Remove sharing capabilities of browser and camera applications
Suggested by user_1 in IRC
Replicant should remove support for the "share" feauture on browser and camera applications coming from upstream. Given said feature depends on contacts among other things. therefore for privacy reasons and a matter of decreasing attack surface. This "share" feature should be removed.
If "share" is to be preserved a good compromise would be to implement atestation to contacts codebase, something done in some privacy focus messaging apps, therefore main CPU will not have direct acess to said dat.
Updated by Denis 'GNUtoo' Carikli 7 months ago
- Status changed from New to Rejected
- Resolution set to invalid
As I understand the share feature enable to pass data from an application to the other and it is under user control so it's probably not worth removing in the stock Replicant images as many users probably depend on it.
For instance I often use that to send pictures to contact with Silence and I assume that other people do that too.Reducing the attack surface is however being worked on in other ways:
- Replicant >= 11 is using a kernel based on Upstream Linux, that reduces a lot the attack surface. That kernel can also boot GNU/Linux, so that makes testing easier. For instance we could probably manage to run valgrind on libsamsung-ipc way more easily than with Android. We're also adding tests in libsamsung-ipc and in other parts used by Replicant 11 whenever possible.
- Replicant 11 is also much more recent so it doesn't have huge security issues like the ones we have in Webview (the browser component of Replicant). Still Replicant 6.0 has selinux so that limits the potential damage, and Replicant 11 doesn't have selinux yet and it's not ready yet anyway.