Disclosure: Covert Web-to-App Tracking via Localhost on Android
We disclose a novel tracking method by Meta and Yandex potentially affecting billions of Android users. We found that native Android apps—including Facebook, Instagram, and several Yandex apps including Maps and Browser—silently listen on fixed local ports for tracking purposes.These native Android apps receive browsers' metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users' mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps access programatically device identifiers like the Android Advertising ID (AAID) or handle user identities as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users' visiting sites embedding their scripts.This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android's permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity.
pull down to refresh
related posts
0 replies \ @0xbitcoiner OP 4 Jun
Meta Pixel halts Android localhost tracking after disclosure #996854
reply
0 sats \ 1 reply \ @lrm_btc 3 Jun
I have been wondering why I keep seeing targeted ads, despite having all those settings off on all apps I use...
reply
0 sats \ 0 replies \ @0xbitcoiner OP 3 Jun
Never, ever underestimate the power and smarts of these big tech companies! Their whole money machine runs on the info they have about internet users.
reply