Letting webpages start native apps
Reported by ivan.kuc...@gmail.com, Nov 25 2016
Issue description

Steps to reproduce the problem:
1. In Chrome for Android, go to http://m.facebook.com
2. Log in to your Facebook account and click on the message icon.

What is the expected behavior?
You should be able to use the mobile version of messaging.

What went wrong?
Chrome starts a native Messenger app, or Google Play to download the Messenger app. Even if you close it and return to the browser, you can't use it, because Chrome will switch you to Google Play again every time you try to do something.

Did this work before? N/A
Does this work in other browsers? Yes

Chrome version: 54.0.2840.99 Channel: stable
OS Version:
Flash Version:

I don't know what API is used for starting native apps from the browser. But webpages should not be able to start native apps so easily. There is a security risk - if you have some app installed, the website can identify you and track you through switching to the native app, even if you try to act anonymously on the web. In Firefox for Android, this does not happen.
Nov 28 2016
*request And the user can usually choose to always use that application without being asked in the future.
Nov 28 2016
Oh, another way is to use the intent URL syntax - https://developer.chrome.com/multidevice/android/intents
Come to think about it, Facebook is probably using that.
Nov 28 2016
(Sorry for the spam) And if it does use the intent URL syntax, it cannot know whether the application is installed (unless it is their application, obviously, in which case they can signal using an HTTP request or something) or not, so no real security or privacy risk. (Unless the native application lets you pay immediately by using an intent, without any confirmation, which makes it a security risk of the native application, not the browser)
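The intent URL syntax referred to in the comments above, as an added example that is not part of the original thread: a small JavaScript parser that lists what an intent: link declares (target package, scheme, web fallback), which is what you would check when auditing a page's links. The sample URLs and the names parseIntentUrl and auditIntentLinks are constructed for illustration.

```javascript
// Added example, not code from the thread or from Chrome.
// Parses the "intent:" link syntax documented for Chrome on Android:
//   intent://HOST/PATH#Intent;scheme=...;package=...;S.browser_fallback_url=...;end
function parseIntentUrl(url) {
  const prefix = 'intent:';
  const marker = '#Intent;';
  const at = url.indexOf(marker);
  if (!url.startsWith(prefix) || at === -1) return null; // not an intent link

  const fields = {};
  const extras = {};
  for (const part of url.slice(at + marker.length).split(';')) {
    if (part === 'end') break;            // terminator of the field list
    const eq = part.indexOf('=');
    if (eq === -1) continue;              // skip malformed or empty segments
    const key = part.slice(0, eq);
    let value = part.slice(eq + 1);
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    // Extras carry a one-letter type prefix, e.g. "S." for a string extra.
    if (/^[A-Za-z]\./.test(key)) extras[key.slice(2)] = value;
    else fields[key] = value;
  }
  return {
    target: url.slice(prefix.length, at), // host and path part, e.g. "//threads/"
    scheme: fields.scheme || null,
    package: fields.package || null,
    component: fields.component || null,
    fallbackUrl: extras.browser_fallback_url || null,
  };
}

// Keeps only the intent links from a list of hrefs and summarises each one.
function auditIntentLinks(hrefs) {
  return hrefs.map(parseIntentUrl).filter(Boolean).map((intent) => ({
    ...intent,
    namesOneApp: Boolean(intent.package || intent.component),
    hasWebFallback: intent.fallbackUrl !== null,
  }));
}

// Constructed sample input (hypothetical app and site).
const SAMPLE_HREFS = [
  'https://m.example.com/home',
  'intent://threads/#Intent;scheme=examplechat;package=com.example.chat;' +
    'S.browser_fallback_url=https%3A%2F%2Fm.example.com%2Fmessages;end',
  'intent://open/#Intent;scheme=examplechat;end',
];
console.log(auditIntentLinks(SAMPLE_HREFS));
```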
Nov 28 2016
"the user is usually presented with an option to view the URL in the browser, or use the native application instead" ... "And the user can usually choose to always use that application without being asked in the future."

I don't remember allowing Chrome to open any native applications. They start automatically. I can't even find a way to forbid it in Chrome :(

Are these intent URLs a standardized web thing? Or is Android making webmasters make Android-dependent websites?

"it cannot know whether the application is installed"

Should that make me happy, that you don't give the full list of all my installed apps to every webpage? Thanks! :D

I was talking about cases when a webpage tries to start a native app without knowing for sure that such an app is present. If it is, then the native app, that knows your credentials, may contact the server, that you are logged in. The server will match these credentials with your IP address (or simply by comparing the timestamps of requests from the browser and from the native app) and let the website know that it is you. That is a security risk. No native apps should be allowed to be started from the browser without a user allowing it explicitly.
Nov 28 2016
I think Safari allows this as well (I understand it does not necessarily make this right). I am not sure Hotlist-Interop is related here, but I am keeping it just in case.
Dec 14 2016
Nov 1 2017
Much like this bug: https://bugs.chromium.org/p/chromium/issues/detail?id=698470#c8
This is up to Facebook to determine how links are handled, and they choose to have the messenger app be the only supported way for interacting with it. This would require a policy change at Facebook and not something Chrome will be able to handle.
Comment 1 by phistuck@gmail.com, Nov 28 2016