@Peter-Easton
Last active December 28, 2021 21:55
A hypothesized example of Interprocess Communication on Android
2021-02-26 20:40:44 @TheJollyRoger slkhgdhb3151[m]: Ah, you're talking about Inter-Process Communication?
2021-02-26 20:41:25 @TheJollyRoger So, the way Inter-Process Communication works on Android is that apps can mutually whitelist each other for interprocess communication.
2021-02-26 20:41:42 --> user1HFT37N (~user1HFT3@cpc91234-cmbg18-2-0-cust140.5-4.cable.virginm.net) has joined #grapheneos-offtopic
2021-02-26 20:41:42 @TheJollyRoger I'll go back to one of my old examples, I like retelling this story:
2021-02-26 20:41:56 @TheJollyRoger Let's say I have five apps installed in my main profile:
2021-02-26 20:42:01 slkhgdhb3151[m] <TheJollyRoger "slkhgdhb3151: Ah, you're talking"> Not sure what I am talking about! :-D Let's drop that question for now. Let me read a bit more and better understand what I read. I will be able to come back with clearer questions!! ;-)
2021-02-26 20:42:18 <-- user1HFT37N (~user1HFT3@cpc91234-cmbg18-2-0-cust140.5-4.cable.virginm.net) has quit (Remote host closed the connection)
2021-02-26 20:42:20 @TheJollyRoger Well, heh, maybe I can break this down...
2021-02-26 20:42:28 @TheJollyRoger let's say I have five apps in a profile called Alice.
2021-02-26 20:42:44 @TheJollyRoger I'll call them SecureChat, AndroMail, AndroCrypt, NSASocial, and NSAChat.
2021-02-26 20:42:51 slkhgdhb3151[m] <TheJollyRoger "Well, heh, maybe I can break thi"> If you're ok to take the time, i'm happy to read you!
2021-02-26 20:42:55 @TheJollyRoger *SecureText, AndroMail
2021-02-26 20:44:10 @TheJollyRoger We'll say SecureText is an encrypted messaging app, AndroMail is a mail client, and AndroCrypt is an encryption program. We'll say that NSASocial is an alternate reality game that allows you to take pictures of your face, and make a cartoon avatar of yourself, and NSAChat is a social networking/multiuser chat app.
2021-02-26 20:44:38 @TheJollyRoger So, sound about clear?
2021-02-26 20:44:46 slkhgdhb3151[m] yep!
2021-02-26 20:45:21 @TheJollyRoger Now, let's say that I don't want my face going to the NSA, so before I run NSASocial, I open up the app permissions and set NETWORK permission to "Deny."
2021-02-26 20:45:32 @TheJollyRoger But obviously, I can't take a picture of my face without the camera.
2021-02-26 20:46:13 @TheJollyRoger Similarly, let's say I don't want NSAChat to access the camera while I chat on it, but a multiuser chat app isn't very useful without network, so I allow it the Network permission.
2021-02-26 20:46:43 @TheJollyRoger Now... the developers of NSAChat, and the developers of NSASocial have secretly cut a deal behind my back.
2021-02-26 20:47:23 @TheJollyRoger Behind closed doors they've agreed that they will conspire to exfiltrate data and spy on users, so they whitelist each other's apps for Interprocess Communication.
2021-02-26 20:47:39 @TheJollyRoger This means that while they can't see into each other's private application data directly, they can request the other app share stuff with them.
2021-02-26 20:48:08 @TheJollyRoger So this means that let's say I took a picture of my face so I could make a cartoon portrait of myself using NSA Social, which is sharing data with NSA Chat.
2021-02-26 20:48:35 @TheJollyRoger NSASocial then passes the picture to NSAChat, which then exfiltrates it.
2021-02-26 20:48:41 @TheJollyRoger However,
2021-02-26 20:49:08 @TheJollyRoger Even though AndroMail and AndroCrypt both have whitelisted each other - AndroMail receives messages, and AndroCrypt decrypts or encrypts them -
2021-02-26 20:49:13 --> b1101 (~b1101@fsf/member/b1101) has joined #grapheneos-offtopic
2021-02-26 20:49:32 @TheJollyRoger No matter how much NSAChat and NSASocial beg and plead, AndroCrypt and AndroMail won't allow InterProcess Communication with the bad apps.
2021-02-26 20:49:47 @TheJollyRoger Not without their developers becoming complicit.
2021-02-26 20:50:08 @TheJollyRoger if SecureText has not listed *any* apps for interprocess communication, it doesn't even enter this equation.
2021-02-26 20:51:56 @TheJollyRoger Now, let's say I find out about another app, called NSASingAlong.
2021-02-26 20:52:25 @TheJollyRoger Which is an app that listens to music in the background, and when it hears a popular song on the radio, it downloads the lyrics and displays them on your phone.
2021-02-26 20:52:33 slkhgdhb3151[m] <TheJollyRoger "No matter how much NSAChat and N"> Got it! So the point amounts to: Is there a way to know which apps can communicate with which others?
2021-02-26 20:53:17 @TheJollyRoger slkhgdhb3151[m]: there is. I believe if you open up the .apks using an archive reader, you can see the contents of the manifest, but unfortunately, my knowledge ends there, I don't know which files to look at.
2021-02-26 20:53:46 @TheJollyRoger At one point, GrapheneOS planned to expose a permission for interprocess communication to the user, but that's more code the developers would need to maintain... so we'd need more hands for that.
2021-02-26 20:53:57 @TheJollyRoger So we put it in our issue tracker as an enhancement.
2021-02-26 20:54:05 @TheJollyRoger So - to continue this example...
2021-02-26 20:54:31 @TheJollyRoger Let's say that I'm kind of leery of NSASingAlong, because it has access to the microphone.
2021-02-26 20:54:38 slkhgdhb3151[m] <TheJollyRoger "So we put it in our issue tracke"> Oh, so the idea already exists? Great!
2021-02-26 20:54:44 @TheJollyRoger Yep!
2021-02-26 20:54:45 slkhgdhb3151[m] <TheJollyRoger "So - to continue this example..."> Please do! :-)
2021-02-26 20:54:54 @TheJollyRoger So I create a profile called "Bob" and install NSASingAlong into "Bob."
2021-02-26 20:56:00 @TheJollyRoger Even if I grant NSASingAlong access to the microphone, and to the network so it can do its work, even though NSAChat and NSASocial are still there on my phone, because it's in a separate profile, it can't reach NSAChat and NSASocial for interprocess communication.
2021-02-26 20:56:07 @TheJollyRoger That's very strictly forbidden by the profile functionality.
2021-02-26 20:56:38 ismellcap45[m] Smart dude
2021-02-26 20:56:39 @TheJollyRoger The profile functionality doesn't give us any "extra" sandboxing or hardening, but it does allow us to contextualize what workspaces we have where.
2021-02-26 20:57:30 @TheJollyRoger So for instance, let's say that NSASingAlong has a sister app called "NSAMyRadio" which allows you to sing along with your contacts over the phone when you hear a popular song on the radio.
2021-02-26 20:58:14 @TheJollyRoger If I install NSAMyRadio into Bob's profile, it gets access to Bob's contacts, but it won't get access to Alice's.
2021-02-26 20:58:48 @TheJollyRoger To NSAMyRadio, and NSASingAlong, as far as they're concerned, they can't enumerate NSASocial and NSAChat, because those exist in a different profile.
2021-02-26 20:58:59 @TheJollyRoger All the apps, across the different profiles, are all sandboxed the same way.
2021-02-26 20:59:33 @TheJollyRoger However, NSASingAlong and NSAMyRadio are in a separate /workspace/ and exist outside of the workspace that NSAChat, NSASocial, and AndroChat, and AndroMail, and SecureText do.
2021-02-26 21:00:04 @TheJollyRoger Even though the good app SecureText exists in the same workspace that the evil apps NSAChat and NSASocial do, those apps are still sandboxed.
2021-02-26 21:00:43 @TheJollyRoger Hope this simplifies things a little bit?
2021-02-26 21:01:14 slkhgdhb3151[m] Excellent example, thank you for that!!
2021-02-26 21:02:31 @TheJollyRoger You're welcome!
2021-02-26 21:03:29 @TheJollyRoger I like to use very obvious names for convenience, but now I'd find it hilariously ironic if the NSA actually did make an alternate reality game where you could take pictures of people's faces and make them into cartoon avatars XD
2021-02-26 21:03:31 slkhgdhb3151[m] So I guess, until the interprocess communications between apps are coded in GrapheneOS, we have no way to find out if an app is malicious?
2021-02-26 21:03:32 slkhgdhb3151[m] I mean: we can cut the "network" permission but, as in your example, that would not be efficient to prevent a leak if we don't know how the app can communicate?
2021-02-26 21:05:27 @TheJollyRoger Well... there is, I think you can unzip the app and check the manifest, but I don't actually know how to do that.
2021-02-26 21:05:29 @TheJollyRoger Not yet.
2021-02-26 21:06:03 slkhgdhb3151[m] <TheJollyRoger "Well... there is, I think you ca"> Well, yes. But that's out of my reach too!! :-)
2021-02-26 21:06:07 @TheJollyRoger Yeah X(
2021-02-26 21:07:12 @TheJollyRoger At this moment, if you're unsure of an app being malicious, you can install it into another profile. However, for some applications, Interprocess Communication is a very desirable feature; I like to use the example of AndroMail and AndroCrypt as one such example where this kind of functionality is desirable.
2021-02-26 21:08:08 @TheJollyRoger And if one of the two apps isn't opting into it, then interprocess communication is not possible.
2021-02-26 21:08:10 * slkhgdhb3151[m] sent a long message: < https://matrix.org/_matrix/media/r0/download/matrix.org/myFDRmPfYaJdwsZkrizjtLEv/message.txt >
2021-02-26 21:08:54 @TheJollyRoger Yeah... exposing the toggle for Interprocess communication will be nice, we just need to find people who can maintain the code for it.
2021-02-26 21:09:19 @TheJollyRoger Since if we don't, and the code starts to rot, it could cause breakages at best, or vulnerabilities at worst.
2021-02-26 21:09:41 <-- poisonou1 (~hydra@bras-base-otwaon234vw-grc-04-70-51-64-53.dsl.bell.ca) has quit (Ping timeout: 272 seconds)
2021-02-26 21:10:30 @TheJollyRoger But take heart: if I had NSASocial on my phone, and AndroMail, even if NSASocial listed *all the apps in the world*,
2021-02-26 21:10:42 slkhgdhb3151[m] At this moment, if you're unsure of an app being malicious, you can install it into another profile > Sure. The thing is, if I want to apply strict security measures, I would doubt each and any application until proven trustworthy.
2021-02-26 21:10:46 @TheJollyRoger *NSASocial whitelisted
2021-02-26 21:11:20 @TheJollyRoger If AndroMail, AndroCrypt, and SecureText aren't willing to become complicit in NSASocial's espionage, then NSASocial can't communicate with any of them.
2021-02-26 21:11:31 @TheJollyRoger Even if AndroMail and AndroCrypt communicate with each other.
2021-02-26 21:11:56 --> voidzzz[m] (voidzzzmat@gateway/shell/matrix.org/x-dlvcaucjrtomubeu) has joined #grapheneos-offtopic
2021-02-26 21:12:00 slkhgdhb3151[m] Yeah, the agreement needs to be bi-directional, that's a reassuring point!!
2021-02-26 21:12:04 @TheJollyRoger Yep!
2021-02-26 21:12:54 @TheJollyRoger slkhgdhb3151[m]: well, take heart! The attitude that Android's developers took with applications is still very pragmatic; the attitude there was that back then, Android's developers realized that apps would be coming from many heterogeneous, and many different sources, many of which wouldn't really be trustworthy. So Android is designed, to an extent, to distrust the apps somewhat.
2021-02-26 21:13:45 slkhgdhb3151[m] that's good news!
2021-02-26 21:14:28 @TheJollyRoger Yeah. All the apps run in their own sandboxes, it's really elegant.
2021-02-26 21:15:25 @TheJollyRoger I gotta run for a bit, but! I'll be around!
2021-02-26 21:16:13 slkhgdhb3151[m] Thanks for all your answers!!
2021-02-26 21:17:31 @TheJollyRoger Anytime!
2021-02-26 21:17:38 @TheJollyRoger That's what I be here for, me hearty! :)