Meta Apps Have Been Secretly Tracking Android Users’ Web Activity for Months

I don’t expect Meta to respect my data or my privacy, but the company continues to amaze me with how low they’re willing to go in the name of data collection. The latest such story comes to us from a report titled “Exposé: Hidden Web App Tracking via Localhost on Android.” In short, Meta and Yandex (a Russian tech company) are tracking potentially billions of Android users by abusing a loophole in Android security. This loophole allows companies to access identifying browsing data from your web browser as long as you have their Android apps installed.
How does this tracking work?
As the report explains, Android lets any installed app with the internet permission listen on and connect to the “loopback address,” or localhost, the address the device uses to talk to itself. Your web browser can reach localhost too, so JavaScript embedded on a website can open a connection to a port that an installed app is listening on and hand over browsing data and identifiers.
What is this JavaScript, you ask? In this case, it’s Meta Pixel and Yandex Metrica, scripts that let those companies track users across the sites that embed them. Trackers are an unfortunate part of the modern internet, but on its own a script like Meta Pixel can only see what happens inside the browser. This loophole lets Meta Pixel send your browsing data, cookies, and identifiers to installed Meta apps like Facebook and Instagram. The same goes for Yandex and its apps, such as Maps and Browser.
You certainly didn’t sign up for this when you installed Instagram on your Android device. But once you were logged in, the next time you visited a website with Meta Pixel embedded, the script passed your information to the app. Suddenly Meta was getting identifying data about your web activity, not through the browser itself, but through the “unrelated” Instagram app.
Chrome, Firefox, and Edge were all affected. DuckDuckGo blocked some but not all of the domains involved, so it was “minimally affected.” Brave blocks requests to localhost unless you explicitly consent, so it protected its users from this tracking.
The researchers say Yandex has been doing this since February 2017 on HTTP sites and since May 2018 on HTTPS sites. Meta Pixel, by contrast, is a latecomer: it first used plain HTTP requests to localhost in September 2024 and dropped that method in October 2024, then switched to WebSocket and WebRTC STUN in November 2024, and added WebRTC TURN in May 2025.
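The four channels named above (plain HTTP requests, WebSocket, and WebRTC STUN/TURN) are all ordinary browser APIs, which means a page can watch for them. The following is an added example written for this article, not code from the report or from Meta or Yandex. It wraps `fetch`, `XMLHttpRequest`, `WebSocket`, and `RTCPeerConnection` on whatever global object you hand it and records any attempt to reach a loopback address, including STUN/TURN server URLs tucked into a peer connection’s ICE configuration. The port numbers in the demo are arbitrary constructed values, not the ports any real app listens on, and the stand-in globals exist only so the example runs outside a browser; in a browser you would call `installLoopbackMonitor(window)` from the devtools console before the page’s tracking scripts load.

```javascript
// Added example: a page-side monitor for localhost contact attempts.
// Not part of the report or of any Meta/Yandex code.

// True when a hostname is the device itself (localhost, 127.0.0.0/8, ::1).
function isLoopbackHost(host) {
  const h = String(host).toLowerCase();
  return (
    h === "localhost" ||
    h.endsWith(".localhost") ||
    h === "[::1]" ||
    h === "::1" ||
    h === "0.0.0.0" ||
    /^127\.\d+\.\d+\.\d+$/.test(h)
  );
}

// Accepts http(s), ws(s) URLs and stun/turn URIs; returns true if the target is loopback.
function isLoopbackTarget(rawUrl, base = "https://example.invalid/") {
  const s = String(rawUrl);
  // STUN/TURN URIs ("stun:host:port", "turn:host:port?transport=udp") are not WHATWG URLs.
  const m = /^(stuns?|turns?):([^?]+)/i.exec(s);
  if (m) {
    const hostport = m[2];
    const host = hostport.startsWith("[")
      ? hostport.slice(0, hostport.indexOf("]") + 1)
      : hostport.split(":")[0];
    return isLoopbackHost(host);
  }
  let u;
  try { u = new URL(s, base); } catch { return false; }
  return isLoopbackHost(u.hostname);
}

// Wraps the APIs a tracker could use and appends {api, target} to `findings`
// for every loopback destination. Original calls are still forwarded.
function installLoopbackMonitor(g, findings = []) {
  const flag = (api, target) => {
    if (isLoopbackTarget(target)) findings.push({ api, target: String(target) });
  };

  if (typeof g.fetch === "function") {
    const origFetch = g.fetch;
    g.fetch = function (input, init) {
      // A Request object carries its URL in .url; otherwise input is the URL itself.
      const url = input && typeof input === "object" && "url" in input ? input.url : input;
      flag("fetch", url);
      return origFetch.call(this, input, init);
    };
  }

  if (g.XMLHttpRequest && g.XMLHttpRequest.prototype) {
    const origOpen = g.XMLHttpRequest.prototype.open;
    g.XMLHttpRequest.prototype.open = function (method, url, ...rest) {
      flag("XMLHttpRequest", url);
      return origOpen.call(this, method, url, ...rest);
    };
  }

  if (typeof g.WebSocket === "function") {
    // A Proxy keeps static members (CONNECTING, OPEN, ...) intact.
    g.WebSocket = new Proxy(g.WebSocket, {
      construct(target, args, newTarget) {
        flag("WebSocket", args[0]);
        return Reflect.construct(target, args, newTarget);
      },
    });
  }

  if (typeof g.RTCPeerConnection === "function") {
    g.RTCPeerConnection = new Proxy(g.RTCPeerConnection, {
      construct(target, args, newTarget) {
        // iceServers[].urls may be a single string or an array of strings.
        const servers = (args[0] && args[0].iceServers) || [];
        for (const s of servers) {
          for (const u of [].concat(s.urls || [])) flag("RTCPeerConnection", u);
        }
        return Reflect.construct(target, args, newTarget);
      },
    });
  }
  return findings;
}

// Demo with constructed stand-in globals so it runs without a browser.
// Ports are arbitrary constructed values, not real app ports.
function demo() {
  const g = {
    fetch: async (input) => ({ url: String(input) }),
    XMLHttpRequest: class { open(method, url) { this.url = url; } },
    WebSocket: class { constructor(url) { this.url = url; } },
    RTCPeerConnection: class { constructor(cfg) { this.cfg = cfg; } },
  };
  const findings = installLoopbackMonitor(g);
  g.fetch("http://127.0.0.1:12345/");                       // flagged
  g.fetch("https://www.example.com/pixel");                 // not flagged
  new g.XMLHttpRequest().open("POST", "http://localhost:1234/");
  new g.WebSocket("ws://127.0.0.1:5555/");
  new g.RTCPeerConnection({ iceServers: [{ urls: ["stun:127.0.0.1:3478"] }] });
  new g.RTCPeerConnection({
    iceServers: [{ urls: "turn:localhost:3478?transport=udp", username: "u", credential: "c" }],
  });
  return findings;
}
```

The WebRTC branch matters because a STUN or TURN server address never shows up in the network panel as a normal request; it only appears as an ICE server in the `RTCPeerConnection` configuration, which is why that constructor is wrapped rather than the connection’s later traffic.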
Website owners apparently complained to Meta starting in September, asking why Meta Pixel was talking to localhost. As far as the researchers could determine, Meta never responded.
The researchers make clear that this type of tracking is technically possible on iOS too, since apps there can also open local connections and “eavesdrop” on them. However, they found no evidence of it on iOS devices, and hypothesize that this is because of the way iOS restricts what native apps can do while running in the background.
Meta has officially stopped this tracking.
The good news is that as of June 3, the researchers said they had not observed Meta Pixel contacting localhost. They did not say the same about Yandex Metrica, although Yandex told Ars Technica that it was “stopping this practice.” Ars Technica also reports that Google has opened an investigation into these actions, which it says “clearly violate our security and privacy principles.”
However, even if Meta stops this tracking now that the report is out, the damage could be widespread. The report estimates that Meta Pixel is embedded on anywhere from 2.4 million to 5.8 million websites. Of those, the researchers found just over 17,000 Meta Pixel sites in the US attempting to connect to localhost, and more than 78% of them doing so without any user consent, including sites like AP News, BuzzFeed, and The Verge. That’s a lot of websites that could have been sending your data to your Facebook and Instagram apps. The report provides a tool you can use to look up affected sites, but notes that the list is not exhaustive: a site’s absence from it does not mean that site is safe.
Meta sent me the following statement in response to my request for comment: “We are in discussions with Google to resolve potential misunderstandings regarding the enforcement of their policies. After learning of the issues, we have decided to pause the feature while we work with Google to resolve the issue.”