Meta and Yandex Exploit Android Browsers to De-Anonymize User Data
Meta and Russia-based Yandex have been found to use tracking codes embedded in millions of websites to link detailed browsing histories with persistent identifiers. This practice abuses legitimate internet protocols, causing browsers like Chrome to send unique identifiers to native Android apps such as Facebook, Instagram, and Yandex apps without user knowledge. This allows these companies to bypass Android’s security features and browser protections designed to isolate user data, effectively de-anonymizing users’ browsing activity.
The tracking method exploits Android’s localhost communication channels, which are less restricted than on iOS. Meta Pixel and Yandex Metrica trackers send cookies and other identifiers from browsers to apps via local ports, which the apps monitor silently. This exchange links ephemeral web identifiers to actual user accounts, even in private browsing modes. Meta Pixel has evolved its techniques over time, using protocols like WebRTC and WebSocket to transmit data, while Yandex has been using similar methods since 2017.
Although some browsers, such as DuckDuckGo and Brave, have implemented blocking measures to prevent these trackers from sending data to local ports, these solutions are partial and reactive. Researchers warn that simple changes in port numbers or methods could bypass current protections. The root issue is that Android leaves access to localhost sockets unrestricted, with no user control or notification mechanisms. Experts suggest that a more effective solution would involve stricter platform-level policies and user permissions to limit such cross-context communication.
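Site operators and auditors can check a captured page load for this behaviour by flagging every request addressed to the loopback interface regardless of port, since port-specific blocking is what the researchers describe as easy to bypass. The following is an added example, not code from the researchers or from either vendor; it assumes a HAR-style capture, and the function names, sample URLs and ports are constructed for illustration.

```javascript
// Added example: flag requests in a captured page load that target the
// loopback interface, on any port. All sample URLs and ports are constructed.
const DEFAULT_PORTS = { "http:": 80, "ws:": 80, "https:": 443, "wss:": 443 };

function isLoopbackHost(hostname) {
  // WHATWG URL keeps the brackets around IPv6 literals; strip them first.
  const host = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "::1") return true;
  // The whole 127.0.0.0/8 block is loopback, not only 127.0.0.1.
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

function findLoopbackRequests(har) {
  const hits = [];
  for (const entry of har.log.entries) {
    let url;
    try {
      url = new URL(entry.request.url);
    } catch {
      continue; // skip entries whose URL does not parse
    }
    if (!isLoopbackHost(url.hostname)) continue;
    hits.push({
      url: url.href,
      scheme: url.protocol.replace(":", ""),
      port: url.port ? Number(url.port) : (DEFAULT_PORTS[url.protocol] ?? null),
    });
  }
  return hits;
}

// Constructed HAR-style capture (only the field the check reads).
const sampleHar = { log: { entries: [
  { request: { url: "https://shop.example/index.html" } },
  { request: { url: "https://tracker.example/collect?id=abc" } },
  { request: { url: "ws://127.0.0.1:12345/" } },
  { request: { url: "http://localhost:23456/ping?c=abc" } },
  { request: { url: "https://[::1]:34567/x" } },
  // Lookalike hostname that resolves remotely; must not be flagged.
  { request: { url: "https://127.0.0.1.cdn.example/px.gif" } },
  { request: { url: "not a url" } },
] } };

console.log(findLoopbackRequests(sampleHar));
```

A HAR capture records HTTP requests; WebRTC traffic is not included in it, so that channel needs a separate check.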
Neither Meta nor Yandex has disclosed this tracking to website operators or users, raising concerns about compliance with privacy laws such as the EU’s GDPR. While Google is investigating and has taken some mitigation steps, the problem persists. For now, the most reliable way to avoid this tracking is to avoid installing the related native apps on Android devices. The situation highlights the need for stronger privacy controls and transparency in how user data is shared between browsers and apps.