Meta and Yandex are de-anonymizing Android users’ web browsing identifiers

ignoramous

GrapheneOS GrapheneOS has protected against this WebRTC privacy issue in Vanadium for years

Curious: Would turning ON (on Android 11+) VPN Lockdown mode ("Block connections without VPN") prevent the technique used by Meta (which is prevented if Chrome couldn't bind to all interfaces)?

Does the loopback (127/8) traffic go through the TUN device when VPN is in Lockdown mode?

ryrona Web sites are not supposed to be able to communicate with installed apps on your device in any way at all.

This has never been true (see: deeplinks, as one example)?

ryrona

ignoramous Curious: Would turning ON (on Android 11+) VPN Lockdown mode ("Block connections without VPN") prevent the technique used by Meta (which is prevented if Chrome couldn't bind to all interfaces)?

No. Loopback data never goes through the VPN, since loopback data is not destined to go out on any network ever, only stay locally on the same device.

ignoramous Does the loopback (127/8) traffic go through the TUN device when VPN is in Lockdown mode?

No.

DeletedUser313

ryrona

I was referring to user tracking through IP addresses, that doesn't seem like an attack to me

ryrona

DeletedUser313 I was referring to user tracking through IP addresses, that doesn't seem like an attack to me

Ah, okay. I misunderstood what you were referring to. I agree that is not an attack, and that there is a well-known solution to that tracking, using a VPN.

ignoramous

ryrona Loopback data never goes through the VPN, since loopback data is not destined to go out on any network ever

Strangely, on Android 14, when I try ping localhost from Termux, I see Rethink reciving those ICMP echos but as coming from the underlying network's interface (and not lo).

The technique employed by Meta (not Yandex) not rely on binding to ALL interfaces and not just lo? At least, that's what I understood from GrapheneOS' communication on Mastodon (link).

Either way, we intend to experiment this ourselves in the coming days: https://github.com/celzero/rethink-app/issues/1964

ignoramous

ignoramous Either way, we intend to experiment this ourselves in the coming days: https://github.com/celzero/rethink-app/issues/1964

An update: On Android 15, in our preliminary testing, under no circumstance ("Block connections without VPN" turned ON/OFF, Allow Bypass turned OFF/ON, server app included in the tunnel but client app is outside the tunnel and vice versa) is loopback traffic between apps sent to the TUN device (this means, VPN apps that double-up as a "firewall" do not have visibility into loopback).

ryrona

ignoramous Strangely, on Android 14, when I try ping localhost from Termux, I see Rethink reciving those ICMP echos but as coming from the underlying network's interface (and not lo).

Try "ping 127.0.0.1" instead. "localhost" is a domain name, so might get resolved by the regular DNS resolver. It should always resolve to 127.0.0.1, but just to be certain, better write the IP address.

ignoramous The technique employed by Meta (not Yandex) not rely on binding to ALL interfaces and not just lo? At least, that's what I understood from GrapheneOS' communication on Mastodon (link).

I don't think they bind to any interface. I haven't read it in details what Meta did, but as I understood it, they use the peer-to-peer protocol WebRTC built into most web browsers, and then claim to be 127.0.0.1 at some port number, and then ask to make a peer connection to them. If the web browser goes ahead to that without realizing that isn't a globally routable IP address, the web browser would connect to the Meta app running locally on the device at that port number.

ignoramous On Android 15, in our preliminary testing, under no circumstance is loopback traffic between apps sent to the TUN device

Yeah, it shouldn't be. It is intended to always stay local to the device. But thanks for testing and confirming.

argante

ryrona Try "ping 127.0.0.1" instead. "localhost" is a domain name, so might get resolved by the regular DNS resolver. It should always resolve to 127.0.0.1, but just to be certain, better write the IP address.

The connection can be made in several ways: localhost (domain), 127.0.0.1 (local address), but you can also use the device's network address or even just the MAC address (even if it is random, but the spy application will be able to obtain it). With this MAC address, I don't know how feasible it is on GOS - such things are done, however, if you want to reduce latency in the local network (eg HTF).

cuckflared

Does the tracking occur also when Facebook app is not currently running in the background? But then how would it be able to listen for incoming connections?

ryrona

cuckflared Does the tracking occur also when Facebook app is not currently running in the background?

Probably not, but there is no reliable way to prevent an app from running in the background, other than disabling it completely.

cuckflared

ryrona Is the "Active apps" list a reliable place to check if an app is running or it's possible for an app to cloak itself?

gvprtskvni

ryrona but there is no reliable way to prevent an app from running in the background, other than disabling it completely.

Even if the profile the app is on is inactive and not allowed to run in the background?

ryrona

cuckflared Is the "Active apps" list a reliable place to check if an app is running or it's possible for an app to cloak itself?

No, I wouldn't trust that to be reliable. Also an app may start and then shut down again, and then start again a little bit later. This is normal behavior to allow eg messaging apps to check for new messages.

GrapheneOS

cuckflared ryrona Active apps is only about apps running a foreground service, not limited background execution.

cuckflared

ryrona Ok, thank you for your replies!

GrapheneOS

Vanadium already prevents both vectors being abused in the default configuration and we plan to add a per-app toggle for loopback access in the near future. Android 16 is adding a private network toggle for apps opting into previewing it and we can make it available for all apps as an opt-in feature.

DeletedUser433

GrapheneOS Can Vanadium still access the network while in the background? If I want to change the server of my vpn for example, could there be a leak if I do it without force stopping Vanadium first

anon1

Hahaha!! I raised this issue with privacy forums years ago, for browsers and for Graphene both, and no one cared. Now suddenly the caring has started yes.
I raised an issue before on limiting loopback address access to graphene github before, and I got shot down.
This person also raised this issue and they were shot down. now suddenly it needs to be fixed
https://github.com/GrapheneOS/os-issue-tracker/issues/4768

DeletedUser370

anon1 Hahaha!! I raised this issue with privacy forums years ago, for browsers and for Graphene both, and no one cared. Now suddenly the caring has started yes.
I raised an issue before on limiting loopback address access to graphene github before, and I got shot down.

Are you in a position to link to these reports? I feel that being able to read the reports and their replies would help other people to determine for themselves whether or not the replies constituted "non-caring".

matchboxbananasynergy

anon1 Dealing with loopback has been something we've wanted to do for a very, very long time. However, it is a very invasive change which is best done upstream. They are unlikely to do it so we will eventually have to take it on, but it won't be easy.

To substantiate what I'm saying, here's a post from March 2023 where we express that this is something we want to implement in the future:

https://x.com/GrapheneOS/status/1636042803623997440

Your attitude is unproductive and I would like to ask you to tone it down. It's completely unhelpful.

P.S. What meta was doing didn't work on Vanadium by default, and both ways are patched at the moment.

de0u

anon1 This person also raised this issue and they were shot down.

The original issue, describing the situation as a "security domain bypass", was closed and replaced by another issue, which is still open. Personally, if I filed an issue about something and it were replaced by an issue opened by a developer I wouldn't score that as "shot down", since issues opened by a developer are more likely to be addressed.

anon1 now suddenly it needs to be fixed

My understanding is that the avenues used by Yandex and Meta can be closed without reworking the loopback interface problem, and have been.

Meanwhile, if somebody is in a position to contribute code that would resolve the loopback issue, I suspect it would be of interest. It's less clear how the project benefits from recriminatory posts.

Please note that I do not speak for the GrapheneOS project.

« Previous Page Next Page »