Run Android Apps In Sandbox For Privacy [With Island]

While Whatsappocalypse continues to grow at a rapid pace I’ve decided to take it to the next level and help you pay attention to a different aspect of mobile privacy. Many apps we’re using are collecting information about our devices and what’s in them. This might sound less creepy than WhatsApp spying on your chat but I can assure you it is not in the slightest way less important. I am talking about location, installed applications, device name, device model, etc. It might not feel very important but how would you feel if someone grabs your phone and views a list of installed applications, photos, downloaded files, and whatnot. But there is an option like Run Android Apps In Sandbox!

Run Android Apps In Sandbox

I was always thinking about if there’s a way to run all of these applications separately without giving more access than they absolutely need to operate. After I duck it a little, I’ve come up with some articles about Island which is actually an app that allows you to run multiple instances of an application on the same device. (Normally Android doesn’t allow you to install two apps with the same package name) To do this they run applications in sandboxes which also allows them to run separately from your real Android OS. Wonderful isn’t it? This means while running an app can not access my files, installed apps because it’s actually thinking it’s on another app created by Island. It’s running on an island!

Does this mean it’s safe?

Well of course we can’t know without trying. So I’ve created a basic Android project that prints all the apps installed in the device to the screen. It’s just a simple app with one main activity. (You can view the project by clicking here.)

@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_main);

    Log.e("CAGDAS", "sdk version: " + android.os.Build.VERSION.SDK);
    Log.e("CAGDAS", "device: " + android.os.Build.DEVICE);
    Log.e("CAGDAS", "model: " + android.os.Build.MODEL);
    Log.e("CAGDAS", "product: " + android.os.Build.PRODUCT);

    PackageManager pm = getPackageManager();
    List<ApplicationInfo> packages = pm
            .getInstalledApplications(PackageManager.GET_META_DATA);
    Log.e("CAGDAS", "packages: " + packages.toString());

    TextView textField = findViewById(R.id.textField);
    textField.setText(packages.toString());
    TextView appCount = findViewById(R.id.AppCount);
    appCount.setText("Installed app count:" + packages.size());
}

After installing the app to my device I ran it both directly on the device and in a sandbox. As I was expecting, it really can’t retrieve all the apps. It displayed 348 apps on my main operating system but 216 in the sandbox.

As you can see from the screenshots above it really can’t access the device’s main operating system. But unfortunately, it can access the real information about your device’s SDK version and model. Here are some logs retrieved from Logcat over ADB:

com.cagdasalagoz.securitytestapp E/CAGDAS: device model: LG-H860
com.cagdasalagoz.securitytestapp E/CAGDAS: device sdk version: 26
com.cagdasalagoz.securitytestapp E/CAGDAS: device: h1
com.cagdasalagoz.securitytestapp E/CAGDAS: model: LG-H860
com.cagdasalagoz.securitytestapp E/CAGDAS: product: h1_global_com

This might be related to how it creates sandboxes. Since the sand-boxing they’ve implemented depends on profiles, apps running in sandbox actually runs on work profile. You can see it on the upper right corner of my screenshots, one of them folder bag icon.

I also did some tests with other apps like GPS Test. It did access the real GPS after asking for permission. So there’s no sensor faking feature. However, the directory browser was not able to access my files in the internal storage! The original browser and the sandboxed one viewed different files and directories. Pretty cool! This means unless an application asks for external storage access you’re pretty much safe in the sandbox because it’s using virtual internal storage. Ten points to Griff.., Sorry Island.

Conclusion

In conclusion, this seems like a pretty good way to use apps that are spying on you. But of course, security doesn’t come with a cost. Practicing this request space on your device also you need to be wary of what you’re allowing. Because as I’ve mentioned about some of the parameters won’t be mocked and accessed directly. Still, I will give it a try! I am also thinking about blocking background requests in a way to prevent communication with the servers while the app is not in active use by the user. But that’s a topic for another post.

Leave a Reply