Conversation

Notices

1. Embed this notice
   Rich Felker (dalias@hachyderm.io)'s status on Monday, 08-Sep-2025 00:00:41 JST Rich Felker

   Lazyweb, are there any modern instructions for nuking the Android share hooks apps can do?

   The thing where, when you click share, various recommendations for "share with this person on this chat platform" come up after stalling the share widget for 5 seconds.

   I don't even recall what it's called to search for it.

   But it's infuriating not just because of the delay but because it means everything you share is being exfiltrated to every installed app's hook to let it make a decision on whether it wants to offer you a recommendation.

   • Haelwenn /элвэн/ :triskell: likes this.
   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Monday, 08-Sep-2025 00:28:03 JST Rich Felker

     in reply to

     • Ben Stokman

     @benjistokman The problem I'm talking about is not a memory leak. Those exist too.

     The problem is the allowance for hooks on the share intent that let apps offer recommended specific share targets in the top section of the share widget featuring specific contacts' names etc.

   • Embed this notice
     Ben Stokman (benjistokman@mast.benstokman.me)'s status on Monday, 08-Sep-2025 00:28:05 JST Ben Stokman

     in reply to

     @dalias I don't think that's how conversations work on Android.

     Also you need to restart your phone every now and then. There's some kind of memory leak that hasn't been fixed for like 15 years.

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Monday, 08-Sep-2025 00:29:52 JST Rich Felker

     in reply to

     Oh, and I forgot the other huge privacy invasion of this anti-feature:

     It exposes a list of contacts you've recently/frequently messaged on any chat platform that supports the antifeature, even e2ee/"private" ones, to anyone shoulder-surfing when you go to share a link.

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Monday, 08-Sep-2025 00:38:52 JST Rich Felker

     in reply to

     BTW, I'm fine with solutions that require root or adb access. I would assume any solutions require something like that.

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Monday, 08-Sep-2025 00:41:57 JST Rich Felker

     in reply to

     • Travis F W
     • Ben Stokman

     @travisfw @benjistokman Those are the normal share actions. There are also fancy dynamic hooked ones that add specific contacts or similar and take a long time to load.

   • Embed this notice
     Travis F W (travisfw@fosstodon.org)'s status on Monday, 08-Sep-2025 00:41:58 JST Travis F W

     in reply to

     • Ben Stokman

     @dalias @benjistokman I always thought the share options were populated by the android system matching regular expressions taken from the manifests of those apps, not dynamically with hooks waking up every single app to do arbitrary computations potentially including saving your data. but I certainly could be wrong.

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Monday, 08-Sep-2025 02:46:23 JST Rich Felker

     in reply to

     BTW this is one reason, despite using it, that I consider LineageOS garbage.

     If you're working with the AOSP source, it would take 5 minutes to fix shit like this at the source level with a single if (false) { } around some code. Literally nobody wants this behavior. It's malicious and obnoxious.

     If you really wanted to leave it as an option, you don't even have to make a UI for it. Even a config variable that can only be set via adb/command line utilities would be fine.

     There is no excuse for having a fork of AOSP and not fixing the obvious malice.

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Monday, 08-Sep-2025 07:25:04 JST Rich Felker

     in reply to

     • Pixel Light

     @pixellight What about killing ShortcutService or doing something to block it from being able to store anything?

   • Embed this notice
     Pixel Light (pixellight@pony.social)'s status on Monday, 08-Sep-2025 07:25:06 JST Pixel Light

     in reply to

     @dalias hey, android developer here! Let me walk though what I know about share targets.

     Since android 10 the share target api has been push based, not pull based. This means apps notify the system what the targets are ahead of time, instead of when you go to share. This was primary due performance reasons, (you now don't have to wait for them to populate) but you bring up an interesting privacy aspect as well.

     Apps really should be updated to the new api, but the old one is deprecated, not removed so it's still possible some are using it. One thing you could do is modify the manifest of any offending apps. For the old api look for a service with 'android.permission.BIND_CHOOSER_TARGET_SERVICE' to remove. The new api is dynamic so you'd would need to get into modify the app code instead, but should still be possible.

     More info:
     https://developer.android.com/training/sharing/direct-share-targets
     https://developer.android.com/reference/android/service/chooser/ChooserTargetService
     https://developer.android.com/reference/androidx/core/content/pm/ShortcutManagerCompat#setDynamicShortcuts(android.content.Context,java.util.List%3Candroidx.core.content.pm.ShortcutInfoCompat%3E)

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Monday, 08-Sep-2025 07:43:17 JST Rich Felker

     in reply to

     • Pixel Light

     @pixellight Oh, quick question because I don't remember and can't find it - what's the Android command to edit system settings keys? I think I might see a way to nuke it with this.

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Monday, 08-Sep-2025 07:53:05 JST Rich Felker

     in reply to

     • Pixel Light

     @pixellight Ah, it's just "settings", but it's not there. Any idea where it might be? ShortcutService has settings (see https://android.googlesource.com/platform/frameworks/base/+/master/services/core/java/com/android/server/pm/ShortcutService.java) max_shortcuts and max_shortcuts_per_app which in theory could be set to zero if I knew where to set them.

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Monday, 08-Sep-2025 07:56:03 JST Rich Felker

     in reply to

     • Pixel Light

     @pixellight Oh, maybe they are system-level and my Android version is just too old to have them..? Looks like they were added relatively recently.

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Monday, 08-Sep-2025 08:17:23 JST Rich Felker

     in reply to

     • Pixel Light

     @pixellight LOL, termux-widget README has the full instructions for how to do this (but they think you want to increase it 🤡):

   • Embed this notice
     Pixel Light (pixellight@pony.social)'s status on Monday, 08-Sep-2025 08:17:25 JST Pixel Light

     in reply to

     @dalias looks like the setting key is shortcut_manager_constants

     though adb shell settings get global shortcut_manager_constants is returning null for me hm

   • Embed this notice
     Pixel Light (pixellight@pony.social)'s status on Monday, 08-Sep-2025 08:17:26 JST Pixel Light

     in reply to

     @dalias fyi cs.android.com if you want a good way to search around AOSP source code

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Monday, 08-Sep-2025 08:37:21 JST Rich Felker

     in reply to

     • Pixel Light

     @pixellight I think max_shortcuts_per_app is better. It prevents apps from even sending more, rather than limiting the number shown/offered to share to.

     Sadly my Android is too old to support the limiting, I think.

   • Embed this notice
     Pixel Light (pixellight@pony.social)'s status on Monday, 08-Sep-2025 08:37:22 JST Pixel Light

     in reply to

     @dalias lol,

     adb shell settings put global shortcut_manager_constants max_shortcuts=0

     is where I was currently landing looking at the source...

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Monday, 08-Sep-2025 08:41:09 JST Rich Felker

     in reply to

     • Pixel Light

     @pixellight If anyone can confirm this works on newer Android, I think that's the solution to the problem, and really should be published/documented somewhere.

     Sadly, it doesn't solve *my* problem, but I'll take it anyway and see if I can solve mine by blocking filesystem access to where the junk would get stored.