Everyone wants to be anonymous online, but not everyone is safe, especially Android users, according to the latest research. Maybe Meta is secretly spying on you.
Researchers have found that big tech companies such as Meta (Facebook) and Yandex have secretly been taking advantage of an Android loophole to monitor users’ web behavior, even during private browsing or Incognito Mode.
Android’s Sandbox Isn’t as Secure as It Seems
Android’s “sandboxing” feature is intended to keep apps separate and to prevent them from communicating with each other without the approval of the user. Yet Meta and Yandex apparently circumvented these safeguards through a rare loophole: localhost connections.
According to Local Mess via Ars Technica, localhost connections control internal app-to-OS interactions and, in contrast to regular web cookies or app permissions, Android does not limit them. This vulnerability enabled apps to identify and trace which websites users are visiting, in particular those with Meta Pixel tracking scripts installed, without warning the user or asking for permissions.
Localhost Exploit
This is not a simple cookie trick, according to Android Police. Rather, it reflects sophisticated tracking methods employed in email marketing. Similar to tracking pixels in emails, the exploit employs internal data pings to determine a user’s activity. When a site loads Meta Pixel, the script can send a unique identifier via localhost, connecting ostensibly private activity to associated user profiles.
Worse, the workaround works whether or not private browsing is enabled, or VPN protections are in place, making it extremely hard to block and detect.
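As an added illustration (not code from the researchers or from the reports cited here), the sketch below audits a captured list of page requests for the pattern described above: a page on a public origin contacting the device's own loopback address, and whether a first-party cookie value such as _fbp travels with the request. The record shape, hosts, ports and cookie value are constructed for the example, and the idea that the identifier appears in the query string or body is an assumption.

```javascript
// Loopback hosts that a page served from the public web has no ordinary reason to contact.
const LOOPBACK = /^((.+\.)?localhost|127(\.\d{1,3}){3}|\[::1\])$/i;

function isLoopback(urlString) {
  try {
    return LOOPBACK.test(new URL(urlString).hostname);
  } catch {
    return false; // unparseable URL: treat as not loopback
  }
}

// Each entry: { page, url, body?, cookies? } (hypothetical, simplified capture record).
// Assumption: a leaked identifier shows up verbatim in a query parameter or the body.
function findLoopbackBeacons(entries) {
  const findings = [];
  for (const e of entries) {
    // Skip normal traffic, and skip pages that are themselves local (developer setups).
    if (!isLoopback(e.url) || isLoopback(e.page)) continue;
    const target = new URL(e.url);
    const carried = [...target.searchParams.values(), e.body || ''].join('\n');
    const leakedCookies = Object.entries(e.cookies || {})
      .filter(([, value]) => value.length >= 8 && carried.includes(value))
      .map(([name]) => name);
    findings.push({ page: e.page, scheme: target.protocol, target: target.host, leakedCookies });
  }
  return findings;
}

// Constructed sample capture; the ports and the cookie value are made up.
const FBP = 'fb.1.1700000000000.1234567890';
const SAMPLE = [
  { page: 'https://news.example/article', url: 'https://cdn.example/app.js', cookies: { _fbp: FBP } },
  { page: 'https://news.example/article', url: `http://127.0.0.1:9999/ping?id=${FBP}`, cookies: { _fbp: FBP } },
  { page: 'https://shop.example/', url: 'ws://localhost:9998/', cookies: {} },
  { page: 'http://localhost:3000/', url: 'http://localhost:3000/api', cookies: {} },
];

console.log(findLoopbackBeacons(SAMPLE));
```

A check like this only audits traffic that has already been captured; it does not block anything on the device.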
Firefox and Google Now Have a Look
The news has drawn quick responses from privacy-conscious bodies. Mozilla (Firefox) and Google have both confirmed they are looking into whether Meta and Yandex breached their respective platforms’ terms of service. The two companies stressed that such an act is completely off-limits.
Researchers indicate that blocking this type of tracking cannot be done at the user level because of the dynamic nature of JavaScript code and the inefficacy of existing blocklists. It requires platform-level change instead.
“The correct way of blocking this persistently is by constraining this kind of access at the mobile platform and browser level,” said researcher Narseo Vallina-Rodriguez.
Meta and Yandex Go Silent as Code Vanishes
Surreally, soon after the report emerged on Ars Technica, researchers observed that the evasive localhost behavior had ceased altogether. More suspiciously, almost all mentions of the _fbp cookie, an integral part of the tracking mechanism, disappeared from the affected code.
Meta and Yandex were not immediately available to answer questions from the media, but the sudden silence and code deletion imply in-house attempts to conceal tracks instead of confronting the privacy issues head-on.
Wake-Up Call for Android and Incognito Users
If you’re using Android and trust Incognito Mode to keep your browsing private, this discovery should serve as a wake-up call. Despite sandboxing and privacy settings, sophisticated tracking exploits like this can still expose your habits to big tech firms.
While Google and Mozilla work on tightening up platform security, users should remain cautious and consider additional privacy tools, though even those may not be enough in cases like this.