This Android loophole could have let your apps spy on your web browsing

Recent research has unveiled a significant privacy concern regarding popular applications on Android devices. The findings indicate that both Meta and Yandex have exploited a loophole within the Android operating system, allowing them to associate web browsing data with app identities, effectively bypassing established privacy measures such as incognito mode and cookie clearing.

Tracking Techniques Revealed

The investigation, conducted by the researchers behind the Local Mess project and reported by Ars Technica, highlights how these companies have utilized tracking scripts—specifically Meta Pixel and Yandex Metrica—embedded in millions of websites. These tools, originally designed to assist site owners in measuring user engagement, have been repurposed to transmit hidden messages from web browsers to apps like Facebook, Instagram, and Yandex Maps through local network connections on users’ devices. This means that if a user is logged into any of these applications, they could unknowingly share a unique identifier linked to their browsing session, even while using incognito mode.

Meta reportedly adopted this technique in late 2024, while Yandex has been implementing it since 2017. This revelation raises serious concerns, as it circumvents many common privacy protections. Users may believe they are safeguarding their online activity by clearing cookies or browsing privately, but as long as the relevant apps remain installed and active in the background, companies can still track their web visits.

The loophole works by sending browser data to localhost, the device’s internal loopback interface, which installed apps can listen on without any notification to the user or any permission prompt. When a website carrying Meta Pixel or Yandex Metrica is loaded, the script can open a connection to the companion app over localhost and pass data to it covertly.

In response to the findings, Meta has paused the feature and is working with Google to resolve what it describes as a “potential miscommunication” about how Google’s policies apply. Google has acknowledged that this tracking behavior violates Play Store policies and users’ privacy expectations. Yandex has yet to comment on the situation.

Industry Responses and Future Implications

While some browsers, such as Brave and DuckDuckGo, have taken steps to block this tracking behavior, Google has begun rolling out updates to Chrome aimed at curtailing the specific methods employed. However, researchers caution that these solutions may be temporary, as minor adjustments to the code could easily circumvent them unless Android implements more stringent restrictions on app access to local ports.
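To make the browser-side mitigation described above concrete, here is an added example of a page-level guard in the style of the loopback blocking the article credits to Brave, DuckDuckGo and Chrome. It is not code from the article, from the Local Mess researchers, from Meta or Yandex, or from any of those browsers. It assumes that the page script reaches the app through ordinary web networking APIs (fetch, XMLHttpRequest, WebSocket) addressed to a loopback hostname; the hostname list, the fake window object and the sample URLs are constructed for the demonstration.

```javascript
// Added example (not from the article or the Local Mess project): a guard that
// refuses and logs page-script connections to the device's loopback interface.
// Hostnames below are the usual loopback spellings; the set is an assumption.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]', '0.0.0.0']);

// Classify a URL as targeting loopback. Relative URLs are resolved against the
// page's own origin so that "/api" stays allowed while "//localhost/x" is caught.
function isLoopbackTarget(rawUrl, base = 'https://example.test/') {
  let parsed;
  try {
    parsed = new URL(String(rawUrl), base);
  } catch (e) {
    return false; // unparsable input cannot open a connection anyway
  }
  const host = parsed.hostname.toLowerCase().replace(/\.$/, '');
  if (LOOPBACK_HOSTS.has(host)) return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true; // whole 127/8
  if (host.endsWith('.localhost')) return true; // RFC 6761 subdomains
  return false;
}

// Wrap the networking APIs on a window-like object. Returns the list of blocked
// attempts so a content script or test harness can report them.
function installLoopbackGuard(win) {
  const blocked = [];
  const base = win.location && win.location.href;
  const record = (api, target) => blocked.push({ api, target: String(target) });

  if (typeof win.fetch === 'function') {
    const origFetch = win.fetch;
    win.fetch = function guardedFetch(input, init) {
      const target = input && typeof input === 'object' && 'url' in input ? input.url : input;
      if (isLoopbackTarget(target, base)) {
        record('fetch', target);
        return Promise.reject(new TypeError('blocked loopback request'));
      }
      return origFetch.call(this, input, init);
    };
  }

  if (typeof win.XMLHttpRequest === 'function') {
    const origOpen = win.XMLHttpRequest.prototype.open;
    win.XMLHttpRequest.prototype.open = function guardedOpen(method, url, ...rest) {
      if (isLoopbackTarget(url, base)) {
        record('XMLHttpRequest', url);
        throw new Error('blocked loopback request');
      }
      return origOpen.call(this, method, url, ...rest);
    };
  }

  if (typeof win.WebSocket === 'function') {
    const OrigWS = win.WebSocket;
    win.WebSocket = function GuardedWebSocket(url, protocols) {
      if (isLoopbackTarget(url, base)) {
        record('WebSocket', url);
        throw new Error('blocked loopback WebSocket');
      }
      return new OrigWS(url, protocols);
    };
    win.WebSocket.prototype = OrigWS.prototype;
  }
  return blocked;
}

// Offline demonstration on a constructed stand-in for a browser window.
function demo() {
  const fakeWin = {
    location: { href: 'https://news.example/article' },
    fetch: (input) => Promise.resolve('ok:' + input),
    WebSocket: function FakeSocket(url) { this.url = url; },
  };
  const blocked = installLoopbackGuard(fakeWin);
  fakeWin.fetch('/analytics/collect');                            // same origin, allowed
  fakeWin.fetch('http://127.0.0.1:9999/beacon').catch(() => {});  // loopback, blocked
  try { new fakeWin.WebSocket('ws://localhost:4444/'); } catch (e) { /* blocked */ }
  new fakeWin.WebSocket('wss://news.example/live');              // allowed
  return blocked; // two entries: the fetch and the WebSocket attempts
}
```

The guard illustrates the limitation the researchers point out: it only covers the APIs it wraps, so any other route to a local port goes around it, which is why the article treats browser patches as temporary and the durable fix as restrictions at the Android layer.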

With Meta Pixel and Yandex Metrica being prevalent across nearly six million and three million websites respectively, the implications of this tracking are extensive. The study indicates that the majority of sites utilizing these trackers begin data collection as soon as a user visits the page, often before any consent pop-up is displayed.

For those concerned about privacy, the researchers suggest that the only definitive way to prevent this type of tracking on Android devices is to uninstall the affected applications entirely.

AppWizard