
Can this cross profiles? That would be a big security issue for corps.

Quick test: if I serve on 8080 on the Userland app, it can be accessed from both profiles. So probably yes.

This means an infected app on your personal profile could exchange data with a site visited from a second profile.



Only if that site specifically communicates with an (unauthenticated) service bound to a local port though, right?


Which, per the OP, the site would be doing by merely including the Meta pixel, which practically every e-commerce and news site does to track its campaigns and organic traffic.

The takeaway is that for all intents and purposes, anything you did in a private session or secondary profile on an Android device with any Meta app installed, was fully connected to your identity in that app for an unknown amount of time. And even with the tracking code deactivated, cookies may still persist on those secondary profiles that still allow for linking future activity.
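As an added example (not code from the thread, nor from any Meta or Android component), this is how a service listening on a local port can refuse requests fired by a web page from some other site, which is the case the comments above describe: it checks the browser's Sec-Fetch-Site and Origin headers and requires a per-session token. The port 8080 and the allowed origins are assumptions.

```python
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values for the example; a real service would generate the token
# per session and hand it only to its own client.
SESSION_TOKEN = secrets.token_urlsafe(32)
ALLOWED_ORIGINS = {"http://localhost:8080", "http://127.0.0.1:8080"}


def check_request(headers, token):
    """Decide whether a request to the local listener is allowed.

    `headers` maps lower-cased header names to values. Returns (allowed, reason).
    Two independent checks: the browser's Sec-Fetch-Site / Origin headers reveal
    a request issued by a page from another site (a tracking pixel included),
    and the bearer token proves the caller is the service's own client.
    """
    fetch_site = headers.get("sec-fetch-site")
    if fetch_site not in (None, "none", "same-origin"):
        return False, "cross-site browser request"
    origin = headers.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    scheme, _, presented = headers.get("authorization", "").partition(" ")
    if scheme != "Bearer" or not secrets.compare_digest(
        presented.encode(), token.encode()
    ):
        return False, "missing or wrong token"
    return True, "ok"


class LocalHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        headers = {k.lower(): v for k, v in self.headers.items()}
        allowed, reason = check_request(headers, SESSION_TOKEN)
        self.send_response(200 if allowed else 403)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(reason.encode())

    do_POST = do_GET


if __name__ == "__main__":
    # Binding to loopback does not help on its own: other profiles on the same
    # device share that interface, which is why the checks above are needed.
    HTTPServer(("127.0.0.1", 8080), LocalHandler).serve_forever()
```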


Yes, but if the concern is not mixing business and personal compartment of the phone, business sites would hopefully not embed a Meta tracking pixel.

> The takeaway is that for all intents and purposes, anything you did in a private session or secondary profile on an Android device with any Meta app installed, was fully connected to your identity

Definitely, and that's a huge problem. I just don't think Android business profiles are a particular concern here; leaking app state to random websites in any profile is the problem.

Or do Android "business profiles" also include browser sessions? Then this would be indeed a cross-compartment leak. I'm not too familiar with Android's compartment model; iOS unfortunately doesn't offer sandboxing between environments that way.


While I agree with your reasoning, in my experience any statement where I prepend "hopefully" usually ends up being the worst possible interpretation in practice.


What I mean is: If a corporate internal website regularly connects to unauthenticated local ports and leaks sensitive data out, that's fully on them.

If they are trying to fingerprint the "private compartment" of a BYOD device, that seems roughly as bad as a non-corporate side doing the same.


100% agree, and fingerprinting BYOD devices would be problematic in a lot of ways.

I'm generally against BYOD programs. They're convenient but usually come from a place of allowing employees access to things without the willingness to take on the cost (both in corp devices and inconvenience of a second phone/tablet/whatever) to run them with a high level of assurance.

Much better in my opinion to use something like PagerDuty or text/push notifications to prompt folks to check a corp device if they have alerts/new emails/whatever.


You can easily click a link e.g. to a blog post on Chrome inside your profile.

E.g. a Jira ticket links to a post on how to do something concurrency related in Python.

I get your point though that maybe this is no worse than if they visit the site on the personal side.

However I wouldn't trust our lack of imagination on how to exploit this to be happy about the security gap!


> do Android "business profiles" also include browser sessions

I believe that is typical.

My business profile has its own instance of Chrome. Mostly used for internal and external sites that require corporate SSO or client certificates. Of course it could be used to browse anything.



