavrosK
This is probably completely off-topic, but could this be used to create the
ability to deny permissions to applications? As a privacy-sensitive person, I
would like to prevent some applications from receiving certain permissions,
while still using them (for example, why should a game have access to my
contacts?), but Android doesn't provide that functionality.

Would this be possible/viable with this framework? I might give it a shot, if
so.

~~~
apendleton
Not answering your question, but applications for Android are generally
written with the assumption that they have whatever permissions they requested
at install time, and may behave unpredictably if calls to things that are
supposed to have already been authorized raise exceptions. I would expect that
if you managed to do this, lots of applications would crash.

~~~
StavrosK
I'm pretty sure you could fake most permissions convincingly. After all, how
is an app to know that that empty contact list or those GPS coordinates on the
top of mount Everest aren't actually real?

~~~
yareally
There's been a few mods out on xda for at least a year or two that let you
fake most permissions per app so the app would think it was getting legit data
and not just blindly crash if it was denied the data totally. I think one was
built into MIUI and could also be used standalone. The other one I can't
recall the name, but if I think of it I will edit my post in a bit. Both had
their source out though so you could mod them.

Cyanogenmod 7 tried to totally deny permissions for apps and it was not a good
idea. It resulted in apps crashing a lot. Also the reason they didn't continue
to do it in Cyanogenmod 9 and 10. Faking permissions is definitely the way to
go though.

edit: pdroid was the other (<http://forum.xda-
developers.com/showthread.php?t=1357056>)

~~~
616c
Pdroid is fantastic. I waste time patching my ROM every time I need to upgrade
with that tool. The amount of information you can disable or manipulate to
hand to app providers is amazing.

I think Android would have much better cred in the geek community if this was
standard, but the legal and business hoops it jumps around and out of make it
a pipe dream. I will say when I meet Infosec guys in my area and show them
that app, even the iPhone guys are impressed and want to know how to get it if
they got Android phones.

~~~
StavrosK
What legal and business hoops are you talking about? I can't see any legal
problem with Android letting me disable my own permissions...

------
randallu
Looks a lot like XposedFramework:

[https://github.com/rovo89/XposedBridge/wiki/Development-
tuto...](https://github.com/rovo89/XposedBridge/wiki/Development-tutorial)

Xposed has allowed me to iterate much more rapidly on framework tweaks, and
also keep them much cleaner (since now I just have the "hooks" instead of
directly changing Android framework). Also, I can run on more devices because
I don't have to replace some framework JAR which the vendor tweaked
substantially.

~~~
britta
saurik wrote a comparison of Xposed and Substrate that may be interesting to
you:
[http://www.cydiasubstrate.com/id/34058d37-3198-414f-a696-73e...](http://www.cydiasubstrate.com/id/34058d37-3198-414f-a696-73e97e0a80db/)

> _That said, at some level the libraries are fairly similar: the core
> mechanism by which a method is hooked in Xposed (swapping it out for a JNI
> implementation) is actually the same one that I described in the talk I gave
> on Substrate at a conference called Android Open in 2011. The result is that
> there are some similarities in the functionality offered by the two
> frameworks._

> _Thankfully, Substrate's injection mechanism does not conflict with the one
> used by Xposed: therefore, if users or developers would like to have both
> frameworks installed, that is actually possible. There are some places where
> the two libraries "disagree" (such as Xposed totally removing the Java
> security model that Substrate preserves), but the resulting behavior is
> harmless._

------
hayksaakian
Upon further reading, I noticed the true purpose of this seemingly allows apps
to extend outside their sandbox and violate the intent model in terms of how
they interact.

Not sure why this is a GOOD idea though...

\----- original:

As someone with a rooted galaxy nexus on cm10.1, why is this of interest to
me?

I understood that cydia was an app store alternative that only could exist on
rooted/jailbroken iOS. Android has no such restrictions about app stores; what
value does this actually add?

This is based on reading every word of the linked to page...

~~~
britta
For an example of what Substrate can do, saurik also released Winterboard for
Android today
([https://play.google.com/store/apps/details?id=com.saurik.win...](https://play.google.com/store/apps/details?id=com.saurik.winterboard)):

> _WinterBoard is a "theme engine" that allows you to use the numerous themes
> you may find in the Google Play Store on your device without having to
> install custom ROMs or use custom launchers. It allows you to use almost any
> launcher icon theme with your stock launcher and supports "Theme Chooser"
> themes without CyanogenMod._

Winterboard is for customizing graphics with more flexibility; it's not
messing with how apps work.

You could also imagine people developing a collection of Substrate extensions
that each implement a specific launcher customization, so that you can build
up your desired set of customizations one-by-one instead of trying to choose
between several launchers that each have parts of what you want.

------
anonyfuss
No. No no no no no no.

There's nothing wrong with hacks. There's nothing wrong with runtime patching.
If you know what you're doing, then you know why you shouldn't do it, and thus
you're well equipped to do it anyway.

There _IS_ something wrong with bundling up hacks and runtime patches into a
simple user-friendly installer that leads users to believe that they will work
and are safe. When the hacks fail (and they will), it happens in ways that
leave users confused, frustrated, and blaming us -- the developers of the
applications that your hacks crash.

Bug reports from people who use Mobile Substrate are a _massive waste of time
and user goodwill_. They pollute our crash reporting system, they make users
think our software is broken, and they result in bad reviews in the app store.

You've just made life more ugly for every ISV that supports Android -- and our
users -- after doing the same to us on iOS for years.

~~~
wvenable
Your app doesn't work on my jailbroken iPhone I'm not going to leave a poor
review but I will still think it reflects poorly on your software.

~~~
thefreeman
He's not just referring to a jailbroken phone. From what I gather, the main
purpose of Substrate is to allow apps to monkey patch functionality in other
apps. I can see how this could be frustrating if users report issues that are
actually caused by another app "hacking" the reported app.

~~~
wvenable
The primary purpose of jailbreaking your phone is to run tweaks that use
MobileSubstrate. I think Saurik himself has said Cydia only contains a handful
of "apps" everything else is a tweak.

Unless the author has written an app badly in need of a tweak specifically
targeting it, I doubt it's being patched directly.

