Before anyone takes this as a discussion point pro #iOS...

A few counterarguments on #LocalMess (#Facebook #Instagram #Yandex #LocalhostTracking) against the claim that this would make #Android worse than #iOS:

This vulnerability seems to have existed only on Android, but not everyone needs to be affected by it.

I see #GrapheneOS as a perfected form of the Android idea (stripping the #Advertising and Tracking from it, and adding needed extensions to the permission system).

1. #AdBlock and #Tracking blocking on Android are easy.

Use a browser like #Ironfox with #UBlockOrigin in advanced mode, and block known tracking JavaScript that way.

Solved: no #Metapixel, #GoogleAnalytics, #YandexMetrica, #CloudflareInsights or whatever else exists out there. It is blocked from loading or executing, so it can't listen on your localhost either.

2. Disabling apps

Android has 3 ways to isolate and disable apps. Note that due to this working on localhost, and all user profiles sharing the same localhost, the isolation is worthless here. Only the ability to disable apps is of value.

A: User profiles. Only nice to use on GrapheneOS, but they need barely any storage space and offer the strongest isolation. All data is encrypted separately too, so using the same PIN is fine (if your threat is not people seeing your PIN).

B: The #PrivateSpace. A new Android feature which allows having a separate nested profile within the main one. You can enable it in the settings, enable auto-lock when turning off the screen, add other restrictions. You can toggle it on and off in the app drawer.

C: The #WorkProfile. This is a pretty old feature, intended to grant your employer control over a nested user profile while giving you the control to turn it on or off.

When using it on your own, you need a companion app like #Shelter or #Island, and due to the design this app has full potential control over that profile (so it should be really trusted!).

Work profiles take up a lot of space, but integrate the best into the system (easily accessible, icons can be placed on the home screen).

D: Disabling apps. Android only supports this for system apps. GrapheneOS also allows this for any app, but the UI is not great (Android's fault), as apps disappear from the home screen and app drawer. They can be enabled again in the settings.

#CalyxOS has a nice toggle that is very easy to use. Apps do not disappear from the home screen but appear disabled. This is the easiest way to stop apps from running.

---

GrapheneOS also has support for "private spaces" within separate user profiles, which makes the switching faster and easier.

All these nested or separate profiles use the same localhost (local network), but by turning them off you can fully disable the apps that would serve the cookies used for this method.

3. (Progressive) #Webapps.

While iOS has blocked this feature for years, locking developers to their pricey and walled #AppStore, on Android every Website in your browser can be used like a native app.

#Meta ironically blocks this aggressively, locking video playback and more to "their App™". Other apps like #GoogleMaps, #TikTok or #Shitter annoy you with popups and often offer reduced versions, but they work.

Normal websites like #Discourse forums work just fine.

Webapps are WAY more isolated and cannot execute random code; everything goes through your browser and the blocklists and restrictions you control.

Using only one of these isolation methods will break any future exploit with this method.

They allow Android users to restrict, disable or confine untrusted apps.

GrapheneOS stays secure and private.

Hopefully the "app disabling" from Calyx will be included soon.

#PWAs
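The post above recommends blocking the named tracking scripts with uBlock Origin. As an added illustration (not part of the original post, and not a list maintained by any of the projects named), here is what such a block list looks like as static filters for uBlock Origin's "My filters" pane. The hostnames are the well-known script origins of the trackers the post mentions; they are assumptions about where those scripts are served from and should be checked against what the uBlock logger actually shows on the sites you visit.

```adblock
! Added example: block the third-party tracking scripts named in the post.
! These are static network filters; hostnames assumed, verify with the uBlock logger.
! Meta Pixel (fbevents.js)
||connect.facebook.net^$script,3p
! Google Analytics / Google Tag Manager loader
||www.google-analytics.com^$script,3p
||www.googletagmanager.com^$script,3p
! Yandex Metrica
||mc.yandex.ru^$script,3p
! Cloudflare Web Analytics beacon
||static.cloudflareinsights.com^$script,3p
```

In advanced mode the same effect can be reached with dynamic filtering rules in the "My rules" pane, where a rule has the form `source destination type action`, for example `* connect.facebook.net * block`. The static filters are the simpler choice because they are easy to audit and to share, while dynamic rules let you allow a script on one site only. With either, a tracking script that is never loaded never gets the chance to talk to anything on localhost.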

You simply cannot trust these people (and should stop using their products)

It's scary that Facebook's latest privacy scandal has barely broken through


If you use something like Instagram or Facebook on your phone, then please _never_ use the apps. Install Fennec with uBlock Origin. I explained how to do that here:

https://www.youtube.com/watch?v=a5-qV6OUV_o
https://www.spacefun.ch/linux-videos#android1

#localmess #tracking #surveillance #blackhatcapitalism


#localmess
In the transcript of the "Security Now" podcast you can read the details in summary form:

https://www.grc.com/sn/sn-1029-notes.pdf

And also here:

https://schleuss.online/@itnewsbot/114676551224936477

For anyone who still needs a push to finally leave Meta:

🔐 Security News: "Local Mess" – new tracking method discovered!

Anyone who thinks Meta & Co. don't go overboard with online tracking should take a closer look now. A recent report shows how websites sometimes secretly read users' local file system in order to follow their browsing behaviour and build profiles. 😳

This method became known under the name "Local Mess": https://localmess.github.io/
#localmess

Covert Web-to-App Tracking via Localhost on Android

Companies are pushing non-stop for users to move from web apps to phone apps. They justify the push by saying phone apps are more secure. But that's a blatant lie. They want you to move to phone apps so they have a lot more control over you and can drain a lot more information about you. The recent #LocalMess misbehavior from #Meta is just one more example showing this: if you install their app, the OS will allow them to do many things the web browser won't. https://localmess.github.io/

“Localhost tracking” explained. It could cost Meta 32 billion.

You just can't finish off Zuckerberg.


#Meta #Facebook and #Yandex are always looking for new ways to spy on you and track you. #LocalMess is the latest in a long line of abusive methods to gather your private data. Having their mobile app installed gives them super powers. Uninstall it. If you must use these services, do not use their app, keep it in the browser, or even better, use a wrapper app, like

* https://f-droid.org/packages/it.rignanese.leo.slimfacebook/
* https://f-droid.org/packages/us.spotco.maps/

Here is a nice technical write up:
https://localmess.github.io/

#tracking #privacy

SlimSocial for Facebook | F-Droid - Free and Open Source Android App Repository



"Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users' visiting sites embedding their scripts."

https://localmess.github.io/

#LocalMess #Meta #Yandex #Android
