Description
The problem (can we call it a security issue?)
You may have heard about the recent "localhost tracking" scandal, but if not, here's a summary: when you browse in incognito mode, this would normally hide your username from ad suppliers such as Meta, but they have overcome this limitation as follows:
- When you visit a website that has ads, the ad supplier runs JavaScript in it
- The script from the ads sends an AJAX request to localhost on a port that they know in advance
- Apps from the ad supplier (e.g. Facebook, Instagram) listen on that port, receive the AJAX request and respond with your username
- The script in the ad gets your username and sends it to their servers/cloud
That way ad suppliers such as Meta can show targeted ads and track the websites you visit even in incognito mode. So far Meta and Yandex are known to use this trick, but who knows how many others are doing it or are willing to implement it in the near future. And you can't know in advance whether a website has ads run by these companies.
Additional context
I have just run a test and can confirm that removing the "LAN" permission from the web browser in AFWall+ does not prevent it from connecting to localhost. The test I ran was:
- Removed LAN permissions from both the web browser and termux and reapplied rules
- Opened termux
- Installed netcat-openbsd
- Typed: `nc -l -p 8080`
- On the web browser on the phone, navigated to `http://127.0.0.1:8080`
Result: the HTTP request from the browser was visible on the termux screen even though LAN permissions had been removed from both termux and the browser using AFwall+. Ads in websites you visit can do it at any time.
Proposed solution
Just like AFWall+ proposes several checkboxes for each app, I'd like to request one more to be added: "localhost". If I uncheck it, connections to the loopback address from this app should be blocked. (It is ok to show this checkbox only if enabled from preferences -> rules/connectivity).
This must be on a per-app basis like all the others because globally blocking loopback connections is known to cause issues in Linux and most likely would also cause them on Android.
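As an added illustration (not AFWall+ code) of what the per-app "localhost" checkbox would have to produce underneath, and of how the nc/browser test above can be repeated after applying it: AFWall+ applies its per-app rules through the iptables owner match on the app's Linux UID, so a loopback block for one app is a REJECT on the `lo` interface restricted to that UID. The script assumes the app's UID is already known (e.g. from `pm list packages -U`), that `iptables`/`ip6tables` with the owner match are available as they are on devices where AFWall+ works, and that the UID 10123 and the ruleset excerpt are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of AFWall+: per-app loopback block rules.
# Assumption: the target app's UID is known; 10123 below is a constructed sample.

# Print the iptables commands that reject loopback traffic originated by UID $1.
# IPv4 and IPv6 are both covered because 127.0.0.1 and ::1 are both loopback.
loopback_block_rules() {
    uid="$1"
    printf '%s\n' \
        "iptables -A OUTPUT -o lo -m owner --uid-owner $uid -j REJECT" \
        "ip6tables -A OUTPUT -o lo -m owner --uid-owner $uid -j REJECT"
}

# Check a saved ruleset (the text of `iptables-save`) for an existing block on UID $1.
# Returns 0 when the rule is present, 1 otherwise, so it can drive a re-apply decision.
has_loopback_block() {
    uid="$1"
    ruleset="$2"
    printf '%s\n' "$ruleset" | grep -q -- "-o lo -m owner --uid-owner $uid -j REJECT"
}

# Constructed iptables-save excerpt (not real device output) used by the check above.
SAMPLE_RULESET='*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -m owner --uid-owner 10123 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Stand-alone run: show the rules for the sample UID and whether the sample ruleset has them.
loopback_block_rules 10123
if has_loopback_block 10123 "$SAMPLE_RULESET"; then
    echo "loopback block present for uid 10123"
fi
```

To verify on the device, run the generated commands as root, repeat the issue's own test (`nc -l -p 8080` in Termux, then open `http://127.0.0.1:8080` in the browser): with the browser's UID rejected on `lo`, nothing should arrive on the Termux side, while Termux itself, whose UID is not matched, still works normally. Keeping the match on a single UID is what avoids the global loopback breakage the paragraph above warns about.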
Describe alternatives you've considered
I could raise a feature request for the web browser to block ajax requests to localhost, but that would only work for a particular app. A solution at the AFWall+ level would work for any app that needs to be blocked this way.
Ad blockers are also an alternative, but ad suppliers always find a workaround, then ad blockers are updated... it's a cat-and-mouse problem. Blocking it in AFWall+ would be remarkably more effective.
Thanks in advance