Meta is once again in the news for all the wrong reasons, violating user privacy and security on Android—yet again.
Researchers at IMDEA Networks, Radboud University, and COSIC discovered that Meta (and Yandex) were actively de-anonymizing users through a combination of native Android apps, such as Facebook, Instagram, and various Yandex apps, that listen on fixed local ports on the device, and tracking scripts on web sites that talk to those ports.
These native Android apps receive browsers’ metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users’ mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps programmatically access device identifiers like the Android Advertising ID (AAID) or handle user identities, as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users visiting sites that embed their scripts.
This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android’s permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity.
The researchers go on to say that Meta and Yandex use slightly different methodologies, but the end result is the same.
While there are subtle differences in the way Meta and Yandex bridge web and mobile contexts and identifiers, both of them essentially misuse the unvetted access to localhost sockets. The Android OS allows any installed app with the INTERNET permission to open a listening socket on the loopback interface (127.0.0.1). Browsers running on the same device also access this interface without user consent or platform mediation. This allows JavaScript embedded on web pages to communicate with native Android apps and share identifiers and browsing habits, bridging ephemeral web identifiers to long-lived mobile app IDs using standard Web APIs.
The methods continued to work even if users’ browsers were in incognito mode.
Industry Response
The researchers followed responsible disclosure, giving software vendors the opportunity to address the issue before it was publicly disclosed. Nonetheless, they warn that a complete mitigation will require far more work.
Our responsible disclosure to major Android browser vendors led to several patches attempting to mitigate this issue; some already deployed, others currently in development. We thank all participating vendors (Chrome, Mozilla, DuckDuckGo, and Brave) for their active collaboration and constructive engagement throughout the process. Other Chromium-based browsers should follow upstream code changes to patch their own products.
However, beyond these short-term fixes, fully addressing the issue will require a broader set of measures as they are not covering the fundamental limitations of platforms’ sandboxing methods and policies. These include user-facing controls to alert users about localhost access, stronger platform policies accompanied by consistent and strict enforcement actions to proactively prevent misuse, and enhanced security around Android’s interprocess communication (IPC) mechanisms, particularly those relying on localhost connections.
Meta and Google’s Response
Interestingly, the day the researchers’ results became public, Meta discontinued the tracking technique. Meta claimed it was working to address the issue.
“We are in discussions with Google to address a potential miscommunication regarding the application of their policies,” a Meta spokesperson told Sky News.
“Upon becoming aware of the concerns, we decided to pause the feature while we work with Google to resolve the issue.”
Despite that assurance, there is simply no conceivable way Meta thought it was OK or ethical to engage in this kind of tracking, especially given the far-reaching consequences.
“It’s really concerning because it negates every privacy control that you have in modern browsers and also in modern mobile platforms like Android,” Narseo Vallina-Rodriguez, associate professor at IMDEA Networks, told Sky News.
For its part, Google told the outlet it already “implemented changes to mitigate these invasive techniques and have opened our own investigation and are directly in touch with the parties”.
Meta’s Long History of Abusing User Privacy
Unfortunately, this is not Meta’s first time undermining and abusing user privacy. It’s not the second, or even the third. The company has a long history of such behavior, from the Cambridge Analytica scandal to accusations that it deliberately served addictive content to minors, and virtually everything in between. The company has a well-deserved reputation as one of the worst companies in the world in terms of user privacy.
In view of this latest revelation, it’s time for users to leave the platform. What’s more, regulators should start holding the company’s feet to the fire, especially in jurisdictions that have established privacy regulation, like the EU.