Can Android network_security_config.xml be bypassed?

Hi, I'm developing a closed-source Android app and wondering if there are any ways to offer some guarantees about privacy.

For example, if we configure network_security_config.xml for our app to only connect to certain third party domains like OpenAI and Anthropic and block all others, is that enforced by the system, or can a malicious actor still create a custom network stack or use some other trick to bypass these restrictions?

Any android experts here who can provide a definitive answer to this?

These two permissions are very powerful and can be used to circumvent restrictions in case of malicious misuse. Accessibility service permission should only be used if it is actually used as an accessibility service, not to implement functionality it was not supposed to.

You will likely need third-party audits to build a semblance of credibility to any privacy claims.

What does the config to do this look like? From the linked documentation, it isn't clear that what you're trying to accomplish is even possible.

The `<domain-config>` in `network_security_config.xml` is mostly intended to:

  • Amend the per-app TrustAnchors (roots and/or intermediates which aren't validated themselves but are used to validate other intermediates / end entities) available in Android's default TrustStore (for PKI cert path building).
  • Restrict cert validation to a handful of pinned certs.

I’ve not looked thoroughly, but from the API surface (in AOSP code), it looks like network_security_config.xml will only apply to Android apps using the Android SDK (Java / Kotlin) and not to C/C++/<other code> that may have to be compiled with the Android NDK (this is where I’d have tagged @anon63378639… alas).
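To make the two uses described in the reply above concrete, here is an added example of a `network_security_config.xml` (written for this thread, not taken from the original poster's app or from Android's documentation). It pins two constructed domains to a pin set, adds a bundled CA as an extra trust anchor for one of them, and disables cleartext traffic globally. The domain names, the `@raw/internal_ca` resource and the pin digests are placeholders; a real pin is the base64 SHA-256 of the Subject Public Key Info of the certificate you intend to pin, and you should always ship a backup pin so a key rotation does not lock the app out.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml via
     <application android:networkSecurityConfig="@xml/network_security_config" ...> -->
<network-security-config>

    <!-- Default for every connection made through the platform TLS stack:
         no cleartext HTTP, and only the system trust store is used. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Use 1: pin the API endpoint to a known key (constructed example domain). -->
    <domain-config>
        <domain includeSubdomains="true">api.example-vendor.invalid</domain>
        <pin-set expiration="2026-12-31">
            <!-- Placeholder digests: replace with base64(SHA-256(SubjectPublicKeyInfo)) -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- Backup pin for the next key, so rotation does not break the app -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

    <!-- Use 2: add a private CA as an extra trust anchor for one internal host only
         (constructed example domain; res/raw/internal_ca is an assumed PEM/DER file). -->
    <domain-config>
        <domain includeSubdomains="false">telemetry.internal.example.invalid</domain>
        <trust-anchors>
            <certificates src="@raw/internal_ca" />
            <certificates src="system" />
        </trust-anchors>
    </domain-config>

    <!-- Only honoured in debuggable builds: lets a debug proxy CA installed by the
         user be trusted without weakening release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

Note what this file does and does not express: every element above governs how certificates are validated for the listed domains, and there is no element that forbids a connection to a domain that is not listed. That matches the earlier replies: the config hardens TLS for connections the app makes through the platform's trust machinery, and it is not an egress allow-list, so it cannot by itself back a "we only talk to these hosts" privacy claim; independent review of what the app actually sends, as suggested above, is still needed.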