On Aug 13, 2011, at 9:16 AM, [email protected] wrote:

> Sure the middleware would be interesting, but only if every user can
> use it, not only experienced ones with rooted devices. And even if it
> would exist it wouldn't be enough since, for instance, as an app
> developer I could declare, in the manifest, only accessing «
> google.com » domain, but still I could send user's personal data to me
> through google mail service for example (supposing gmail is accessible
> through google.com without redirections, I'm not sure). Only the whole
> URL pattern would be relevant.

It's worse than that. You can POST radically different parameters to the same 
URL and get very different effects.

...So then you'd want to have rules for evaluating POST bodies, and make them 
site- or URL-specific, and keep them up to date, and so on. You'd end up with a 
WAF in the Android, and it would be worse than AV.

That is why this feature doesn't exist: it can't.

In fact, I doubt the meaningfulness of the INTERNET Permission, as coarse as it 
is.

-- 
You received this message because you are subscribed to the Google Groups 
"Android Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/android-security-discuss?hl=en.
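
The limitation discussed in this message, as an added example that is not part of the original email: a declared-destination policy evaluated at host and URL-pattern granularity gives the same verdict for two POSTs to the same URL that differ only in their bodies. The rule lists, function names and sample requests are constructed for illustration; Android has no such manifest declaration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Hypothetical declarations: Android has no manifest field like this.
ALLOWED_HOSTS = ["example.com"]
ALLOWED_URLS = ["https://example.com/api/*"]

# Constructed sample requests: (method, url, body).
SEARCH = ("POST", "https://example.com/api/submit", "action=search&q=weather")
UPLOAD = ("POST", "https://example.com/api/submit",
          "action=upload&contacts=alice%2Cbob")
OTHER = ("POST", "https://tracker.example.net/collect", "id=1")

LEVELS = ("host", "url", "body")

def view(request, level):
    """Return the part of a request that a policy at `level` can inspect."""
    method, url, body = request
    p = urlsplit(url)
    if level == "host":
        return (p.hostname,)
    if level == "url":
        return (p.scheme, p.hostname, p.path)
    return (method, p.scheme, p.hostname, p.path, body)

def allowed(request, level):
    """Evaluate the declared host or URL-pattern rules against a request."""
    seen = view(request, level)
    if level == "host":
        host = seen[0] or ""
        return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)
    if level == "url":
        scheme, host, path = seen
        return any(fnmatchcase(f"{scheme}://{host}{path}", pat)
                   for pat in ALLOWED_URLS)
    raise ValueError("body rules would have to be written per site and per URL")

def coarsest_separating_level(a, b):
    """Coarsest level at which any rule set could treat a and b differently."""
    for level in LEVELS:
        if view(a, level) != view(b, level):
            return level
    return None

if __name__ == "__main__":
    for name, req in (("search", SEARCH), ("upload", UPLOAD), ("other", OTHER)):
        print(name, {lvl: allowed(req, lvl) for lvl in ("host", "url")})
    print("search vs upload differ only at:", coarsest_separating_level(SEARCH, UPLOAD))
```

Because `view` returns identical tuples for the two `example.com` requests at both the host and URL levels, no rule list at those granularities can allow one and deny the other.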
