Meta caught breaking Android's sandbox by monitoring web browsing through its apps

Tracking is one of the most lucrative parts of the advertising business. The idea is that the more you know about a particular individual's interests and habits, the better their reaction to ads is.

Researchers have discovered a new tracking scheme that Meta, owner of Facebook, Instagram, and WhatsApp, an Russia-based Yandex have used to track users on the Internet.

The tracking was specifically designed to break the barrier between a user's web browsing on Android, using any of the installed mobile browsers, and the use of apps, like Facebook or Instagram.

A sandbox on Android protects data from being exchanged with applications or services that are outside of that sandbox. This allowed Meta and Yandex to bypass security and privacy protections on the devices.

Android, and iOS as well, implement various security and privacy features in this regard. Next to sandboxing, partitioning is used to separate data and make it inaccessible to unrelated resources.

How did Meta and Yandex track users?

The method has two requirements. First, that the user has installed at least one of the Meta or Yandex applications on the device.

Second, that sites are visited that implement the tracking pixels that Meta or Yandex use. Millions of sites do.

Both companies send web requests to local Android ports when users visited sites with their tracking code. The native apps listened on the same ports, effectively breaking the barriers that are in place to prevent this type of tracking and abuse.

Here is how the researchers describe the tracking: "The Android OS allows any installed app with the INTERNET permission to open a listening socket on the loopback interface (127.0.0.1). Browsers running on the same device also access this interface without user consent or platform mediation. This allows JavaScript embedded on web pages to communicate with native Android apps and share identifiers and browsing habits, bridging ephemeral web identifiers to long-lived mobile app IDs using standard Web APIs."

The researchers note that the tracking method bypassed typical privacy protections, including clearing cookies or using private browsing mode. Why? Because the installed applications still knew the user, even if all browsing data was deleted in the mobile browser.

With that in place, tracking would commence unhindered once the user started to browse again on the device.

Some browsers included protections against this kind of misuse. Brave, DuckDuckGo or Vivaldi block the behavior by default or when the blocking is enabled during browser configuration.

The researchers at Local Mess note that Meta has been using the method since September 2024. Yandex on the other hand seems to have implemented it since 2017.

A Google representative told Ars Technica that "the behavior violates the terms of service" for the Google Play marketplace and also the "privacy expectations of Android users".

Meta and Yandex have stopped the tracking at the time of writing.

Thank you for being a Ghacks reader. The post Meta caught breaking Android's sandbox by monitoring web browsing through its apps appeared first on gHacks Technology News.