Monday, July 14, 2025

Covert Web-to-App Tracking via Localhost on Android

Local Mess (via Dan Goodin):

We disclose a novel tracking method by Meta and Yandex potentially affecting billions of Android users. We found that native Android apps—including Facebook, Instagram, and several Yandex apps including Maps and Browser—silently listen on fixed local ports for tracking purposes.

These native Android apps receive browsers’ metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users’ mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps access programmatically device identifiers like the Android Advertising ID (AAID) or handle user identities as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users’ visiting sites embedding their scripts.

This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android’s permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity.
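The quoted passage turns on one observable: a native app holding a fixed listening port on the loopback interface that any web page on the device can reach. The following is an added example for this post, not code from the Local Mess paper, from Meta or Yandex, or from any browser. It parses `ss -ltnp`-style output (the sample below is constructed; the process names and port numbers are placeholders, not the ports reported in the paper) and flags the listeners a local browser could connect to, treating wildcard binds (0.0.0.0, [::], *) the same as explicit loopback binds, since both accept connections from 127.0.0.1.

```python
"""Flag processes a local web page could reach over loopback, from `ss -ltnp`-style output.

Added illustration for this post; not the Local Mess paper's tooling. Assumes the
six-column `ss -ltnp` layout (State, Recv-Q, Send-Q, Local, Peer, Process). On a stock
Android shell the same facts live in /proc/net/tcp and need a different parser.
"""
import re
from dataclasses import dataclass

# Constructed sample output. Process names and ports are placeholders.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:12345     0.0.0.0:*         users:(("com.example.social",pid=4242,fd=77))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=811,fd=3))
LISTEN 0      4096   [::1]:29000         [::]:*            users:(("com.example.maps",pid=5151,fd=21))
LISTEN 0      511    *:8080              *:*               users:(("com.example.devserver",pid=999,fd=5))
"""

PROCESS_RE = re.compile(r'\("([^"]+)",pid=(\d+)')
LOOPBACK_HOSTS = {"127.0.0.1", "[::1]", "localhost"}
WILDCARD_HOSTS = {"0.0.0.0", "[::]", "*"}


@dataclass(frozen=True)
class Listener:
    process: str
    pid: int
    host: str
    port: int

    @property
    def scope(self) -> str:
        """Who can reach this socket: loopback only, every interface, or one external address."""
        if self.host in LOOPBACK_HOSTS or self.host.startswith("127."):
            return "loopback"
        if self.host in WILDCARD_HOSTS:
            return "all-interfaces"
        return "external"


def parse_ss_listen(output: str) -> list[Listener]:
    """Parse LISTEN rows of `ss -ltnp` output into Listener records (header rows skipped)."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        # rpartition keeps IPv6 brackets intact: "[::1]:29000" -> ("[::1]", "29000")
        host, _, port = fields[3].rpartition(":")
        m = PROCESS_RE.search(fields[5])
        process, pid = (m.group(1), int(m.group(2))) if m else ("?", -1)
        listeners.append(Listener(process, pid, host, int(port)))
    return listeners


def browser_reachable(listeners: list[Listener], allowlist: frozenset = frozenset()) -> list[Listener]:
    """Listeners a page running in a local browser could connect to, minus expected daemons.

    Loopback and wildcard binds are both reachable from 127.0.0.1; external-only binds are not.
    """
    return [
        lst for lst in listeners
        if lst.scope in ("loopback", "all-interfaces") and lst.process not in allowlist
    ]


if __name__ == "__main__":
    # Review the flagged processes against what you expect to be running; `sshd` is the
    # constructed allowlist entry here.
    for lst in browser_reachable(parse_ss_listen(SAMPLE_SS_OUTPUT), frozenset({"sshd"})):
        print(f"{lst.process} (pid {lst.pid}) listens on {lst.host}:{lst.port} [{lst.scope}]")
```

On a real device the allowlist is the interesting part: anything left after removing the daemons you expect is a candidate for the kind of web-to-app channel the paper describes, and the process name tells you which app to inspect.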

Jorge García Herrero (via Hacker News):

Meta faces simultaneous liability under the following regulations, listed from least to most severe: GDPR, DSA, and DMA (I’m not even including the ePrivacy Directive because it’s laughable).

[…]

The Pixel script in your browser tries to send information to the Facebook/Instagram app that’s “listening” in the background.

It uses a technique called WebRTC, normally used for voice or video calls (like Zoom or Google Meet), but here it’s being used to secretly transmit data between the browser and the app.

Additionally, a technical trick called “SDP Munging” allows the browser to insert data (like the _fbp cookie identifier) into the WebRTC “initial handshake” message.

John Gruber:

What they’ve done here may not have broken any laws, but there certainly should be laws against it. And in terms of simple common sense, the entire elaborate scheme only exists to circumvent features in Android meant to prevent native apps from tracking you while you use your web browser.

Nick Heer:

The difference between targeted advertising and spyware is there is no difference.

After Girish, et al., disclosed this behaviour, Meta’s apps ceased tracking users with this method, and Goodin said Yandex will also stop.

John Gruber:

I’ll note that among the so-called “interoperability” requirements the European Commission is demanding of iOS is for third-party apps to run, unfettered, in the background, because some of Apple’s own first-party software obviously runs in the background.

I think the problem is the IPC, not the running in the background. The user should have control over whether apps can open up ports for listening and whether Web sites can connect to 127.0.0.1.

Every one of the sites that includes these tracking scripts is complicit to some extent in the theft of hundreds of millions of Android users’ web browsing privacy.

Andrew Abernathy:

This sort of bullshit is why I use the web instead of native apps from Meta/Facebook/Instagram.
