app permissions: how reliable are they?

vtek

Is it possible for an app to gain permissions that aren't disclosed to the OS?

I recall reading about the Facebook/Meta app a few months ago where the app was able to gain access it shouldn't have had by leveraging a connection to localhost as i recall. I don't recall the details, but it seemed like a novel way of breaching its boundary.

mr_r0bot

vtek The app sandbox is fairly robust. Apps only have the APIs available to them.

I believe the incident you are referring to was Meta's use of a web server embedded in their mobile apps bound to localhost. This was then called by the MetaPixel tracker on any website hosting it. This did not break the app sandbox, but it did allow for very invasive web tracking.

Murcielago

vtek

I don't recall the details, but it seemed like a novel way of breaching its boundary.

The covert Web-to-App Tracking via Localhost on Android was/is called "Local Mess".

Meta and Yandex were caught misusing unvetted access to localhost sockets which allowed JavaScript embedded on websites to share identifiers and browsing habits with native Android apps.

More details can be found here: https://localmess.github.io/#description

vtek

Thanks for the info guys.

Murcielago ... which allowed JavaScript embedded on website ...

Another good reason to default-disable JS.

userofgos

For reference, here's the thread about Meta and Yandex: https://discuss.grapheneos.org/d/22889-meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers