Meta and Yandex De-Anonymizing Android Web Users: A Revealing Situation

Tracking code embedded by Meta and Russia-based Yandex into millions of websites is de-anonymizing visitors by exploiting legitimate Internet protocols, researchers have discovered. The activity results in Chrome and other browsers quietly sending unique identifiers to native applications installed on the same device. Google is currently investigating this abuse, which allows Meta and Yandex to turn transient web identifiers into persistent mobile app user identities.
The clandestine tracking, carried out by the Meta Pixel and Yandex Metrica trackers, enables these companies to bypass crucial security and privacy protections offered by both Android and the browsers that run on it. For example, Android sandboxing prevents a process from interacting with the OS and with other apps installed on the device, thereby protecting sensitive data. Similarly, state partitioning and storage partitioning mechanisms in browsers such as Chrome or Firefox store cookies and related data separately for each top-level website, preventing cross-site data access.
A Blatant Violation
In an interview, researcher Narseo Vallina-Rodriguez noted the fundamental challenge to security principles, saying, "What this attack vector allows is to break the sandbox...and communicate what happens in the browser with the identity running in the mobile app." This breach allows Meta and Yandex to transfer cookies or other identifiers from browsers to Android apps for Facebook, Instagram, and various Yandex services, thereby tying comprehensive browsing histories to app users.
Only Android users have experienced this abuse so far, though researchers believe the technique is technically feasible on iOS as well. Android places fewer restrictions on localhost communication and on what apps may run in the background than iOS does, where app store vetting applies stricter controls.
The extensive use of Meta Pixel and Yandex Metrica implicates millions of sites. Meta Pixel is estimated to be on 5.8 million websites, while Yandex Metrica is on 3 million. The broader problem arises from basic browser-to-app communication functionality available in mobile browsers, which lets browsers make web requests to Android's local ports to enable services like media connections, file sharing, and debugging.
The misuse by Meta and Yandex works through the localhost ports at the 127.0.0.1 IP address: the tracker script in the browser sends requests to those ports, while apps such as Facebook and Yandex listen on them and quietly copy the identifiers in real time.
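As an added example, not from the article or from the researchers' work, the following Python detector flags the pattern just described: a web page from a remote origin contacting a loopback port. It runs over a constructed request log; the log format, site names, and port numbers are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of a proxy/DevTools-style request log (not real traffic).
# Each line is "page=<top-level page URL> dest=<URL the page requested>".
# Host names and port numbers are made up for the example.
SAMPLE_LOG = """\
page=https://shop.example/checkout dest=https://cdn.tracker.example/pixel.js
page=https://shop.example/checkout dest=http://127.0.0.1:41001/?id=CONSTRUCTED_ID
page=https://news.example/article dest=ws://localhost:41002/
page=https://news.example/article dest=https://cdn.tracker.example/metrica.js
page=http://127.0.0.1:8080/dev dest=http://127.0.0.1:8080/api
page=https://shop.example/checkout dest=http://[::1]:41003/
"""

LOOPBACK_NAMES = {"localhost", "localhost."}

def is_loopback_host(host):
    """True for 127.0.0.0/8, ::1 and the literal name localhost."""
    if host is None:
        return False
    host = host.lower()
    if host in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # ordinary DNS name, not an IP literal

def parse_line(line):
    fields = dict(part.split("=", 1) for part in line.split())
    return fields["page"], fields["dest"]

def find_loopback_requests(log_text):
    """Return (page, dest, port) for every non-loopback page that hits a loopback port.

    Covers the HTTP and WebSocket variants of the channel. The WebRTC
    SDP-munging variant never shows up in an HTTP request log, so it needs
    a separate check on RTCPeerConnection candidates.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        page, dest = parse_line(line)
        if is_loopback_host(urlsplit(page).hostname):
            continue  # a local dev server talking to itself is expected
        d = urlsplit(dest)
        if d.scheme in ("http", "https", "ws", "wss") and is_loopback_host(d.hostname):
            hits.append((page, dest, d.port))
    return hits
```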
Google's representative stated, "The developers in this report are using capabilities...in unintended ways that blatantly violate our security and privacy principles." In response, Meta paused the feature and Yandex has discontinued the practice, as both companies coordinate with Google to address these issues.
How They De-Anonymize Users
Starting in September, the Meta Pixel script began its covert activity by sending HTTP requests from the browser to a specific localhost port. Despite subsequent changes to the technique, the Facebook and Instagram apps continued monitoring the designated port. Researchers also observed other transport methods, including WebRTC with SDP munging, used to send cookies discreetly. Chrome's recent mitigations aim to block these practices.
While some browsers like DuckDuckGo, Brave, and Vivaldi implemented blocklists that thwart tracking, researchers warn of the ongoing arms race required to keep such approaches effective. Ultimately, they suggest that a more robust solution would involve redesigning privacy controls for localhost channels on both mobile platforms and browsers.
Got Consent?
As the researchers Aniketh Girish, Gunes Acar, Narseo Vallina-Rodriguez, Nipuna Weerasekara, and Tim Vlummens noted, browser-to-native-app tracking is typically not disclosed to website hosts or end users. Posts on developer forums showed that site developers were bewildered by the unexpected script behavior. A broader legal analysis might be needed to determine compliance with global privacy statutes.
To safeguard against tracking by Meta Pixel and Yandex Metrica, users are advised to refrain from installing related apps on their Android devices. Both Meta and various hosts of Meta Pixel have faced numerous lawsuits related to privacy violations in recent years. Until major changes occur, staying informed and adjusting app usage might be crucial steps for concerned users.