Episode Notes:
Dive deep into the shocking revelations about covert web-to-app tracking affecting billions of Android users! This episode uncovers a novel tracking method employed by tech giants Meta (Facebook Pixel) and Yandex (Yandex Metrica), which silently links your mobile browsing sessions to your long-lived native app identities.

Key Discoveries:
• The Localhost Loophole: Learn how Meta and Yandex exploit unrestricted access to localhost sockets on the Android platform. Native apps like Facebook, Instagram, Yandex Maps, Navigator, Browser, and Search listen on fixed local ports (e.g., Meta uses UDP ports 12580-12585; Yandex uses TCP ports 29009, 29010, 30102, 30103) to receive browser metadata, cookies, and commands from scripts embedded on thousands of websites1....
• Bypassing Privacy Protections: This method bypasses typical privacy controls such as clearing cookies, using Incognito Mode, and Android's permission controls4.... It effectively de-anonymises users by linking ephemeral web identifiers (like the _fbp cookie or Android Advertising ID (AAID)) to persistent mobile app IDs, even when users are not logged into the browsers2....
• Meta's Evolution: Discover how Meta Pixel has evolved its techniques, initially using HTTP, then WebSocket, and more recently, WebRTC STUN with SDP Munging to transmit the _fbp cookie. Following disclosure, Meta shifted to WebRTC TURN, and as of early June 2025, the script was no longer sending packets to localhost, with the code responsible for the _fbp cookie almost completely removed.
• Yandex's Persistent Method: Yandex Metrica has been using localhost communications since February 2017 via HTTP and HTTPS requests, where their native apps act as a proxy to collect Android-specific identifiers like the AAID and Google's advertising ID, transferring them to the browser context.
• Scale of Impact: These trackers are embedded on millions of websites globally. Meta Pixel is present on over 5.8 million websites (2.4 million according to HTTP Archive) and Yandex Metrica on close to 3 million sites (575,448 according to HTTP Archive)2122. Our research found that in a crawl of the top 100k sites, a significant number of sites (over 75% for Meta Pixel, 83-84% for Yandex Metrica) were attempting localhost communications potentially without user consent.
• Browsing History Leakage: Yandex's use of HTTP requests for web-to-native ID sharing can expose users' browsing history to malicious third-party apps also listening on the same ports. Browsers like Chrome, Firefox, and Edge were found to be susceptible to this leakage, even in private browsing modes.
• Industry Response: While some browsers like Brave and DuckDuckGo were already blocking these practices due to blocklists and existing consent requirements, others like Chrome and Firefox have implemented countermeasures or are actively investigating. Google has stated this behaviour violates Play marketplace terms of service and user privacy expectations, and Meta has paused the feature while discussing with Google.
• Lack of Awareness: Neither Meta nor Yandex publicly documented this specific localhost-based communication technique, and website owners and end-users were largely unaware of this covert tracking.

Why This Matters: This research highlights a critical vulnerability in Android's design, where unvetted access to localhost sockets breaks the fundamental sandboxing principle between mobile and web contexts10.... Current "fixes" are often specific blocklists, which are temporary solutions in an ongoing "arms race" with trackers. A more comprehensive, long-term solution requires stricter platform policies and user-facing controls on Android to limit this type of access at a fundamental level40....
--------------------------------------------------------------------------------
Special Thanks to our Sponsor: This episode is brought to you by Approov. Approov helps protect your mobile apps and APIs by enforcing trust boundaries between mobile clients and backend services. While it cannot control intentionally collected data, Approov significantly raises the bar for malicious or unauthorized data harvesting by others, mitigating ecosystem-level risks associated with identifier misuse44. Learn more about securing your mobile ecosystem at approov.io.
--------------------------------------------------------------------------------
Relevant Links:
• Read the full research paper: Link to the research paper "Covert Web-to-App Tracking via Localhost on Android"
• Explore the Ars Technica article: Link to the Ars Technica article "Meta and Yandex are de-anonymizing Android users’ web browsing identifiers"
• Learn more about mobile security: Link to the "Approov: Mobile Security and Data Protection" source.
--------------------------------------------------------------------------------
Keyword