Opening those URL might sometimes be desirable. It might be good to prompt users with something like, 'App "x" wants to open URL "y" (w/wo various meta-data).'. Options could be to allow or disallow, with a drop-down menu to select options like 'Remember for this app' and 'Remember for this U.R.L.' Using a drop-down would allow for more menu options in the future, such as based on the meta-data.

One way to accomplish this would be to gate the IntentDispatcher with an android:permission attribute. I have a working prototype of this approach. It has one major drawback: apps that have not been been granted the INTERNET permission get thrown a SecurityException when they try to open a URL and crash because the exception does not get caught. If this is acceptable, I would be happy to send you a merge request.

Another way to solve this would be to prevent Vanadium from automatically navigating to a URL from ALL intents, requiring explicit user confirmation for every URL. This would prevent the issue described above, but would introduce extra UI friction in most cases.

Personally, I would prefer explicitly confirming every U.R.L. to implicitly allowing every U.R.L. A lot of websites already use a mechanism like this, confirming whether users really want to navigate to an external web page (probably to prevent phishing and bad P.R. from people who can't tell the difference).

Perhaps there could be an option to stop asking with a clear warning that apps without INTERNET permission will crash if they try to open web pages. Not sure how many people would use it, but I might. Probably depends on whether they commonly use any apps that will lose some data or take a long time to navigate back to where they were before crashing. There would need to be a convenient way of switching that setting back.

Blocked by: No public API for proper checking of permissions by calling activity when it does not require result, or has FLAG_ACTIVITY_NEW_TASK