Re: [tbb-dev] So, about the Linux sandbox in the long term?

On Tue, May 30, 2017, at 02:51 PM, Hans-Christoph Steiner wrote:
However, we could download a new tor binary, or PTs on demand, at least in the current configuration, since those are just command-line executables we unpack and store in data. You can execute binaries from within /data - you just need to chmod them first. It is only /sdcard where that is not allowed. I think you can also download shared libraries anywhere, and just load them via System.load() with an arbitrary path. I do agree there is benefit in keeping the tor process in a sandbox isolated from the browser process. This has been the discussion we have been having around a core "Tor Network Services" APK, that would be essentially an invisible dependency much like Google Play Services.

+n
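The unpack-chmod-exec and System.load() pattern described above, as an added example; this is not code from the thread, from Tor Browser or from Orbot. It assumes an Android app Context, a binary the app has already downloaded to a temporary file, and a pinned SHA-256 digest for it (the file name and digest are assumptions). The digest check is the part a practitioner would insist on: a downloaded binary is only made executable, and a downloaded .so is only loaded, after it matches a known-good build. One caveat on the "you just need to chmod them first" step: the restriction Nick Kralevich is quoted as wanting did ship later, in Android 10 (API 29), where apps targeting that level can no longer exec() files in their own writable data directory; executables in the APK's native library directory are still allowed, which is why later builds ship tor there instead.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import android.content.Context;

/**
 * Added example, not code from the tbb-dev thread, Tor Browser or Orbot.
 * Assumes an Android Context and a binary (tor or a PT) already fetched into
 * a temporary file; the name and the expected digest are assumptions.
 */
public final class PrivateDirExec {

    private PrivateDirExec() {}

    /** Hex-encoded SHA-256 of a file, used to pin a download to a known-good build. */
    public static String sha256Hex(File f) throws IOException {
        MessageDigest md;
        try {
            md = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new IOException("SHA-256 unavailable", e);
        }
        byte[] buf = new byte[8192];
        try (InputStream in = new FileInputStream(f)) {
            int n;
            while ((n = in.read(buf)) > 0) {
                md.update(buf, 0, n);
            }
        }
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest()) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Constant-time comparison of two hex digests. */
    private static boolean digestMatches(String actualHex, String expectedHex) {
        return MessageDigest.isEqual(actualHex.getBytes(StandardCharsets.UTF_8),
                                     expectedHex.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Copy a downloaded binary into the app-private files dir
     * (/data/data/<pkg>/files) and mark it owner-executable. Refuses to
     * install anything whose digest does not match the pinned value, so a
     * tampered download never becomes executable.
     */
    public static File installExecutable(Context ctx, File downloaded, String name,
                                         String expectedSha256Hex) throws IOException {
        if (!digestMatches(sha256Hex(downloaded), expectedSha256Hex)) {
            throw new IOException("digest mismatch for " + name);
        }
        File target = new File(ctx.getFilesDir(), name);
        try (InputStream in = new FileInputStream(downloaded);
             OutputStream out = new FileOutputStream(target)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) {
                out.write(buf, 0, n);
            }
        }
        // chmod 700: clear the "everyone" bits first, then grant owner-only
        // r/w/x, so other UIDs on the device cannot read or run the file.
        boolean ok = target.setReadable(false, false) && target.setReadable(true, true)
                && target.setWritable(false, false) && target.setWritable(true, true)
                && target.setExecutable(false, false) && target.setExecutable(true, true);
        if (!ok) {
            throw new IOException("could not set 0700 on " + target);
        }
        return target;
    }

    /** Start the installed binary directly (no shell) with a fixed argument list. */
    public static Process launch(File bin, String... args) throws IOException {
        List<String> cmd = new ArrayList<>();
        cmd.add(bin.getAbsolutePath());
        cmd.addAll(Arrays.asList(args));
        ProcessBuilder pb = new ProcessBuilder(cmd);
        pb.directory(bin.getParentFile());
        pb.redirectErrorStream(true); // merge stderr so one reader drains both
        return pb.start();
    }

    /**
     * Load a shared library from an arbitrary absolute path. System.load takes
     * a full path, unlike System.loadLibrary, which only searches the APK's
     * own lib directories. Native code runs in-process, so verify first.
     */
    public static void loadSharedObject(File so, String expectedSha256Hex) throws IOException {
        if (!digestMatches(sha256Hex(so), expectedSha256Hex)) {
            throw new IOException("digest mismatch for " + so);
        }
        System.load(so.getAbsolutePath());
    }
}
```

Usage is the obvious sequence: installExecutable(ctx, tmpFile, "tor", PINNED_DIGEST), then launch(bin, "-f", torrcPath) and drain the process's InputStream. The digest has to come from somewhere the attacker of the download channel cannot reach (shipped in the APK, or signed), otherwise the check adds nothing.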

Nathan Freitas:
I chatted in person with Nick Kralevich, head of Android platform security, about this. He really wants to disallow execution of anything from where apps can write. He said they had it working already. Perhaps this is in Android O. I haven't looked. They might have backed down on this one, and not included it yet. In any case, given that the Android security team really doesn't like it when apps download code and run it, I don't think it's a good approach for TBB/Android. I heard that Google sees this often used in malware.

.hc

-- 
PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
participants (2)
- Hans-Christoph Steiner
- Nathan Freitas