Comment by npteljes
8 hours ago
Android has its fair share of issues as well. For a recent issue, take a look at the localhost tracking, wherein "Meta devised an ingenious system that bypassed Android’s sandbox protections to identify you while browsing on your mobile phone — even if you used a VPN, the browser’s incognito mode, and refused or deleted cookies in every session":
It's by design that apps on Android can talk to each other. It doesn't require a sandbox escape to do. Usually it's done via binder, but it also works through shared memory, unix sockets, network sockets, or pipes.
I get that. Well, not in the linked Facebook case, seeing how much legal attention they have attracted, but in general. And I think that the X server's design is the same. What StarDict did was using an intentional part of the design, not a hack, or exploiting vulnerability. Which is why the Android comparison doesn't stand.
And it is by design that anyone can read the X11 cilpboard so I sm not sure I get your point.
My point is it's the browser app's responsibility to add extra security before reaching out to private / loopback addresses when it wants extra privacy.
Android already provides a way to sandbox apps from one another, so if people don't want social media apps talking with other apps they can already separate them.