Access to list of apps

[akhxp]

Please add a permission for accessing list of installed application, to allow the user to choose what apps can get access to the list.

[beerisgood]

See https://www.reddit.com/r/GrapheneOS/comments/do5a8o/access_to_list_of_apps/

[thestinger]

A prerequisite to working on this is making an exhaustive list of all possible ways for an app to obtain information on which other apps are running.

[madaidan]

A prerequisite to working on this is making an exhaustive list of all possible ways for an app to obtain information on which other apps are running.

The only ways I know of are:

• /system/{,priv-}app/
• /storage/
• /mnt/sdcard/
• /mnt/asec/
• pm list packages

These are probably best fixed with a mount namespace and modifications to the package manager.

These aren't counting system binaries/libraries.

[thestinger]

What about all the APIs that leak this as part of what they do?

[madaidan]

What about all the APIs that leak this as part of what they do?

I'd assume pm list packages uses those APIs so fixing that would require fixing those APIs.

If not, then there's https://developer.android.com/reference/android/content/pm/PackageManager.html#getInstalledApplications(int) but I'm not sure what else.

[thestinger]

Many apps explicitly expose various APIs to other apps and can be enumerated through those, among other approaches. At a minimum, apps almost always have an exported launcher activity. I don't really see how apps within a profile can be hidden from each other without major changes. Hiding apps from each other nearly implies using a separate profile for each app and preventing them from communicating at all.

[thestinger]

I'm sure there are plenty of system APIs providing this information too, and I don't just mean APIs designed to directly provide the information.

It's not useful to prevent directly getting a list of installed applications without preventing detecting which applications are installed, so this specific feature request has to be rejected. It would have to be part of a larger, much more comprehensive feature preventing apps from finding other apps. That implies outright preventing communication with non-system components which is a much different approach to applications and rules out a lot of things.

A very common mistake is making a feature request based on how you think something should be done based on assumptions about how things work. Feature requests should generally be about a privacy or security outcome rather than how to get there, unless you're already very familiar with how things work. The request should be for preventing apps from discovering which apps are installed, since anything less than that has no privacy / security value. There's no point in disallowing access to a list while not preventing discovering which apps are installed anyway. I hope this makes sense.

[thestinger]

Closing in favour of #156.

[thestinger]

An example of the consequences for a feature truly providing this functionality as a subset of what it does: sharing across apps, opening links in a browser, etc. will only be able to directly use apps included in the base system like Vanadium. Apps have to be forbidden from seeing / communicating with any non-base-system apps or they would be able to detect them by enumerating them from a list. I don't see any other way to hide which apps are installed. It has to be part of a bigger, aggressive feature essentially running an app in a dedicated profile. It's a substantial feature and will take a fair bit of work to implement, unless someone can come up with a clever way to easily use the existing profile infrastructure. I definitely don't have time available to work on it, so it's not on the table for the near future unless people are going to step up to contribute. I wouldn't recommend something so substantial as a starting point for someone's first contributions to the project anyway.