Meta halts phone and browser tracking tools after researchers expose user snooping
Researchers spotted covert data extraction and tracking, but the apps responsible quickly removed the script.
- Meta and Yandex were spotted using covert tracking techniques
- The techniques violated Google Play policies
- The code was mysteriously removed after being pointed out by researchers
Meta and Yandex have been accused of dodging privacy protection requirements by associating users with their web browsing activity and cookies through native Android applications using Meta Pixel and Yandex Metrica trackers.
The method involved gathering data through the localhost function built in to many native Android apps which is used for testing purposes.
Following the release of research by computer scientists at IMDEA Networks, Radboud University, and KU Leuven, the script associated with the data extraction and user tracking was removed.
Covert tracking in Android apps and browsers
Specifically, the tracking was spotted on Meta’s Facebook and Instagram apps, as well as Yandex's Maps and Browser.
The apps use localhost, which allows a device to send itself a network request, as part of their ability to associate browsing data with user identities.
In the researcher's words, “These native Android apps receive browsers' metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of websites. These JavaScripts load on users' mobile browsers and silently connect with native apps running on the same device through localhost sockets.”
What Meta and Yandex have essentially done is create a crack in the Android sandbox environments through which they can extract website data and cookies, bypassing inbuilt security and privacy protections, and then associating the data with the user’s device identifiers such as their identity within a Meta app, or the user’s Android Advertising ID.
When probed about the covert tracking method by The Register, a Meta spokesperson said, “We are in discussions with Google to address a potential miscommunication regarding the application of their policies. Upon becoming aware of the concerns, we decided to pause the feature while we work with Google to resolve the issue.”
According to the researchers, Yandex has been using this method of covert tracking since 2017, while Meta started in September 2024.
Firefox and Chromium-based web browsers were the primary target of the web data extraction, with Meta and Yandex able to extract cookies that should be otherwise inaccessible due to cookie clearing, Incognito browsing, and Android's app permission system.
A Google representative told Ars Technica, “The developers in this report are using capabilities present in many browsers across iOS and Android in unintended ways that blatantly violate our security and privacy principles,” the representative said, in reference to the developers who built the code behind Meta Pixel and Yandex Metrica. “We've already implemented changes to mitigate these invasive techniques and have opened our own investigation and are directly in touch with the parties.”
You might also like
- Encrypt your internet traffic with the best VPNs
- Secure your device against malware with the best antivirus software
- "Meta AI non-compliant with GDPR" – Digital rights group menaces Meta with injunction over EU AI training
