Legit question. ChatGPT isn't super helpful here since it agrees with everything when I'm really looking for someone to say why this isn't really feasible in the real world.
This is at least true for Windows and most traditional (X11 at least) *nix systems.
That is one thing I think Android got right... by default it runs every application as a different user. That means different home folders and no visibility into other apps.
Permissions are difficult to get right, and Android is unfortunately pretty slow to react.
Can’t tell if serious or not [1]. Also any program can read any saved password out of Windows Credential Manager.
I'm not sure if we'll get away from these anytime soon, as any out-of-the-box solution will inherently limit the user's freedom that has persistently been there for decades on PCs.
The way privilege escalation works on Windows is that pretty much everything gets launched with a standard user access token by default, and processes can request an admin access token in a few ways, UAC being the main one. When a process is supplied that token, that process is elevated.
It is more akin to 'sudo' than to 'su', which makes sense because its progenitor is 'runas' from Windows 2000.
From an API point of view, only one process is elevated. From a security point of view, if one process is elevated they all are, due to a lack of any effective mechanism that actually stops them.
I do fully agree that desktop OSes are a legacy security model and they can't hold a candle to that of iOS. Android is getting there, but because it also started from mostly an open all-access model it's been having the same warts.
Not that Windows is keeping passwords in plaintext, but that it's not immediately obvious that un-sandboxed apps that run on your Windows/Linux/Mac desktop have virtually unlimited other avenues to capture passwords, given they can read the entire state of other windows at the very least.
I dunno, maybe macOS is slightly better, and Wayland definitely has some things which are better about this, but desktop OS and $locally_installed_app means $locally_installed_app basically has root; there is just an exploding amount of vectors.
I'd like to see a Linux-based distribution use some of the sandboxing in Android; it would be an order of magnitude improvement over what is going on now.
There are functions EnumWindows() and EnumChildWindows() specifically for this purpose.
See utilities "Windows Modifier v2.00" (when I first downloaded it there were many pages about it, but it's a sign of how forgetful the Internet has become that I barely get any results about it now even searching for that exact name) and Microsoft's own Spy++ (SPYXX.EXE) for an example of this functionality.
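The enumeration described above, as an added example that is not part of the thread or of Spy++: from an ordinary, unelevated PowerShell session, P/Invoke EnumWindows and GetWindowTextW to list the title and owning PID of every visible top-level window on the desktop. The C# wrapper class name (WinEnum) and its helper VisibleTitles are my own; the user32 functions and signatures are the documented Win32 ones. Because browsers put the current page title into their window title, this is also the data source the ManicTime/ActivityWatch-style trackers mentioned further down fall back on.

```powershell
# Added example (not from the thread): list every visible top-level window's
# title and owning PID using EnumWindows/GetWindowTextW, the same calls
# Spy++ uses. No UAC prompt, no special privilege: a standard user token
# and a user32.dll import are all that is needed.
$source = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;

public static class WinEnum {                       // wrapper name is mine
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);

    [DllImport("user32.dll")]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool EnumWindows(EnumWindowsProc lpEnumFunc, IntPtr lParam);

    [DllImport("user32.dll")]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool IsWindowVisible(IntPtr hWnd);

    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetWindowTextLengthW(IntPtr hWnd);

    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetWindowTextW(IntPtr hWnd, StringBuilder lpString, int nMaxCount);

    [DllImport("user32.dll")]
    public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);

    // Returns "pid<TAB>title" for each visible top-level window with a title.
    // Untitled and hidden windows are skipped; returning true keeps enumerating.
    public static List<string> VisibleTitles() {
        var result = new List<string>();
        EnumWindows((hWnd, lParam) => {
            if (!IsWindowVisible(hWnd)) return true;
            int len = GetWindowTextLengthW(hWnd);
            if (len == 0) return true;
            var sb = new StringBuilder(len + 1);
            GetWindowTextW(hWnd, sb, sb.Capacity);
            uint pid;
            GetWindowThreadProcessId(hWnd, out pid);
            result.Add(pid + "\t" + sb.ToString());
            return true;
        }, IntPtr.Zero);
        return result;
    }
}
'@
Add-Type -TypeDefinition $source

# Join each window to its process name and print a table. $pid is a reserved
# automatic variable in PowerShell, hence $procId.
[WinEnum]::VisibleTitles() | ForEach-Object {
    $procId, $title = $_ -split "`t", 2
    $proc = Get-Process -Id ([int]$procId) -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PID     = [int]$procId
        Process = if ($proc) { $proc.ProcessName } else { '?' }
        Title   = $title
    }
} | Sort-Object Process, PID | Format-Table -AutoSize
```

Run it in a plain (non-administrator) PowerShell with a browser, a mail client and a password manager open and the titles of all of them come back, including document names and page titles. Two caveats a practitioner would want: for windows owned by other processes, GetWindowText returns the cached title rather than sending WM_GETTEXT, so this reads titles, not the text inside controls; and EnumChildWindows (not used here) walks a window's child controls the same way, which is how Spy++ shows the full tree.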
The solution to an app you don't trust is to not use it at all, or use it in a VM.
Although not terribly accurate (because of the high variability of page titles), tools like ManicTime and ActivityWatch use window titles to track your browser history if you don't install the browser plugin.
A solution is to not use third party apps but most people aren't going to go that route. The VM idea is a good option though.
Because this architecture predates the existence of the current privacy nightmare.
In fact it predates the general availability of the internet. How could a program you would install from a floppy/compact disk bought in a store behave maliciously if you didn't, or barely, had access to the internet?
And then it stayed like this because Windows is heavily marketed as being backward compatible.
Oh, and the UAC confirmations to elevate your apps permissions to root? People will gleefully confirm them without reading what needs access anyway, so you’re golden to do whatever you want.
The security model of Windows doesn’t exist.