Why has Android made it impossible to install system fonts?

Question

Fonts in Android are kept in /system/font directory. There seems to be no way to install custom fonts without rooting your Android or installing some apps.

Why has Google made it almost impossible for Android users to install custom fonts?
What was the engineering decision that led fonts not getting picked up from ~/.fonts/ user directory as happens in a standard Linux Distribution?

The same behaviour is seen in ChromeOS as well.

@Robert 2. You're partially wrong. Android is a non GNU/Linux system I agree but home directories indeed exist in Android: They're /storage/emulated/0 , /storage/emulated/1 and so on — karthik nair, Jun 15 '22 at 17:08
@karthiknair Are you sure that /storage/emulated/0 is the home directory? And of which user? Every app has an own user account, so it would not make sense to have one home directory for all users. On Android versions prior to 11 /storage/emulated/0 was often used like a home directory by some apps, but it was never a home directory in a Linux meaning. And since Android 11 it isn't accessible at all on file level. — Robert, Jun 15 '22 at 17:14
@Robert /storage/emulated/0 is what you see when you open File Manager and tap on 'internal storage' i.e where folders such as Downloads, Pictures, Android etc exists just like in a Linux system. /storage/emulated/0 is for user 0. if you create another user and open internal storage in file manager, the contents you see are under /storage/emulated/1 — karthik nair, Jun 15 '22 at 17:27
@Robert In android >=11, /storage/emulated/0/Android isnt accessible at all in the file level (there are workarounds for that too). But /storage/emulated/0 has always been and would continue to be accessible — karthik nair, Jun 15 '22 at 17:29
@karthiknair We simply have different understanding what a home directory is. For you it is some directory shown by default in an UI file manager, for me it is a directory where applications places their configuration files/directories and where use related files are stored. — Robert, Jun 15 '22 at 17:37
@Robert No we don't have a different understanding of what $HOME is. I'm a GNU/Linux user. Assume you have set up two users in your phone. And e.g let's consider WhatsApp and let's imagine we've that app installed on both users... A lot of related directories of WhatsApp are stored under /storage/emulated/0/Android/data and /storage/emulated/0/media for user 0 and similalry /storage/emulated/1/data for user 1. Though I agree that Android apps store part of related files and configs in /data/data/0 and /data/data/1 too, /storage/emulated/ still remains something similar to $HOME — karthik nair, Jun 15 '22 at 17:45

Morrison Chang · Accepted Answer · 2022-06-15T19:50:53.560

Fonts can be considered an attack surface so system level fonts are restricted.

The Android Open Source Project documentation has a section on Custom Fonts Fallback which allows for Android 12+ OEMs to modify/update the system font with appropriate system level permission/keys. For Android 11 and earlier, the system font was delivered with a ROM update.

Reading on there is a section on signing font files:

Signing font files

Since font files are risky resources, they must be verified with trusted keys. Carefully review all font files that are to be updated, and sign with your private key. The signature must be fs-verity compatible.

where Google calls out that font files are 'risky resources'.

Quoting from: How can a font be used for privilege escalation?

Fonts are hard. It's old code. It runs in kernel mode.

Related post: How to detect suspicious content in a TrueType Font (.ttf) font file

So it can be implied that by not allowing end-user customization of the system fonts, there is a reduction of the attack surface.

Individual apps can embed their own custom font files for use within their own app.

Why has Android made it impossible to install system fonts?

1 Answers1

Linked