Potential Android Vulnerability Allowed Apps to Monitor Your Browsing Activity – Android Authority

Recent research has revealed that Meta and Yandex have exploited a loophole in Android that allows apps to access users’ web browsing data. This method circumvents incognito mode, cookie clearing, and other privacy measures, potentially allowing apps to link online activity to app identities. The researchers recommend uninstalling the affected apps as the only reliable solution for users concerned about their privacy.

Yandex provided a statement regarding the findings, asserting that it adheres strictly to data protection standards and does not de-anonymize user data. The company emphasized that the feature in question is intended solely for enhancing personalization within its apps. Following the research, Yandex has opted to discontinue the controversial feature and is collaborating with Google to ensure compliance with app store policies.

The original report indicates that users might have been misled into thinking that incognito mode or clearing cookies provided adequate protection against tracking. Research led by teams like the Local Mess project has demonstrated that Meta and Yandex can link web browsing to user identities through tracking scripts called Meta Pixel and Yandex Metrica.

These scripts are found on millions of websites and can transmit data from the web browser to apps like Facebook and Instagram without users’ consent. Alarmingly, the two companies have used this tracking method for different lengths of time: Meta started in late 2024, while Yandex has reportedly used similar techniques since 2017. Even if users practice good privacy hygiene, such as browsing in private mode or not logging into websites, the presence of these apps can still expose their browsing habits. The loophole operates by routing browser data to localhost, the phone’s loopback network interface, which apps can access without explicit user notification.

To combat this invasive tracking, some browsers like Brave and DuckDuckGo have begun blocking certain behaviors, and Google is updating Chrome to close the loopholes being exploited. However, researchers caution that these fixes may be short-lived unless Android implements more stringent restrictions on app access to local ports. Given the widespread presence of these trackers on millions of websites, the researchers conclude that uninstalling the affected apps remains the most effective way for users to protect their privacy.
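The browser-side blocking mentioned above comes down to refusing requests that an ordinary website makes to the device's own loopback addresses. A sketch of that check follows as an added illustration; it is not code from Brave, DuckDuckGo, Chrome or the researchers, and the function names, port and sample URLs are assumptions constructed for the example.

```javascript
// Added example: decide whether a request issued by a web page targets the
// device itself. All URLs and the port are constructed samples.

// True when the URL's host is a loopback address, or the unspecified address
// 0.0.0.0, which many systems route to the local host.
function isLoopbackTarget(requestUrl) {
  let url;
  try {
    url = new URL(requestUrl);
  } catch {
    return false; // not a parsable absolute URL
  }
  // The WHATWG URL parser canonicalises hosts for http(s) and ws(s), so
  // decimal or hex spellings (2130706433, 0x7f.1) arrive as "127.0.0.1".
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "0.0.0.0") return true;
  if (/^127\.\d+\.\d+\.\d+$/.test(host)) return true; // 127.0.0.0/8
  if (host === "[::1]") return true;                  // IPv6 loopback
  // IPv4-mapped IPv6 form of 127.x.x.x, e.g. [::ffff:7f00:1]
  if (/^\[::ffff:7f[0-9a-f]{2}:[0-9a-f]{1,4}\]$/.test(host)) return true;
  return false;
}

// Policy: a page served from the public web may not reach loopback;
// a page that is itself served from loopback (local development) may.
function decide(pageUrl, requestUrl) {
  if (!isLoopbackTarget(requestUrl)) return "allow";
  return isLoopbackTarget(pageUrl) ? "allow" : "block";
}

// Returns the subset of a page's outgoing requests that the policy blocks.
function blockedRequests(pageUrl, requestUrls) {
  return requestUrls.filter((u) => decide(pageUrl, u) === "block");
}

// Constructed sample: requests observed while loading one page.
const sampleRequests = [
  "https://cdn.example/tracker.js",
  "http://127.0.0.1:40000/sync?id=abc",
  "wss://[::1]:40000/",
  "http://2130706433:40000/",          // decimal spelling of 127.0.0.1
  "https://localhost.example.com/ok",  // public host, only looks similar
];
console.log(blockedRequests("https://news.example/article", sampleRequests));
```

Host canonicalisation matters here: a filter that only string-matches `127.0.0.1` or `localhost` misses the alternate spellings in the sample list.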
