Comment by charcircuit
9 hours ago
Meanwhile on Android:
- The clipboard can not be read by backgrounded applications
- Apps by default are unable to use HTTP
9 hours ago
Meanwhile on Android:
- The clipboard can not be read by backgrounded applications
- Apps by default are unable to use HTTP
Meanwhile on Wayland: > StarDict on Wayland doesn't have this problem, because Wayland prevents applications from being able to capture text from other applications by default.
Seems irrelevant to me. I shouldn't need to defend against software provided by the official repositories. The entire point is for those to be trustworthy.
Also Wayland breaks a lot of stuff. It's certainly a move in the right direction on the whole but I wouldn't blindly interpret something like this as a win.
You are cherry picking. The next statement says that the scan feature doesn't even work on wayland. Lol. That's worse than working + buggy. (security bugs are just bugs. Nothing special about them)
> That does mean that it breaks StarDict's scan feature, though.
No, Wayland is clearly better here. Not allowing an app to do a potentially stupid privacy compromising thing is better that allowing it by default and providing no way to block it.
Better does not necessarily mean good though, that Mac approach of block by default but allow users to enable these things for specific apps on settings would be a great improvement.
2 replies →
Android has its fair share of issues as well. For a recent issue, take a look at the localhost tracking, wherein "Meta devised an ingenious system that bypassed Android’s sandbox protections to identify you while browsing on your mobile phone — even if you used a VPN, the browser’s incognito mode, and refused or deleted cookies in every session":
https://news.ycombinator.com/item?id=44235467
It's by design that apps on Android can talk to each other. It doesn't require a sandbox escape to do. Usually it's done via binder, but it also works through shared memory, unix sockets, network sockets, or pipes.
I get that. Well, not in the linked Facebook case, seeing how much legal attention they have attracted, but in general. And I think that the X server's design is the same. What StarDict did was using an intentional part of the design, not a hack, or exploiting vulnerability. Which is why the Android comparison doesn't stand.
And it is by design that anyone can read the X11 cilpboard so I sm not sure I get your point.
1 reply →
Which Android versions ask for permission before an app can make HTTP requests? I know it's something the app has to declare in the manifest, but other than obscure ROMs every normal version of Android just allows network usage without asking the user.
Android itself doesn't enforce it, but starting with Android 9, you have to opt in to HTTP requests rather than opt out. Most app developers don't even know about this so their applications (and the ads packaged within) cannot do plaintext HTTP calls using the normal system API.
Still doesn't prevent an ad library from bundling libcurl and doing HTTP calls manually, of course, but it's a sane default.