Comment by bravesoul2
5 days ago
Can this cross profiles? That would be a big security issue for corps.
Quick test and if I serve on 8080 on the Userland app it can be accessed from both profiles. So probably yes.
This means an infected app on your personal profile could exchange data with a site visited from a second profile.
Only if that site specifically communicates with an (unauthenticated) service bound to a local port though, right?
Which, per the OP, the site would be doing by merely including the Meta pixel, which practically every e-commerce and news site does to track its campaigns and organic traffic.
The takeaway is that for all intents and purposes, anything you did in a private session or secondary profile on an Android device with any Meta app installed, was fully connected to your identity in that app for an unknown amount of time. And even with the tracking code deactivated, cookies may still persist on those secondary profiles that still allow for linking future activity.
Yes, but if the concern is not mixing business and personal compartment of the phone, business sites would hopefully not embed a Meta tracking pixel.
> The takeaway is that for all intents and purposes, anything you did in a private session or secondary profile on an Android device with any Meta app installed, was fully connected to your identity
Definitely, and that's a huge problem. I just don't think Android business profiles are a particular concern here; leaking app state to random websites in any profile is the problem.
Or do Android "business profiles" also include browser sessions? Then this would be indeed a cross-compartment leak. I'm not too familiar with Android's compartment model; iOS unfortunately doesn't offer sandboxing between environments that way.
5 replies →