How to do local services safely

Posted Jun 11, 2025 18:14 UTC (Wed) by mathstuf (subscriber, #69389)
In reply to: How to do local services safely by xav
Parent article: Covert web-to-app tracking via localhost on Android

Can't Android know what app/activity is on the other end of that socket and make a nice "Do you want $BROWSER to be able to interact with the $INVASIVE_AD_TROJAN app?" permission rather than mentioning anything like "localhost" or a random port number?

How to do local services safely

Posted Jun 11, 2025 21:18 UTC (Wed) by fraetor (subscriber, #161147) [Link] (7 responses)

I can't remember where I saw it, but "a user shouldn't be able to opt-in to insecurity."

In the case of this specific proposal, perhaps you don't mind facebook.com in your browser talking to the Facebook app, but would for other origins.

Various cross-site request forgery prevention mechanism exist to prevent a random site from affecting another site, but in this case the localhost server wants to be affected, which means you would have to prevent the entire request.

A static permission on the app sounds like a sensible step, as it would allow app store review to catch malicious code while still allowing origins to opt-in.

How to do local services safely

Posted Jun 12, 2025 5:29 UTC (Thu) by mathstuf (subscriber, #69389) [Link]

Sure, setting up the socket should *also* have a permission. But just because the socket is up doesn't mean I want any app/website to communicate with it at any time.

How to do local services safely

Posted Jun 15, 2025 16:26 UTC (Sun) by KJ7RRV (subscriber, #153595) [Link] (5 responses)

Couldn't this be a browser-level permission given to Web sites, rather than an OS-level one given to the browser?

> Do you want to allow facebook.com/legit-site-with-ads.com/sketchy-site.com to connect to the Facebook app on your phone? Tap "Deny" unless there is a clear reason that you understand why this is needed, because this can enable trackers to break privacy protections and see your activity across the Internet.

> [Protect my privacy: *Deny*]
> [I understand the risk; *Allow*]

How to do local services safely

Posted Jun 15, 2025 16:47 UTC (Sun) by mathstuf (subscriber, #69389) [Link] (4 responses)

How is the browser supposed to know what app is behind `localhost:12345`?

How to do local services safely

Posted Jun 15, 2025 17:40 UTC (Sun) by notriddle (subscriber, #130608) [Link] (2 responses)

https://www.man7.org/linux/man-pages/man8/lsof.8.html

How to do local services safely

Posted Jun 15, 2025 18:44 UTC (Sun) by mathstuf (subscriber, #69389) [Link] (1 responses)

Sure…but is that reliable on Android?

How to do local services safely

Posted Jun 15, 2025 19:11 UTC (Sun) by johill (subscriber, #25196) [Link]

IIRC each app install gets its own UID, so all it needs to identify is the UID of the listening socket. Should be really simple to do especially on a tightly controlled system like Android.

How to do local services safely

Posted Jun 16, 2025 8:46 UTC (Mon) by farnz (subscriber, #17727) [Link]

The system as a whole knows (if nothing else, the kernel knows the process that's got the socket open), and thus Android could provide an API that maps from local socket to Android application that has the socket open.

If I were implementing this, I'd implement two things:

An API that takes a struct sockaddr_t, and tells you the listener's identity - either a local identifier, or "not a loopback socket/pipe".
An API that takes an fd, and tells you either the listener's identity, or "not a loopback socket/pipe".

With this in place, API 1 lets the browser prompt you before you connect. API 2 lets the browser drop the connection and warn the user that the applications identified by API 1 and API 2 are potentially malicious before transferring data, thus deterring "clever" ideas around transferring a socket between applications.