Researchers catch Meta apps abusing Android to track sensitive browsing history
June 3, 2025
Summary
- Android’s sandboxing normally keeps apps from sharing sensitive identifiers, but a localhost loophole lets apps covertly bypass those privacy measures.
- Meta and Yandex tracker embeds have been discovered exploiting localhost connections to send cookie data to apps without permission.
- Google and Firefox are investigating potentially disallowed app behavior enabling the clandestine browser tracking, while legality remains unclear.
Privacy concerns are more prevalent than ever, with tools like VPNs, ad blockers, and private browsing continuing to gain popularity. While something like Incognito Mode won’t stop ISPs from tracking users’ web history, it should (theoretically) prevent apps from sharing your most sensitive site visits with other apps and marketing data servers. Android uses a technique called sandboxing to keep apps at arm’s length from each other so they can’t manipulate connections to surreptitiously track behaviors.
That’s why it’s so alarming that apps including Facebook leverage an Android loophole to link supposedly anonymized website visits with known entities, or in other words, you and your browsing history. The recent discovery by independent researchers has both Google and Firefox — the main entities behind the world’s most popular browsers — investigating potential ToS breaches by both Meta and Yandex, the latter of which has apparently employed this tactic for years (Source: LocalMess via Ars Technica).
But surprising absolutely no one
The clandestine tracking process takes advantage of the unsecured nature of localhost (loopback) connections: network connections that never leave the device and let the processes running on it talk to each other. Unlike the normal channels for delivering cookies, the technique can pass cookies from a web page in the browser to apps that are otherwise sandboxed, meaning restricted from talking to each other in certain ways without Android’s permission. Because Android doesn’t require a permission for an app to open or connect to localhost ports, the covert tracking flew under the radar until recently.
Without getting overly technical, the technique conceptually resembles a common email tracking method. In that trick, an image whose URL carries a unique identifying string is embedded in an email. When you open the email, your device requests the image from the sender’s server, and that request carries the unique identifier, so the sender learns that you have opened the email.
There’s no way for users to prevent this kind of communication on their devices. Because of the dynamic nature of JavaScript code and the difficulty of keeping blocklists up to date, the right way of blocking this persistently is by limiting this type of access at the mobile platform and browser level, including stricter platform policies to limit abuse. — Narseo Vallina-Rodriguez, researcher
The localhost tracking workaround does something similar, but is significantly more complex. Ultimately, the loophole lets the apps detect any website you’ve visited that contains a tracking script called Meta Pixel, an extremely common bit of code embedded in countless popular websites for analytics purposes. Because it operates at the system level, it can leverage multiple exploit vectors. Some of those vectors have already been sniffed out and patched, only for the apps to side-step the fixes and continue their under-the-radar surveillance. The method has no regard for any browser app’s flavor of private browsing, and the researchers involved went in-depth on the difficulty of preventing the abuse.
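The precondition for the channel described above is a native app holding a listening socket on the device’s loopback interface that a web page’s script can reach. A first defensive step is therefore simply inventorying which processes on a device are listening on localhost. The following is an added example, not code from the article or from the researchers it cites: it parses Linux-style `netstat -tlnp` output (the layout you get from `adb shell netstat -tlnp` on a device where netstat reports process owners is an assumption here; without root, rows owned by other processes show `-` as the owner) and flags listeners that a browser on the same device could connect to. The sample output, the package names, the ports and the allowlist are all constructed for the example.

```python
"""
Inventory loopback listeners on an Android device (added example, not the
article's or the researchers' code). Flags processes listening on
127.0.0.1 / ::1, and also wildcard binds (0.0.0.0 / ::), since a wildcard
bind accepts loopback connections too.
"""
import re
from dataclasses import dataclass

# Constructed sample in Linux `netstat -tlnp` layout. Ports, PIDs and
# package names are made up for this example and taken from no real device.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN      412/adbd
tcp        0      0 127.0.0.1:18901         0.0.0.0:*               LISTEN      9213/com.example.socialapp
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      9870/com.example.devserver
tcp6       0      0 ::1:18902               :::*                    LISTEN      9213/com.example.socialapp
tcp6       0      0 ::1:40001               :::*                    LISTEN      -
"""

# Assumed allowlist of processes expected on loopback on a stock device;
# extend it for your own fleet. Unknown owners ("-") are never allowlisted.
KNOWN_LOOPBACK_PROCESSES = {"adbd"}

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}
WILDCARD_HOSTS = {"0.0.0.0", "::"}

# One TCP listener row: proto, recv-q, send-q, local, foreign, state, pid/prog.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<pidprog>\S+)\s*$"
)


@dataclass(frozen=True)
class Listener:
    proto: str
    host: str
    port: int
    pid: str
    program: str


def accepts_loopback(host: str) -> bool:
    """True if a socket bound to `host` can be reached from the same device."""
    return host in LOOPBACK_HOSTS or host in WILDCARD_HOSTS


def parse_listeners(netstat_output: str) -> list[Listener]:
    """Parse LISTEN rows; header and non-TCP rows are ignored."""
    listeners = []
    for raw in netstat_output.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("state") != "LISTEN":
            continue
        # rpartition keeps IPv6 hosts such as "::1" intact.
        host, _, port = m.group("local").rpartition(":")
        pid, _, program = m.group("pidprog").partition("/")
        listeners.append(Listener(
            proto=m.group("proto"),
            host=host,
            port=int(port),
            pid=pid,
            program=program or "(unknown)",
        ))
    return listeners


def suspicious_listeners(netstat_output: str,
                         allowlist: set[str] = KNOWN_LOOPBACK_PROCESSES) -> list[Listener]:
    """Listeners reachable from a local browser whose owner is not allowlisted."""
    return [
        l for l in parse_listeners(netstat_output)
        if accepts_loopback(l.host) and l.program not in allowlist
    ]


def report(netstat_output: str) -> dict[str, list[int]]:
    """Map each flagged program to the sorted ports it listens on."""
    out: dict[str, list[int]] = {}
    for l in suspicious_listeners(netstat_output):
        out.setdefault(l.program, []).append(l.port)
    return {prog: sorted(ports) for prog, ports in out.items()}


if __name__ == "__main__":
    for prog, ports in report(SAMPLE_NETSTAT).items():
        print(f"{prog}: listening on loopback-reachable ports {ports}")
```

In practice you would feed the function the real output of `adb shell netstat -tlnp` (or `ss -ltnp`, whose column layout differs and would need its own pattern) and compare the flagged packages against what those apps have a legitimate reason to serve locally; the `(unknown)` rows are the ones to chase first, since a non-root shell cannot attribute them.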
Evidence of Meta using the technique first emerged in September 2024, but Russia-based search giant Yandex has been doing it for over eight years. Neither Meta nor Yandex replied to Ars Technica’s requests for comment, but both Google and Firefox representatives indicated they’re investigating the issue for potential breaches of the terms of service, as well as users’ privacy expectations. Both browser developers explicitly noted that such behavior is not allowed on their platforms.
A representative for Google said the behavior violates the terms of service for its Play marketplace and the privacy expectations of Android users. — Ars Technica
Most recently — just a few hours after Ars broke the story, in fact — the researchers discovered that the suspect communications between the Meta Pixel script and localhost ports had stopped. What’s more, nearly all code referencing the _fbp cookie at the center of the debacle has been erased. At first glance, it certainly seems like the company responsible is hard at work covering its tracks.