[guardian-dev] how to make panic button API for Android Apps
Hans-Christoph Steiner
hans at guardianproject.info
Tue Apr 9 11:33:16 EDT 2013
On 04/09/2013 04:55 AM, Abel Luck wrote:
> Hans-Christoph Steiner:
>>
>>
>> On 04/08/2013 01:01 PM, Nathan of Guardian wrote:
>>> On 04/05/2013 02:35 PM, Hans of Guardian wrote:
>>>> I just had a thought for the further development of the Panic Button/In The Clear features: there should be a way for apps to advertise things that should be triggered by a central panic button. This could happen in a number of ways:
>>>> * standard panic broadcast that a central app sends, then each app has its own preferences for what that panic triggers
>>>> * each app exposes all possible panic intents to the central panic control, then the user has a centralized place to configure the entire panic behavior across apps.
>>>> Has anyone seen anything like this?
>>>
>>> It is a fantastic idea, but I am really concerned how we would
>>> authenticate or limit the panic broadcast initiation. If you use
>>> standard Android event broadcasting, seems like it would be fairly easy
>>> for a malicious app to impersonate.
>>
>> Yeah, we'd definitely need some kind of authentication process to have each
>> app opt-in and register to the central panic button. It would have to be
>> implemented as an Android Broadcast Intent. The central panic button app could
>> send Intents directly to the panic Activity on each app, based on the list the
>> user configured. Then there would be a permission set in each app to control
>> what app can call the panic Activity.
>>
>
> This is an interesting idea! Hard to do successfully for sure.
>
> The biggest hurdle is definitely going to be that initial authentication
> from "master panic button" to the client app. TOFU definitely isn't a
> good approach here. Too many ways for a malicious app to trick a client
> app.
>
> What stops a malicious app from requesting the "send panic broadcasts"
> permission? [1] Or do I not grok the broadcast+perms model fully?
>
> [1]:
> https://developer.android.com/reference/android/content/BroadcastReceiver.html#Security
Definitely still brainstorming here:
I used broadcast as a general term, not as in BroadcastReceiver. One idea for
the broadcast mechanism would be to have each app register its panic Intent
with the global Panic Button app, then the Panic Button app would call each
one individually.
The permission would be for calling the panic Intent. Maybe the global Panic
Button could check if any other apps are installed that have that permission,
as a warning/check for malware. We could make it check all the time to make
it a permission that only a single app can claim.
.hc
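To make the scheme sketched in this reply concrete, here is an added illustration of the "global Panic Button" side of it. It is example code written for this page, not code from the Guardian Project or from the In The Clear / Panic Button apps, and the action string, the permission name and the class name are assumed for the illustration. It does three things the mail describes: discovers every installed Activity that advertises the panic action, checks whether any other installed app holds the trigger permission, and fires the panic Intent explicitly at each user-enabled target rather than as an implicit broadcast any app could receive or impersonate.

```java
// Added example, not Guardian Project code. The action, permission and
// class names below are assumptions made for this illustration.
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;

import java.util.ArrayList;
import java.util.List;

public class PanicTrigger {
    // Hypothetical action string a client app would put in an <intent-filter>
    // on its panic Activity so the central app can find it.
    static final String ACTION_PANIC =
            "info.guardianproject.panic.action.TRIGGER";

    // Hypothetical permission. The central app would declare it with
    // <permission android:protectionLevel="signature"> and hold it via
    // <uses-permission>; each client app would put
    // android:permission="..." on its panic <activity>.
    static final String PERM_TRIGGER =
            "info.guardianproject.panic.permission.TRIGGER";

    /** Every installed Activity that advertises ACTION_PANIC (the "register" step). */
    static List<ResolveInfo> findPanicActivities(Context ctx) {
        Intent probe = new Intent(ACTION_PANIC);
        return ctx.getPackageManager().queryIntentActivities(probe, 0);
    }

    /**
     * The malware check from the mail: which installed packages, other than
     * this one, have been granted PERM_TRIGGER? A non-empty list is worth
     * warning the user about, since those apps could call the panic
     * Activities too.
     */
    static List<String> otherHoldersOfTriggerPermission(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        List<String> holders = new ArrayList<String>();
        for (PackageInfo pi : pm.getInstalledPackages(0)) {
            if (pi.packageName.equals(ctx.getPackageName())) {
                continue;
            }
            if (pm.checkPermission(PERM_TRIGGER, pi.packageName)
                    == PackageManager.PERMISSION_GRANTED) {
                holders.add(pi.packageName);
            }
        }
        return holders;
    }

    /**
     * Fire the panic Intent at each target the user enabled. Each Intent is
     * explicit (package + class), so only that component receives it; a
     * client app that protected its Activity with a permission we do not
     * hold makes startActivity throw SecurityException, which is swallowed
     * so the remaining targets are still triggered.
     */
    static int triggerPanic(Activity from, List<String> userEnabledPackages) {
        int triggered = 0;
        for (ResolveInfo ri : findPanicActivities(from)) {
            ActivityInfo ai = ri.activityInfo;
            if (!userEnabledPackages.contains(ai.packageName)) {
                continue;
            }
            Intent i = new Intent(ACTION_PANIC);
            i.setClassName(ai.packageName, ai.name);
            i.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            try {
                from.startActivity(i);
                triggered++;
            } catch (SecurityException e) {
                // target app did not grant us its panic permission; skip it
            }
        }
        return triggered;
    }
}
```

Two caveats on the check in otherHoldersOfTriggerPermission. If the permission is declared with protectionLevel="signature", only apps signed with the same key as the declaring app can ever be granted it, so the scan will rarely find anything and the protection comes from the signature, not the scan; with a weaker protection level the scan is the only thing that catches a second holder. Also, on older Android releases the first installed app to declare a given permission name owns its definition, so the central app should be the one declaring it and should verify on startup that the definition it sees is its own (PackageManager.getPermissionInfo reports the owning package).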