Researchers have uncovered a method used by Meta and Yandex to bypass Android’s privacy protections, enabling the de-anonymization of users’ web browsing activity. The technique abuses the fact that apps inside the Android sandbox can open local sockets, and uses that channel to link web browsing data with mobile app identifiers. Meta and Yandex were found to ship native apps that silently listen on fixed localhost ports, receiving metadata, cookies, and commands from websites through JavaScript trackers such as Meta Pixel and Yandex Metrica. These scripts communicate with the native mobile apps via localhost sockets, allowing the companies to obtain user identifiers such as the Android Advertising ID (AAID) and tie web sessions to mobile app data, thereby bypassing standard privacy features like Incognito Mode and cookie deletion.
Following the public disclosure, Meta has ceased using this method as of June 3, 2025. Browser vendors including Chrome, Brave, Firefox, and DuckDuckGo are working on or have already implemented mitigations. Even so, the issue highlights a broader weakness in Android’s security model: any app holding the INTERNET permission can bind to and accept connections on the loopback interface (127.0.0.1), and a web page can send traffic to that interface without the user’s knowledge or consent. This raises concerns about privacy infringement and the need for stricter enforcement of platform policies. Because the Android OS’s current design permits this interaction, there is concern that the same channel could be exploited not just for tracking but for more nefarious purposes, such as eavesdropping on a user’s web activity.
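The loopback exposure described above can be audited from the device side: Linux and Android expose open TCP sockets in /proc/net/tcp, and any app-owned socket in LISTEN state on 127.0.0.1 (or the 0.0.0.0 wildcard, which also accepts loopback connections) is a candidate for this kind of web-to-app channel. The following Python script is an added example, not code from the article or from any of the vendors it names; it parses a constructed /proc/net/tcp snapshot and reports listeners whose owning UID falls in the Android app range (the 10000 threshold and the sample lines are assumptions for illustration). Real ports and UIDs on a device will differ, and /proc/net/tcp6 should be checked the same way for ::1.

```python
"""Audit a /proc/net/tcp snapshot for app-owned sockets listening on loopback.

Added example (not from the article). Assumes the Linux/Android /proc/net/tcp
layout; the sample below is constructed, not captured from any real device.
"""
import os
import socket
import struct

TCP_LISTEN = "0A"               # kernel TCP state code for LISTEN
ANDROID_FIRST_APP_UID = 10000   # assumption: UIDs >= 10000 are app UIDs on Android
LOOPBACK_REACHABLE = ("127.0.0.1", "0.0.0.0")  # 0.0.0.0 also accepts loopback clients

# Constructed sample: a header line followed by four socket rows.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:3039 0100007F:C3A2 01 00000000:00000000 00:00000000 00000000 10123        0 12347 1 0000000000000000 20 4 30 10 -1
   3: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10200        0 12348 1 0000000000000000 100 0 0 10 0
"""


def decode_addr(hex_addr):
    """Turn the kernel's 'AABBCCDD:PPPP' (little-endian IPv4, hex port) into (ip, port)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into dicts with ip, port, state and owning uid."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 8:
            continue
        ip, port = decode_addr(fields[1])       # local_address column
        rows.append({"ip": ip, "port": port, "state": fields[3], "uid": int(fields[7])})
    return rows


def loopback_listeners(rows, min_app_uid=ANDROID_FIRST_APP_UID):
    """Return sorted (port, uid) pairs for app-owned sockets a web page could reach via localhost."""
    return sorted(
        (r["port"], r["uid"])
        for r in rows
        if r["state"] == TCP_LISTEN
        and r["ip"] in LOOPBACK_REACHABLE
        and r["uid"] >= min_app_uid
    )


def audit(text=None):
    """Audit the given snapshot, or the live /proc/net/tcp if available, else the sample."""
    if text is None:
        if os.path.exists("/proc/net/tcp"):
            with open("/proc/net/tcp") as fh:
                text = fh.read()
        else:
            text = SAMPLE_PROC_NET_TCP
    return loopback_listeners(parse_proc_net_tcp(text))


if __name__ == "__main__":
    for port, uid in audit(SAMPLE_PROC_NET_TCP):
        print(f"app uid {uid} is listening on localhost port {port}")
```

Each reported (port, uid) pair can be mapped back to a package with `pm list packages --uid <uid>` (or by reading /data/system/packages.list) on a device where you have shell access; the established-state row in the sample is deliberately ignored, since only listening sockets create the exposure the article describes.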
Experts suggest that a comprehensive solution may require changes at the operating system level or stricter enforcement of platform policies. This includes preventing unauthorized apps from accessing localhost sockets and ensuring that web and app communication is mediated by the platform. While Meta has taken steps to address the issue, the continued use of such techniques by other companies raises broader questions about how much control users have over their data in a mobile ecosystem that increasingly prioritizes cross-platform tracking over user privacy. As the tech industry moves toward more integrated user experiences, the balance between functionality and privacy has never been more critical, with users demanding greater transparency and control over their data.