undefined | Better HN

0 pointsGigachad3y ago0 comments

Care to provide an example of an ios app which can read the data from other apps when they shouldn't?

0 comments

dcow3y ago

1. Android and iOS sandbox applications. But if I grant permission, a mobile app can read files from my photos, or documents, SD card on Android, etc. folders. I can even ship a mobile Safari extension on iOS.

2. Desktop platforms do not universally sandbox applications (though they are trying). You can install a desktop app that steals all the data in your home directory, including your entire browsing history, with no permission dialog whatsoever.

3. That aside, browsers sandbox extensions just like mobile applications. One extension cannot access another extension's data.

4. Furthermore, by default, a browser extension can only access content from its own origin. It is in fact sandboxed from the rest of the sites you visit.

5. If the user grants permission, a browser extension may access other sites.

So in short, browser extensions are in fact sandboxed.

And your idea of mobile apps accessing data is entirely dependent on the qualifier "when they shouldn't", which, arguably if given permission, they should so it's a moot point.

GigachadOP3y ago

The shared data on ios and android isnt all that important. Sure, you might not want a random app to read your photos, but it's not getting access to your bank session token. And these days you can grant apps to only specific photos.

The vast majority of extensions require the ability to read and modify the dom on any website to do anything. This is so much worse than the average app permissions.

dcow3y ago

An extension can read another origin’s secure cookies? That’s news to me.

djbusby3y ago

I don't think it goes that far but a while ago the Twitter app was somehow polling for registered request handlers and discovering what other apps were installed. Not their data, but their presence, to profile their own users.

j / k navigate · click thread line to collapse

0 comments

dcow3y ago

3. That aside, browsers sandbox extensions just like mobile applications. One extension cannot access another extension's data.

4. Furthermore, by default, a browser extension can only access content from its own origin. It is in fact sandboxed from the rest of the sites you visit.

5. If the user grants permission, a browser extension may access other sites.

So in short, browser extensions are in fact sandboxed.

And your idea of mobile apps accessing data is entirely dependent on the qualifier "when they shouldn't", which, arguably if given permission, they should so it's a moot point.

GigachadOP3y ago

The vast majority of extensions require the ability to read and modify the dom on any website to do anything. This is so much worse than the average app permissions.

dcow3y ago

An extension can read another origin’s secure cookies? That’s news to me.

djbusby3y ago

j / k navigate · click thread line to collapse