Covert web-to-app tracking via localhost on Android

It just needs to require explicit user permission, same as accessing your webcam.

This should be done via an embedded webview.

I just read this on the Local Mess site, which answers my first question:

> Q: Does this only affect Android users? What about iOS or other platforms?

> A: We have only obtained empirical evidence of this web-to-native ID bridging Meta and Yandex web scripts, which exclusively targeted mobile Android users. No evidence of abuse has been observed in iOS browsers and apps that we tested. That said, similar data sharing between iOS browsers and native apps is technically possible. iOS browsers, which are all based on WebKit, allow developers to programmatically establish localhost connections and apps can listen on local ports. It is possible that technical and policy restrictions for running native apps in the background may explain why iOS users were not targeted by these trackers. We note, however, that our iOS analysis is still preliminary and this behavior might have also violated PlayStore policies. Beyond mobile platforms, web-to-native ID bridging could also pose a threat on desktop OSes and smart TV platforms, but we have not yet investigated these platforms.

> This doesn't seem to just be an Android vulnerability; wouldn't the same exploit concept work on any OS that allows application software to listen on ports?

As I understand it – it would, but... most desktop platforms don't have that kind of application software installed (nor is such software *available* at all, when it comes to the usual suspects – when was the last time a "Facebook" desktop app existed for Windows? probably in Win8 UWP era?), unlike mobile platforms where having such software is "normal" and commonplace.

> Also, this seems to be somewhat related to the 0.0.0.0 Day

"the 0.0.0.0 Day"? ...I'm sorry, but that sounds like such a grandiose name for what seems like a very regular vulnerability. It definitely beats "Meltdown" by a mile. What will come next? "git checkout master of Disaster"? "Ultra LaserJet"? "Segfault of Doctor Doom"?

I think cross-site exploits (XSS, CSRF, etc) are about one site exploiting another site, and that's not what's happening here. Both sites/applications are cooperating; neither is being used in a way that its developer did not intend. There are plenty of intentionally-supported ways to opt in to cross-site communication - CORS, non-idempotent GET, WebSockets, etc - and there's nothing inherently wrong with using them, even when one side is running on localhost.

The problem here is that browsers and OSes try to implement privacy protection with sandboxing etc, with the policy that apps are allowed to persistently identify users but web sites aren't, and Meta and Yandex set up covert channels between their apps and web sites to violate that policy.

Protections like https://github.com/explainers-by-googlers/local-network-a... are not intended for this case (though they might fix it anyway, as a side effect): they're trying to e.g. prevent random web pages from accessing http://192.168.0.1/router.cgi?firewall=off in case the router manufacturer mistakenly assumes that any HTTP request from the local network must be from a trusted user and does not perform appropriate authentication.

Chrome's previous proposal (PNA) allowed local services to opt in to promptless cross-site requests (via the CORS pre-flight request), which wouldn't have blocked this covert channel since the Meta/Yandex apps could have just opted in. They say the main reason they dropped that in the new proposal is that it's much easier to add a permission prompt to one browser than to add the opt-in code to the many local services that currently rely on cross-site requests for legitimate purposes; it was for practicality and compatibility, not for improved security or privacy.

Exactly.

I am quite disappointed in the discussion here: several people suggest "fixes" like asking the user if application should be allowed to communicate, as if this is something that users are (or should be) able to decide, shifting the responsibility to the victims. We have enough mental issues in the world, let's not make paranoia mandatory to keep basic human rights.

Blaming users is completely backwards: it's Meta and Yandex who decided to spy on users to enrich themselves, and they should bear the responsibility instead. Put large fine on Meta and Yandex - large enough to erase all gains from this conduct - and send the executives responsible into a jail.

> setsid --fork systemd-run --user --scope --slice=no_localhost_net firefox; sudo bash -c "for dst in 127.0.0.1/8 0.0.0.0/32; do /usr/sbin/iptables -A OUTPUT -p tcp --destination \$dst -m cgroup --path 'user.slice/user-${UID}.slice/user@${UID}.service/no_localhost_net.slice' -j REJECT; done"; sudo bash -c "for dst in ::1/128 ::/128; do /usr/sbin/ip6tables -A OUTPUT -p tcp --destination \$dst -m cgroup --path "user.slice/user-${UID}.slice/user@${UID}.service/no_localhost_net.slice" -j REJECT; done";

Ugh... Well, some months ago I checked whether I can tell nft to filter loopback traffic by the two cgroups of the two participating sockets, but failed. Resorting to sudo is... a risk I don't want to take. Instead you can place it into a dedicated slice, and tell nft to filter on that cgroup.

> developers usually assume opening TCP ports on locahost (127.0.0.1/8, ::1/128) and in local networks (192.168.0.0, 169.254.0.0/16, fe80::/64 and all the others) is OK without any security or just some obfuscation

That‘s true on an operating system you control. You can deploy all sorts of tools to identify and reel in malware.

The problem here is that localhost belongs to the mobile OS, and the mobile OS is not controlled by you but by Google, Apple, or the device maker, and all those entities are engaging in a cat and mouse game with the legislator to pull as much info on you as possible to feed you scams and propaganda.

I’ve slowly come to the conclusion that targeted advertising in any form is evil and should be legislated away. It makes it all too easy to identify marks and slowly overwhelm their common sense with a barrage of ads, propaganda, and echo chamber effects (and conversely fly under the radar of society as a whole by feeding extreme content to select audiences that won’t condemn them). It enables police states. We are seeing the results of allowing this system today (both in the politics being pushed, and who pretends to the role of the puppet master today; see Palantir and Peter Thiel).

I don’t like a advertising as a whole but at least the lack of targeting in last century’s TV adverts prevented the promotion of “let’s kill you neighbour or classmate” messaging (because the neighbour or classmate would also see the same ads).