Originally Posted by Kaitain
Do you even need to have applications run with the same user ID?
An app I knocked together with no special permissions can nonetheless access the device name and state, take a picture and access the internet by simply starting the intents of applications that have those permissions and haven't imposed any per-activity restrictions.
Indeed - that is an issue and will probably continue to be an issue for some time given that many developers fail to check who's invoked the activity.
However, one manufacturer (HTC) has already set up their devices with a number of the manufacturer's apps running as the same user ID, which, of course, means they inherit the superset of permissions. HTC had also set up the web browser so that it could install FlashLitePlayer. To do this required the browser to have the INSTALL_PACKAGES permission, which means it can install apps silently. This was Android 2.1, but I've no idea where they are now. The choices a manufacturer makes can significantly impact the security of the device far beyond what you might have expected.
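
An added example (not part of either post above, and not code from any vendor): a Python audit of a decoded AndroidManifest.xml for the three conditions raised in this thread, namely a shared user ID, a request for INSTALL_PACKAGES, and exported activities that impose no permission on the caller. The manifest and its `com.example.vendor` names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not taken from any real app or device).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vendor.camera"
    android:sharedUserId="com.example.vendor.shared">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <application>
    <activity android:name=".CaptureActivity">
      <intent-filter>
        <action android:name="com.example.vendor.camera.CAPTURE"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <activity android:name=".ShareActivity" android:exported="true"
        android:permission="com.example.vendor.permission.SHARE"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return a list of (kind, detail) findings for one decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    shared = root.get(ANDROID + "sharedUserId")
    if shared:  # every package sharing this UID pools its permissions
        findings.append(("shared-uid", shared))
    held = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    if "android.permission.INSTALL_PACKAGES" in held:
        findings.append(("silent-install", "android.permission.INSTALL_PACKAGES"))
    app = root.find("application")
    app_perm = app.get(ANDROID + "permission") if app is not None else None
    for act in root.iter("activity"):
        exported = act.get(ANDROID + "exported")
        # With no explicit value, an intent-filter made an activity exported
        # by default on the Android versions discussed in the thread.
        if exported is None:
            exported = "true" if act.find("intent-filter") is not None else "false"
        if exported == "true" and not (act.get(ANDROID + "permission") or app_perm):
            findings.append(("unguarded-activity", act.get(ANDROID + "name")))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_manifest(SAMPLE_MANIFEST):
        print(kind, detail)
```

An activity flagged as unguarded may still check its caller in code, so each finding is a prompt to review that activity rather than proof of exposure.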