Comment by throwawayffffas
7 days ago
So I am seeing two issues here.
1. Android allows apps to open ports without permissions. And apps to communicate with each other without permissions.
2. The browsers allow random domains to access services on the localhost. Without notifying the user. We have seen vulnerabilities in the past accessing dev services running on localhost. Something should be done there.
I'd split that first list into two:
1a. Arbitrary apps can listen on ports without permissions.
1b. Arbitrary apps can access local ports without permissions.
I've recently been experimenting with running the browser (on my desktop) in a network namespace precisely because of these reasons. Random websites shouldn't be able to access services running on localhost.
> I've recently been experimenting with running the browser (on my desktop) in a network namespace precisely because of these reasons.
Let me introduce you to https://www.qubes-os.org/.
For the ultra paranoid is there anything that can do this on a smartphone?
2 replies →
uBlock Origin ships with a "Block Outsider Intrusion into LAN" filter that I believe is enabled by default. I don't know if it works on the neutered Chrome version, but on Firefox it works so well I've had to add a few whitelists for cases where I do want access to LAN or localhost.
disabled by default, because it can break stuff which is not explicitly allowlisted
1 reply →
Those are two technical issues, yes.
But even with those technical issues present, Facebook shouldn't have done this.
Oh absolutely, we are on the same page on that one. I just think it shouldn't be that easy for them to do it.
> Android allows apps to open ports without permissions.
Just to clarify: you need `android.permission.INTERNET`. This is a default permission (granted by default at install time with no user interaction).
GrapheneOS allows this permission to be disabled.
As far as I'm aware, you can't lock this down to 'allow only intra-app communications via localhost', please let me know if I'm mistaken.
There is a proposal to restrict sites from accessing a users' local network without permission: https://github.com/explainers-by-googlers/local-network-acce...