home.social

#localmess — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #localmess, aggregated by home.social.

  1. Before anyone takes this as a discussion point pro #iOS...

    A few counterarguments on #LocalMess (#Facebook #Instagram #Yandex #LocalhostTracking), why this would make #Android worse than #iOS:

    This vulnerability seems to only have existed on Android, but not everyone would need to be affected by it.

    I see #GrapheneOS as a perfected form of the Android idea (stripping the #Advertising and Tracking from it, and adding needed extensions to the permission system).

    1. #AdBlock and #Tracking Blocking on Android is easy.

    Use a browser like #Ironfox with #UBlockOrigin in advanced mode, and block known tracking JavaScript that way.

    Solved, no #Metapixel, #GoogleAnalytics, #YandexMetrica, #CloudflareInsights and whatever else exists out there. It is blocked from loading or executing, so it can't listen on your localhost either.

    2. Disabling apps

    Android has 3 ways to isolate and disable apps. Note that due to this working on localhost, and all user profiles sharing the same localhost, the isolation is worthless here. Only the ability to disable apps is of value.

    A: User profiles. Only nice to use on GrapheneOS, but they need barely any storage space and offer the strongest isolation. All data is separately encrypted too, so using the same PIN is fine (if your threat is not people seeing your PIN).

    B: The #PrivateSpace. A new Android feature which allows having a separate nested profile within the main one. You can enable it in the settings, enable auto-lock when turning off the screen, add other restrictions. You can toggle it on and off in the app drawer.

    C: The #WorkProfile. This is a pretty old feature, intended to grant your employer control over a nested user profile, but giving you the control to turn it on or off.

    When using it alone you need a companion app like #Shelter or #Island, and due to the design this app has full potential control over that profile (so it should be really trusted!).

    Work profiles take up a lot of space, but integrate the best into the system (easily accessible, icons can be placed on the home screen).

    D: Disabling apps. Android only supports this for system apps. GrapheneOS also allows this for any app, but the UI is not great (Android's fault), as apps disappear from the home screen and app drawer. They can be enabled again in the settings.

    #CalyxOS has a nice toggle that is very easy to use. Apps do not disappear from the homescreen but appear disabled. This is the easiest way to stop apps from running.

    ---

    GrapheneOS also has support for "private spaces" within separate user profiles, which makes the switching faster and easier.

    All these nested or separate profiles use the same localhost (local network), but by turning them off you can fully disable the apps that would serve the cookies used for this method.

    3. (Progressive) #Webapps.

    While iOS has blocked this feature for years, locking developers to their pricey and walled #AppStore, on Android every website in your browser can be used like a native app.

    #Meta ironically blocks this aggressively, locking video playback and more to "their App™". Other apps like #GoogleMaps, #TikTok or #Shitter annoy you with popups, and often offer reduced versions, but they work.

    Normal websites like #Discourse forums work just fine.

    Webapps are WAY more isolated, cannot execute random code, everything goes through your browser and the blocklists and restrictions you control.

    Using only one of these isolation methods will break any future exploit with this method.

    They allow Android users to restrict, disable or confine untrusted apps.

    GrapheneOS stays secure and private.

    Hopefully the "app disabling" from Calyx will be included soon.

    #PWAs

  2. If you use something like Instagram or Facebook on your phone, then please _never_ use the apps. Install Fennec with uBlock Origin. I explained how to do that here:

    youtube.com/watch?v=a5-qV6OUV_
    spacefun.ch/linux-videos#andro

    #localmess #tracking #surveillance #blackhatcapitalism

  3. Companies are pushing non-stop for users to move from web apps to phone apps. They justify the push saying phone apps are more secure. But that's a blatant lie. They want you to move to phone apps so they have a lot more control over you, and can drain a lot more information about you. The recent #LocalMess misbehavior from #Meta is just one more example showing this: if you install their app, the OS will allow them to do many things the web browser won't. localmess.github.io/

  4. "Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users' visiting sites embedding their scripts."

    localmess.github.io/

    #LocalMess #Meta #Yandex #Android

  5. #Zuckerberg’s privacy pledge revealed as ineffectual

    Millions of websites are leaking your private information to #Meta, the parent company of #Facebook, #Instagram, etc. By hacking #Android browser features in ways that were never intended, Meta is tracking you all the way around the web—with no disclosure nor oversight.

    Incognito mode doesn’t stop it; neither does blocking 3rd-party cookies. Russian social giant #Yandex is doing it too.

    As soon as researchers disclosed the #LocalMess problem, Meta stopped it—for now. In #SBBlogwatch, we go live in a cave.

    securityboulevard.com/2025/06/

  6. #localmess
    Meta/Facebook Pixel sharing from web to Meta Android apps

    > Facebook, Instagram, and several Yandex apps including Maps and Browser—silently listen on fixed local ports for tracking purposes.

    > The Meta (Facebook) Pixel JavaScript, when loaded in an Android mobile web browser, transmits the first-party _fbp cookie using WebRTC to UDP ports 12580–12585 to any app on the device that is listening on those ports.

  7. "We found that native #Android apps—including #Facebook, #Instagram, and several #Yandex apps including Maps and Browser—silently listen on fixed local ports for tracking purposes." #localmess localmess.github.io/

  8. The way Meta has just been caught spying on and de-anonymizing Android users is tremendous. I hope they get a colossal fine, but I doubt that will happen, or if it does, I doubt it will change anything. As users we have little option left beyond no longer using apps from this kind of company and blocking all the trackers we can on the websites we visit.

    localmess.github.io/

    #privacidad #facebook #localmess #meta #android
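
An added example, not part of any post above: a defender-side check for the fixed UDP ports 12580–12585 quoted in post 6, run over a socket table in the Linux `/proc/net/udp` layout. The sample rows, UIDs and function names are constructed for illustration, and obtaining such a table from a device is assumed.

```python
import socket
from collections import defaultdict

# Port range from the quote in post 6; all other names here are illustrative.
LOCALMESS_UDP_PORTS = range(12580, 12586)

# Constructed sample in Linux /proc/net/udp layout (not captured from a device).
SAMPLE_TABLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  10: 0100007F:3124 00000000:0000 07 00000000:00000000 00:00000000 00000000 10234        0 51001
  11: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000  1020        0 51002
  12: 0100007F:3129 00000000:0000 07 00000000:00000000 00:00000000 00000000 10234        0 51003
  13: 0100007F:312A 00000000:0000 07 00000000:00000000 00:00000000 00000000 10301        0 51004
"""

def decode_ipv4(hex_addr):
    """IPv4 addresses appear as byte-reversed hex on little-endian CPUs."""
    if len(hex_addr) != 8:
        return hex_addr  # e.g. IPv6 rows from /proc/net/udp6, left as-is
    return socket.inet_ntoa(bytes.fromhex(hex_addr)[::-1])

def find_listeners(table, ports=LOCALMESS_UDP_PORTS):
    """Return one dict per UDP socket bound to a port in `ports`."""
    hits = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0].endswith(":"):
            continue  # header row or truncated line
        try:
            addr_hex, port_hex = fields[1].rsplit(":", 1)
            port = int(port_hex, 16)   # port is hexadecimal in this format
            uid = int(fields[7])       # owning UID is the eighth column
            addr = decode_ipv4(addr_hex)
        except ValueError:
            continue  # malformed row
        if port in ports:
            hits.append({"addr": addr, "port": port, "uid": uid})
    return hits

def ports_by_uid(hits):
    """Group matching ports by owning UID so one app's sockets read together."""
    grouped = defaultdict(list)
    for hit in hits:
        grouped[hit["uid"]].append(hit["port"])
    return dict(grouped)

if __name__ == "__main__":
    for uid, ports in ports_by_uid(find_listeners(SAMPLE_TABLE)).items():
        print(f"uid {uid} has UDP sockets bound to {ports}")
```

A socket bound to one of these ports is only a lead: the owning UID still has to be mapped to a package and checked before drawing conclusions.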