I've noticed that it is possible on Android to change the permissions on a file with chmod, which means we can easily execute anything from an application:
var runtime = Runtime.GetRuntime();
runtime.Exec("chmod 0755 /my/file").WaitFor();
// Then ProcessBuilder to execute it.
Would Google Play Store accept an application that takes advantage of this flaw? I can't find any documentation about it, but I confirm that it works.
Actually, I want to include ffmpeg for tasks that are too slow to be executed using MediaCodec.
(I've also noticed that the Android framework sometimes directly access to a native version of ffmpeg, so maybe I could access it directly from the phone?)
I don't know for sure if it is ok for Google Play.
However i don't think it is security issue. You will exec process with the autorisation of your app. I hope the following example will help you. You can try the following command line with your device connect.
adb shell
To have a shell on your devices Then you can try to look what is inside the files for an app (replace com.your.package by the name of a debbugable apk)
ls /data/data/com.your.package
This command will failde because you have not the good permission. Now run the following command.
run-as com.your.package
You will now exec your command line with the same permission as your app.
You can now retry the previous ls command. It will work. However it will not work for another package.
So, i think the command you will exec with your code, will be exec with the privilege of your app. So i don't think you can elevate the privilege of you app on a file with this method.