Meta devised an ingenious system (“localhost tracking”) that bypassed Android’s sandbox protections to identify you while browsing on your mobile phone — even if you used a VPN, the browser’s incognito mode, and refused or deleted cookies in every session.
Is WhatsApp safe?
Asking for a friend...
In general? No. Listen to @k00b and switch to signal.
Regarding this particular issue, I tried whatsapp on an avm the day the method was exposed but didn't find it to have these listening ports. However, they removed the feature within 24h after exposure so I may have been too late.
🤔
Correct. This has been known for years. Here's a reddit post from 5 years ago.
https://old.reddit.com/r/signal/comments/kslslw/data_collection_comparison_of_signal_imessage/
It's interesting that I've been hearing radio commercials for Whatsapp lately. Anyone that trusts Meta is a fool. I'm not saying anyone that uses anything they own is a fool but you better know what you are dealing with.
I'm so happy I've been off these platforms for almost a decade, though I still much depend on WhatsApp... Signal is definitely the way.
Thank you!
use signal?
It's pretty interesting how this works
Yep, so clever that it's simple.
Brave browser does prevent this by default, at least this is my understanding. It does seem like a good browser security default would be to block remote sites from calling localhost. I am sure there are sites this would break but it could warn you that a site attempted this and allow you to allow it.
I was gearing up to test this when I made an addressing error. Turns out it even blocks "cross-site" from http://127.0.0.1 to http://localhost from the same tcp port.
I couldn't really understand how it works, but I did understand that Meta is full of assholes
Ugh they're just the worst
that's spyware... I am a bit surprised Android doesn't freeze sockets of background apps.
Actually, doesn’t it? Wasn’t the whole notification trick to keep the app alive necessary to prevent Android from killing sockets?
Android is pretty liberal with backgrounding relative to iOS. It's iOS that needs notifications to do anything meaningful in the background.
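I suspect Android lets these sockets stay open as long as they're for something specific - in this case it looks like WebRTC might be allowed so they "munge" the cookie in:
The Meta Pixel script sends the _fbp cookie to the native Instagram or Facebook app via WebRTC (STUN) SDP Munging.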
If not installing the Meta apps, it is the same if you log in through a mobile browser, it tracks your browsing, right? So, either way, they track your browsing history.
Is the only way to sandbox these mobile platforms to never log in?
yes
Thanks. Just wanted to be sure of that.
I don't know what good a ten percent fine will do every user, but I guess at least it'll force Meta to re-engineer their surveillance stack.
iPhone users marked safe from Meta’s attack.
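An added example, not part of the thread and not Brave's code: a simplified policy for the browser default discussed above, which blocks page requests to loopback addresses, including the 127.0.0.1 to localhost case one commenter ran into. The function names, verdict strings and sample requests are constructed for illustration.

```javascript
'use strict';
// Added example: simplified loopback-request policy (hypothetical names, not Brave's code).

// True when a hostname (as returned by the WHATWG URL parser) points at the local machine.
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, '').replace(/\.$/, '');
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  // 0.0.0.0 is treated as "this host" by some network stacks, so count it as local.
  if (h === '::1' || h === '0.0.0.0') return true;
  // IPv4-mapped IPv6 form of 127.0.0.0/8, serialised like ::ffff:7f00:1.
  if (/^::ffff:7f[0-9a-f]{2}:/.test(h)) return true;
  // The URL parser has already normalised shorthand such as 127.1 or 0x7f.0.0.1.
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h);
}

// Verdict for a request that the page at `initiator` makes to `target`.
function classifyRequest(initiator, target) {
  const from = new URL(initiator);
  const to = new URL(target, initiator); // relative targets resolve against the page
  if (!isLoopbackHost(to.hostname)) return 'allow';
  if (from.origin === to.origin) return 'allow'; // a local app talking to itself
  // 127.0.0.1 and localhost are different origins even on the same port.
  return isLoopbackHost(from.hostname)
    ? 'block-cross-origin-loopback'
    : 'block-public-to-loopback';
}

// Return only the requests the policy would block, with their verdicts.
function auditPage(initiator, targets) {
  return targets
    .map((t) => ({ target: t, verdict: classifyRequest(initiator, t) }))
    .filter((r) => r.verdict !== 'allow');
}

// Constructed sample: requests made by one page (made-up hosts and ports).
const SAMPLE_REQUESTS = [
  'https://cdn.example.net/lib.js',
  'http://localhost:12345/ping',
  'ws://127.0.0.1:12345/',
  'http://[::1]:8080/x',
  '/api/data',
];

console.log(auditPage('https://shop.example.com/cart', SAMPLE_REQUESTS));
```

This policy only sees URL-based loads (fetch, XHR, WebSocket); the WebRTC path quoted in the thread is not a URL load and needs separate handling.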