Wait... So any app with INTERNET permission can open a server on an Android phone? I hope I'm missing something here?
baby_souffle · 12h ago
Essentially, yeah.
Chromecast and Netflix have done this for a while now to facilitate some sort of hand-off.
I don’t have the details handy, but a few years ago I was `adb shell` into my device to debug something unrelated and did a quick `netstat` and noticed a few ports that were open / did not expect. Tracked them down to Netflix, specifically.
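Added example, not part of any comment in this thread: one way to repeat the check described above, by parsing socket-table text in `/proc/net/tcp` format and attributing each listening port to an installed app. The table rows and package names are constructed samples, and it assumes the UID mapping comes from `pm list packages -U`.

```python
import socket

TCP_LISTEN = 0x0A      # "st" column value for a listening socket
FIRST_APP_UID = 10000  # Android gives installed apps UIDs from 10000 up

# Constructed sample in /proc/net/tcp format (IPv4 only; tcp6 is a separate file).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 51234
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10187        0 51301
   2: 0F02000A:A1B2 2EFAD8AC:01BB 01 00000000:00000000 00:00000000 00000000 10234        0 51377
   3: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20011
"""

# Constructed sample in the format printed by `pm list packages -U`.
SAMPLE_PACKAGES = """\
package:com.example.streaming uid:10234
package:com.example.sync uid:10187
"""

def parse_packages(pm_text):
    """Map UID -> package names (several packages can share one UID)."""
    by_uid = {}
    for line in pm_text.splitlines():
        fields = dict(f.split(":", 1) for f in line.split() if ":" in f)
        if "package" in fields and "uid" in fields:
            by_uid.setdefault(int(fields["uid"]), []).append(fields["package"])
    return by_uid

def listening_app_sockets(tcp_text, pm_text):
    """Return (package, ip, port, loopback_only) for each app-owned listener."""
    packages = parse_packages(pm_text)
    found = []
    for line in tcp_text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 8 or int(cols[3], 16) != TCP_LISTEN:
            continue                                # not a listener
        uid = int(cols[7])
        if uid < FIRST_APP_UID:                     # system daemon, not an app
            continue
        ip_hex, port_hex = cols[1].split(":")
        # The address is a little-endian 32-bit hex value: reverse the bytes.
        ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])
        owner = ",".join(packages.get(uid, ["uid:%d" % uid]))
        found.append((owner, ip, int(port_hex, 16), ip.startswith("127.")))
    return sorted(found, key=lambda s: s[2])

if __name__ == "__main__":
    for owner, ip, port, loopback in listening_app_sockets(SAMPLE_TCP, SAMPLE_PACKAGES):
        print(f"{owner:28} {ip}:{port} {'loopback' if loopback else 'all interfaces'}")
```

A listener bound to 127.0.0.1 is the case this thread is about: it is unreachable from the network but reachable from any web page loaded in a browser on the same device.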
merelysounds · 12h ago
Yes, this permission allows that. Docs say: “Allows applications to open network sockets.”[1], full description seems to be[2]:
> Allows the app to create network sockets and use custom network protocols. The browser and other applications provide means to send data to the internet, so this permission is not required to send data to the internet.
Yes, I rely on this for my internal app to serve scriptlets to uBlock Origin. I hope they won't take it away, at least make it possible for the user to keep this behaviour.
I also rely on this for another internal app that opens an rsync server.
merelysounds · 12h ago
For iPhone users, the last point in the article’s FAQ addresses iOS; excerpt below:
> No evidence of abuse has been observed in iOS browsers and apps that we tested. That said, similar data sharing between iOS browsers and native apps is technically possible. (…) It is possible that technical and policy restrictions for running native apps in the background may explain why iOS users were not targeted by these trackers.
cosmic_cheese · 12h ago
It’d be difficult to make work reliably on iOS due to how it handles background processes. Processes can’t just hang around forever, they’re expected to quickly and efficiently finish their task and close until their next scheduled run (which is determined by the system — devs can request to run whenever they want, but processes that are badly behaved get downranked and run less often). If its task is taking too long the system unceremoniously kills the process.
This is limiting and makes implementing programs like Syncthing more challenging but also helps keep the battery eaters and eternal listeners under control.
dherls · 13h ago
Another scummy tracking move from Meta, shouldn't be surprised.
In general I think browsers should prevent websites reaching out to localhost without explicit opt-in from the user.
yvmash · 12h ago
omfg, just comfort yourselves that every sane company tracks and will track. they will. move on from this topic. it is not conspiracy theory. it is a sane way to make business. live with it.
zaptheimpaler · 10h ago
This article is a counterexample to the helplessness you advocate. This research forced Meta to stop doing it. There is no cosmic law that says they must track or that we have to allow them to do so.
margalabargala · 12h ago
I'm not required to give something up simply because a corporation decides they wish to take it.
Keeping tabs on how Meta et al. are tracking people allows those who care to avoid it.
You clearly don't care about what corporations are doing; why do you care so deeply what other people are doing about what corporations are doing?
gherkinnn · 11h ago
It is not a sane way. It is a drain on humanity. It is only done because it is allowed/accepted and that will not change by living with it.
wahnfrieden · 12h ago
Why do you support lawlessness when it's done by a business?
Is your position really that if there is a selfish motive, it justifies the crime - or only as long as it is done by elite businesses?
Why are you against calling it out such that we can protect ourselves from it? Meta immediately stopped this behavior once it was disclosed.
"Localhost tracking" explained. It could cost Meta €32B - https://news.ycombinator.com/item?id=44235467 - June 2025 (274 comments)
Meta found 'covertly tracking' Android users through Instagram and Facebook - https://news.ycombinator.com/item?id=44182204 - June 2025 (93 comments)
Meta pauses mobile port tracking tech on Android after researchers cry foul - https://news.ycombinator.com/item?id=44175940 - June 2025 (28 comments)
Covert web-to-app tracking via localhost on Android - https://news.ycombinator.com/item?id=44169115 - June 2025 (344 comments)
[1]: https://android.googlesource.com/platform/frameworks/base/+/...
[2]: https://android.googlesource.com/platform/frameworks/base/+/...
Also https://en.wikipedia.org/wiki/PRISM is not a conspiracy theory