
A personally fascinating situation that doesn’t get talked about much:

1. App is sandboxed, and has to ask for access to every bit of your information (photos, contacts, etc)

2. App asks at a time when it seems reasonable (I’m taking a photo and need to save it)

3. Now app has the ability to exfiltrate everything you just gave it access to (like all photos), and it now has that ability (in the majority of cases) without on-device oversight

There's been talk about having the file picker dialog reside outside the specific app sandbox, and the app only receiving (revocable) capability to act on whatever the user authorized.

That is, on file save the app would be handed essentially an open, writable and closeable, file descriptor -- the app might not even know the name of the file it's writing to.

On file open, the app might be handed an open, read-only, file descriptor.

Making such a mechanism usable for both the end user and the app developer gets complicated for sure, but the idea of not just permanently allowing "read+write ~/Photos forever" is definitely out there.


I support that kind of thinking! Thank you for exposing me to it.


This is related to the powerbox pattern in object capability systems, which might be of interest if you like these ideas: http://wiki.c2.com/?PowerBox


Right, so there are a few layers to this, and lots of them involve the system not following the principle of least authority. For example:

- If you're just taking a photo and need to save it, why does the app need access to all your photos? Surely an append-only capability would be sufficient.

- This depends on the app, but if you're just taking a photo why does the app need internet access? If the app is a typical camera app, it sure doesn't - you might often want to pass the data to an app that does (via e.g. a share sheet) but in general the camera app itself has no need to reach out to the internet. (And if it does, does it really need to be unrestricted access to the internet?)

- Why is it so easy for apps to request access to everything and so hard for the user to say "no, actually you only get to see this"? (iOS has been improving this lately but it's still a pretty rare feature.)

But yes also as you allude to, it's not obvious to the user what access a program has after it's been granted.
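As an added illustration of the two points above (the earlier comment's "hand the app an open file descriptor instead of a path", and this comment's "an append-only capability would be sufficient for saving a photo"), here is a small Python sketch of the powerbox pattern. It is example code written for this page, not code from any commenter or from iOS: the `Powerbox` class, the `app_*` functions, the temp directory and the `IMG_0001.jpg` / `JPEGDATA` contents are all constructed for the demo.

```python
import io
import os
import tempfile

# Constructed demo of the powerbox idea: a trusted broker owns the file paths
# and hands the sandboxed app only an already-open descriptor with the
# narrowest mode that fits the user's action. All names here are made up.


class Powerbox:
    """Trusted, non-sandboxed component that turns a user's choice in a
    file picker into a narrow, revocable file capability."""

    def __init__(self, library_dir):
        self.library_dir = library_dir   # the app never learns this path
        self._grants = []                # every handle issued, for revocation

    def _issue(self, name, flags, mode):
        # Open on the app's behalf. os.fdopen returns an object whose .name is
        # just the descriptor number, so the path never leaves the broker.
        fd = os.open(os.path.join(self.library_dir, name), flags, 0o600)
        handle = os.fdopen(fd, mode)
        self._grants.append(handle)
        return handle

    def grant_read(self, name):
        """User picked one photo to share: read-only, that file only."""
        return self._issue(name, os.O_RDONLY, "rb")

    def grant_append(self, name):
        """User took a photo to save: append-only, cannot read it back."""
        return self._issue(name, os.O_WRONLY | os.O_APPEND | os.O_CREAT, "ab")

    def revoke_all(self):
        """Close every issued handle; the app's references go dead at once."""
        for h in self._grants:
            h.close()
        self._grants.clear()


# --- the "app" side: receives capabilities, never paths ----------------------

def app_save_photo(sink, jpeg_bytes):
    """Append new data, then try the two things an over-privileged app could
    do with a path: read the library back, and overwrite existing bytes."""
    sink.write(jpeg_bytes)
    sink.flush()
    try:
        sink.read()
        read_blocked = False
    except io.UnsupportedOperation:     # write-only handle: kernel says no
        read_blocked = True
    # With O_APPEND the kernel ignores the offset: seek(0) + write still
    # lands at the end of the file (checked by the broker in demo()).
    sink.seek(0)
    sink.write(b"OVERWRITE?")
    sink.flush()
    return {"read_blocked": read_blocked}


def app_share_photo(source):
    """Read the one picked photo; any write attempt must fail."""
    data = source.read()
    try:
        source.write(b"tamper")
        write_blocked = False
    except io.UnsupportedOperation:     # read-only handle
        write_blocked = True
    return data, write_blocked


def demo():
    """Run the whole exchange in a temp directory; returns observations."""
    with tempfile.TemporaryDirectory() as lib:
        box = Powerbox(lib)
        result = {}

        # 1. "Save the photo I just took": append-only capability.
        sink = box.grant_append("IMG_0001.jpg")
        result["handle_name_is_fd"] = isinstance(sink.name, int)
        result["read_blocked"] = app_save_photo(sink, b"JPEGDATA")["read_blocked"]

        # 2. "Share this photo": read-only capability to that one file.
        src = box.grant_read("IMG_0001.jpg")
        result["shared_bytes"], result["write_blocked"] = app_share_photo(src)

        # 3. User is done: broker revokes, and the app's handle is useless.
        box.revoke_all()
        try:
            src.read()
            result["revoked"] = False
        except ValueError:               # I/O on a closed file
            result["revoked"] = True

        # Broker-side ground truth: the seek(0) write did not clobber the start.
        with open(os.path.join(lib, "IMG_0001.jpg"), "rb") as f:
            result["final_contents"] = f.read()
        return result


if __name__ == "__main__":
    print(demo())
```

The restrictions shown here are enforced by the kernel on the descriptor's open flags, not by the Python objects, which is what makes the pattern interesting: even a compromised app holding an append-only descriptor cannot read through it. What a single-process script cannot show is the sandbox itself (nothing stops in-process code from calling `os.open` directly), so a real deployment puts the broker in its own process and passes descriptors over a Unix socket with `SCM_RIGHTS`; note also that `O_APPEND` prevents overwriting but not `ftruncate`, so a broker wanting strict append-only semantics would additionally block truncation.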


The latest iOS lets you grant access to only a limited subset of photos (and I believe separates that from write access). It's still annoying enough that you'll eventually grant access to everything though (i.e. the second time you use the photo picker it doesn't re-prompt for permissions, it just shows the one photo you already granted access to).


That photo picker scenario is definitely no good!

