Covert Web-to-App Tracking via Localhost on Android
a year ago
- #android
- #privacy
- #tracking
- Meta and Yandex use localhost sockets on Android to track users by linking web browsing data with app identifiers.
- This tracking method bypasses privacy protections like Incognito Mode, clearing cookies, and Android permission controls.
- Meta's Pixel script sends the _fbp cookie via WebRTC to native apps like Facebook and Instagram, linking web visits to user accounts.
- Yandex Metrica uses HTTP/HTTPS requests to localhost ports to share device identifiers like the Android Advertising ID (AAID).
- Both methods operate without user consent, and because any app listening on the same localhost ports can receive the data, they could expose browsing history to malicious apps.
- Meta Pixel is embedded on over 5.8 million websites, while Yandex Metrica is present on close to 3 million sites.
- Browser vendors like Chrome, Firefox, and Edge are implementing mitigations, but broader platform-level fixes are needed.
- No public documentation from Meta or Yandex explains this tracking method, raising transparency concerns.
- The tracking works even if users are not logged in, use Incognito Mode, or clear cookies.
- iOS users are not currently affected, but similar tracking could technically occur on other platforms.
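The precondition for this tracking is a native app that listens on a loopback port, so the first check a defender would run is an inventory of loopback-bound sockets on the device. The following script is an added example, not code from the original post or from either vendor: it parses `ss -lntup` output (as captured on a rooted Android device or in an emulator) and groups loopback TCP listeners and UDP sockets by owning process. The sample output, package names and port numbers are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of `ss -lntup` output as it would look on a rooted
# Android device. Package names and ports are placeholders, not real values.
SAMPLE_SS_OUTPUT = """\
Netid  State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
tcp    LISTEN  0       50      127.0.0.1:12345      0.0.0.0:*          users:(("com.example.social",pid=4321,fd=88))
tcp    LISTEN  0       128     0.0.0.0:5555         0.0.0.0:*          users:(("adbd",pid=230,fd=7))
tcp    LISTEN  0       50      [::1]:23456          [::]:*             users:(("com.example.analytics",pid=5566,fd=41))
udp    UNCONN  0       0       127.0.0.1:34567      0.0.0.0:*          users:(("com.example.social",pid=4321,fd=90))
"""

# Matches the process name and pid inside ss's users:(("name",pid=N,fd=M)) column.
PROCESS_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8 and ::1, the addresses a web page's script can reach."""
    return host == "::1" or host.startswith("127.")


def parse_loopback_listeners(ss_output: str) -> list[dict]:
    """Return every loopback-bound TCP listener or UDP socket from `ss -lntup` output."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Netid":
            continue  # header or malformed line
        proto, local = fields[0], fields[4]
        host, port = local.rsplit(":", 1)   # "[::1]:23456" -> "[::1]", "23456"
        host = host.strip("[]")
        if not is_loopback(host):
            continue  # bound to a real interface: a different exposure than this one
        m = PROCESS_RE.search(fields[6]) if len(fields) > 6 else None
        found.append({
            "proto": proto,
            "host": host,
            "port": int(port),
            "process": m.group(1) if m else "unknown",
            "pid": int(m.group(2)) if m else None,
        })
    return found


def listeners_by_app(ss_output: str) -> dict[str, list[str]]:
    """Group loopback sockets by owning process, e.g. {"com.example.social": ["tcp/12345"]}."""
    grouped = defaultdict(list)
    for entry in parse_loopback_listeners(ss_output):
        grouped[entry["process"]].append(f'{entry["proto"]}/{entry["port"]}')
    return dict(grouped)


if __name__ == "__main__":
    for app, sockets in listeners_by_app(SAMPLE_SS_OUTPUT).items():
        print(f"{app}: {', '.join(sockets)}")
```

Any app listed here is reachable from a page's JavaScript over HTTP or WebRTC unless the browser blocks the request, so each entry is worth checking against what the app's documentation says it needs.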