I don’t know if Jolla can be blamed directly. Android is already responsible for its own possibilities or bugs. You can only protect yourself if you are not using Android. Personally, it is unclear to me how Android patches are handled by Jolla. Are all patches being applied? Only a few CVE numbers are listed in the SFOS change logs compared to the Android logs. That is lower compared to the dozen of CVE reported by the Google monthly patches.
Whatever, using the Dalvik is at your own risk.
While Android may have its own vulnerabilities, it very much should be in Jolla’s hands if a random Android application can start up in the background and, without seeking explicit permission, open up the Sailfish browser to specific pages. In fact I would expect even Sailfish applications to have to seek permission first and to only open pages if the user has the phone open.
Yes sure. What I am saying is, it is not easy to really check all the constellations in which bugs occur.
You misunderstand me. I am not blaming Jolla at all. What I am saying is that if Sailfish cannot control whether an android app is allowed to start up in the background - either after a reboot, or after starting Aliendalvik because this is the way that Android works and this cannot be changed then Jolla should remove the ‘Allow background apps to start on bootup’ option from sailfish settings/android as (a) it doesn’t and can never work (so what’s the point of continuing to have this option?), and (b) it gives a false impression of more control over the security aspects of how android apps can or cannot run under Aliendalvik where such control, in reality, does not exist. If this is not the case then it is a security flaw/bug in Sailfish and Jolla should fix it.
We think the same way, don’t we? I’m just trying to understand technically why there may be a problem with the Dalvik. For a long time, I have been asking why an operating system that stands for security and privacy uses an Android as a subsystem. Yes, you could remove the “Allow background apps …” option, but what would be better then? There are also apps that can be prevented from running in the background, but not all of them. Otherwise it would be a lot worse. The right consequence would be not to use the Dalvik at all or to choose apps more carefully. The same rules apply as for an original Android phone. Tricky programmers will always find a way.
There are also alternatives to the Play Store (via Aurora) or Apkpure. In addition, I would recommend “ClassyShark3xodus” (F-Droid) to check an app for trackers or undesirable dependencies. This can minimize a risk.
Just because Android runs as a subsystem under SFOS, it is not automatically secure. This is my conclusion.
You’ll be happy to hear I brought this up in the community meeting and to find that Jolla is apparently now aware of this and they appear to be analysing the root cause. You can read the minutes below:
(Note the full log link for more details)
Copying what I said in the meeting here, as it was right at the end:
When the background running is disabled, then that package isn’t allowed to receive broadcast intents (such as boot_completed, which is the standard way for apps to launch themselves at startup), and when its window is closed then the app is force stopped. that stops the ‘normal’ ways for apps to start, but a lot of them put a lot of effort into launching themselves any way they can. Certainly an app or its services can be launched from another app, or via some background push notification service if you have one of those running though MicroG or something. The trouble with hacking around with that stuff too much is if we deviate too much from how android normally works, then innocent apps will stop working properly.
Thanks for the explanation - I think I understand it and that, what you are essentially saying is because certain android devs “cheat” their way around the normal process this problem isn’t really fixable (i.e. you’d have to keep up with every new way they find to cheat - and that in itself might break other standard stuff. If you can’t stop an Android app from starting in the Aliendalvik world maybe you still can stop an android app from starting a native sailfish app in the Sailfish world?
Without permission of course.
Indeed, the German language seems to have ‘en’ on the end of a lot of words - and not just nouns but adjectives as well (e.g. grossen). I’m sure this must mean something but my German is not good enough to understand what 
Android apps not respecting the option in settings is of nothing new to me personally. This was the case in the old Jolla phone’s dalvik as it is now in the XA2’s. Some really insist on relaunching themselves up. Not just only fishy apps like apkpure. Some main and big ones I’ve noticed; Outlook, Chrome, Anghami(spotify like app), Twitter.
Ok these are naturally suspicious 
but anyway…
I’ve just installed a security update of APKPure. Let’s see what happens now.
This sounds like a terrible security model - basically just trusting an app to respect an option setting without any enforcement by the OS, rather than the option setting in the OS forcing an app to behave, or not, in a specific manner. If this is really how it works then OS architecture/design has gone backwards
-en is plural in German, no secrets here…
The security or quality of the software is no worse today than it was 10 years ago if you compare the number of bugs with the number of lines of code I think. Software has become more complex and confusing. It is only human work and remains imperfect.
Because of this, there are more people today who are interested in bugs in order to use them for their own purposes. When working on modules in teams, fewer bugs are found because everyone only knows their task and not all of the dependencies. Working without a quality check is no longer possible, but finding and fixing bugs costs time and money. Is that realistic for an app for € 1.50 and a maximum lifetime of 1 year? I do not think so. Programmers of a useless fart app can get the idea of integrating malware and trackers as well. Everyone wants quick money. Unfortunately, programmers of trusted software, such as for banks, have the same idea in the meantime. That concerns the money and the security of the customers.
It is important to understand that almost all current Android apps contain trackers and / or adware.
The system is the fault!
“APKPure, one of the largest alternative app stores outside of the Google Play Store, was infected with malware this week, allowing threat actors to distribute Trojans to Android devices.”
“This trojan belongs to the dangerous Android.Triada malware family capable of downloading, installing and uninstalling software without users’ permission,” Doctor Web researchers said.
It’s not the first time that alternative stores have been affected. Last year, Aptoide lost the data of 20 million users. It always comes through the third party adware modules. Apparently nobody checks them before they are integrated into their own app. One more reason not to use this Google system.
@Tobi Yes, that will help until next time. And what about the other apps that run in the background and go unnoticed? One symptom is gone (Apkpure) and the gap remains. When does Jolla patch the Aliendalvik? In a few weeks, months, years or never? Triada is circulating and in vogue right now.
The bug in Android OS has been known under the name “Zygote” since 2011 (CVE-2011-3918). In 2018 phones were delivered with the preinstalled Trojan “Triada”, which exploits this bug, and currently in 2021 it is still there (CVE-2021-0316). The bug is directly in the Android system and simply allows complete takeover (see Apkpure). Infected phones are very difficult to clean because Triada gets stuck in the boot sequence.
Maybe it helps to reinstall Aliendalvik and hope for a patch from Jolla. At the moment Aliendalvik is probably not recommended. This is a very serious problem and the bug is also in AOSP. This is an effective backdoor par excellence.