> You just added a bunch of layers to the architecture for no reason
The sandbox doesn't do the isolation that docker can. It uses user isolation like I mentioned. The difference is that Binder is Java on top of the kernel, while docker is isolating from the kernel itself.
Without access to the service, it is impossible, sans kernel exploit, to escape the permissions jail, or even to tell whether you are in a permissions jail if someone gives your app fake contact information by routing it to a different service.
Docker isn't perfect. It had a serious CVE recently. I'm certainly not saying it is absolutely better. I'm just saying that I think they are fundamentally different and that process level isolation is superior to user level isolation.