Comment by zzo38computer

Comment by zzo38computer a day ago

2 replies

View on Hacker News

I think it is a problem with the design of the system (e.g. POSIX), that the permission models do not work very well, so trying to add them to a system that it does not fit, might be the problem. (In some ways, it is possible to do by a VM code, but that has its own issues.)

The other things that you mention might also be significant, although I think the problem I mentioned is also a significant reason why it is difficult to change even if you do want to improve it.

> As a programmer I dread writing any line of code that deletes files

My idea of operating system design does not have any function to delete files. You can erase the contents of a file, and you can remove all references to a file (if you can find them). If you do remove all references to the file, then the file will be deleted. However, any of these things requires a capability which can be used to modify the appropriate files; you do not automatically have the permission to do any of this. (The capability might also be a proxy capability that does copy on write so that the program's view of them can no longer see the contents and references to the file even if they are not actually modified or deleted.)

theamk 4 hours ago

No, it's not a problem with POSIX, and not even problem with Android (it can pass the number just fine).

It's a design decision of Whatsapp, because they want your full address book so that they can build a social graph and sell you more ads.

You don't need a new OS for that.

(A secondary problem is design of Android system, which allows app to know difference between "permission not granted" vs "permission granted, user has empty address book". But a change like that is fully backward compatible, Google can retrofit this at any moment)

Reply View 1 reply
  • zzo38computer 3 hours ago

    Like you mentioned, it is a design decision of Whatsapp which is a problem, but it is a problem that might be avoided if the system is designed better. Furthermore, some things might be detectable regardless of modifying the system, including timing, and also things which have to do with the instruction set itself. A design which requires the permissions even for timing and all other I/O too (I consider timing to also be I/O), would help, I think.

    Using proxy capabilities would allow you to make a "permission granted, user has empty address book" (or some subset of the data, or even made up random data) even if you do not have a empty address book, so that is what I think will be better. (Another way to do it might be to use a separate app for the address book, which does not use the address book in the system. This might work if the app cannot detect the presence of other apps.)

    Reply View 0 replies