Meta and Yandex Disclosure: Covert Web-to-App Tracking via Localhost on Android
11 days ago
- #Android
- #privacy
- #tracking
- Meta and Yandex use localhost sockets on Android to track users by linking web browsing data with native app identifiers.
- This tracking method bypasses privacy protections like Incognito Mode, cookie clearing, and Android permissions.
- Meta's Pixel script sends the _fbp cookie via WebRTC to Facebook and Instagram apps listening on specific UDP ports.
- Yandex Metrica script sends HTTP/HTTPS requests to localhost ports, collecting device IDs and linking them to web activity.
- Both methods operate without user consent, even on sites without explicit cookie consent forms.
- Malicious apps can eavesdrop on browsing history by listening to the same localhost ports used by Meta and Yandex.
- Meta Pixel is embedded on over 5.8 million websites, while Yandex Metrica is present on close to 3 million sites.
- Browser vendors like Chrome, Firefox, and Brave have implemented or are developing mitigations against this tracking method.
- No public documentation from Meta or Yandex explains this tracking technique, raising transparency concerns.
- The tracking affects Android users globally, with no evidence of similar abuse on iOS or other platforms yet.
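
For the HTTP/HTTPS variant described in the Yandex bullet above, a defender can audit a browser request log for page-initiated requests whose destination is the loopback interface. The following is an added example, not code from the disclosure or from either vendor; the sample entries, hostnames and ports are constructed, and the function names are hypothetical.

```javascript
// Constructed sample: page-initiated requests, e.g. extracted from a HAR export.
const sampleRequests = [
  { page: "https://shop.example/", url: "https://cdn.example/lib.js" },
  { page: "https://shop.example/", url: "http://127.0.0.1:5000/p?x=1" },
  { page: "https://news.example/", url: "https://localhost:5001/track" },
  { page: "https://news.example/", url: "http://2130706433:5002/" },   // decimal form of 127.0.0.1
  { page: "https://news.example/", url: "ws://[::1]:5003/" },
  { page: "https://blog.example/", url: "http://[::ffff:127.0.0.1]:5004/" },
  { page: "https://blog.example/", url: "https://localhost.example/ok" }, // not loopback
  { page: "http://localhost:8080/", url: "http://127.0.0.1:3000/api" },  // local development
  { page: "https://blog.example/", url: "not a url" },
];

// True when a hostname, as normalized by the WHATWG URL parser, is loopback.
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h.startsWith("[")) {
    const v6 = h.slice(1, -1);
    if (v6 === "::1") return true;
    // IPv4-mapped addresses are serialized as ::ffff:7fxx:xxxx for 127.0.0.0/8.
    const m = /^::ffff:([0-9a-f]{1,4}):[0-9a-f]{1,4}$/.exec(v6);
    return m !== null && (parseInt(m[1], 16) >> 8) === 0x7f;
  }
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h);
}

// Returns one finding per request from a non-local page to a loopback host.
function findLoopbackRequests(requests) {
  const hits = [];
  for (const { page, url } of requests) {
    let target, origin;
    try {
      target = new URL(url);
      origin = new URL(page);
    } catch {
      continue; // skip entries that are not valid absolute URLs
    }
    if (!/^(https?|wss?):$/.test(target.protocol)) continue;
    if (isLoopbackHost(origin.hostname)) continue; // page itself is served locally
    if (isLoopbackHost(target.hostname)) {
      hits.push({ page: origin.origin, host: target.hostname, port: target.port || "(default)" });
    }
  }
  return hits;
}

console.log(findLoopbackRequests(sampleRequests));
```

This check does not see the WebRTC path described in the Meta bullet, which does not appear as an HTTP request, and it cannot flag a public hostname that resolves to a loopback address through DNS.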