← Back to context

Comment by lxgr

5 days ago

Yes, but if the concern is not mixing business and personal compartment of the phone, business sites would hopefully not embed a Meta tracking pixel.

> The takeaway is that for all intents and purposes, anything you did in a private session or secondary profile on an Android device with any Meta app installed, was fully connected to your identity

Definitely, and that's a huge problem. I just don't think Android business profiles are a particular concern here; leaking app state to random websites in any profile is the problem.

Or do Android "business profiles" also include browser sessions? Then this would be indeed a cross-compartment leak. I'm not too familiar with Android's compartment model; iOS unfortunately doesn't offer sandboxing between environments that way.

5 comments

lxgr

Reply
d4mi3n  5 days ago

While I agree with your reasoning, in my experience any statement where I prepend "hopefully" usually ends up being the worst possible interpretation in practice.

  • lxgr  5 days ago

    What I mean is: If a corporate internal website regularly connects to unauthenticated local ports and leaks sensitive data out, that's fully on them.

    If they are trying to fingerprint the "private compartment" of a BYOB device, that seems roughly as bad as a non-corporate side doing the same.

    • d4mi3n  5 days ago

      100% agree, and fingerprinting BYOB devices would be problematic in a lot of ways.

      I'm generally against BYOD programs. They're convenient but usually come from a place of allowing employees access to things without the willingness to take on the cost (both in corp devices and inconvenience of a second phone/tablet/whatever) to run them with a high level of assurance.

      Much better in my opinion to use something like PagerDuty or text/push notifications to prompt folks to check a corp device if they have alerts/new emails/whatever.

    • bravesoul2  5 days ago

      You can easily click a link e.g. to a blog post on Chrome inside your profile.

      E.g. a Jira ticket links to a post on how to do something concurrency related in Python.

      I get your point thought that maybe this is no worse than if they visit the site on the personal side.

      However I wouldn't trust out lack of imagination on how to exploit this to be happy about the security gap!

glennpratt  5 days ago

> do Android "business profiles" also include browser sessions

I believe that is typical.

My business profile has it's own instance of Chrome. Mostly used for internal and external sites that require corporate SSO or client certificates. Of course it could be used to browse anything.