Meta Apps Have Been Covertly Tracking Android Users' Web Activity for Months
The Russian company Yandex has been doing it for years.

I don't expect Meta to respect my data or my privacy, but the company continues to surprise me with how low they're willing to go in the name of data collection. The latest such story comes to us from a report titled "Disclosure: Covert Web-to-App Tracking via Localhost on Android." In short, Meta and Yandex (a Russian technology company) have been tracking potentially billions of Android users by abusing a security loophole in Android. That loophole allows the companies to access identifying browsing data from your web browser as long as you have their Android apps installed.
How does this tracking work?
As the report explains, Android allows any installed app with the internet permission to listen on the "loopback address," or localhost, the address a device uses to communicate with itself. As it happens, your web browser can reach that same address, which allows JavaScript embedded on certain websites to open a connection to an app listening there and hand over browsing data and identifiers.
What are those scripts, you might ask? In this case, they're Meta Pixel and Yandex Metrica, scripts that let companies track users on their sites. Trackers are an unfortunate part of the modern internet, but Meta Pixel is only supposed to be able to follow you while you browse the web. This localhost channel lets Meta Pixel scripts send your browsing data, cookies, and identifiers back to installed Meta apps like Facebook and Instagram. The same goes for Yandex with its apps like Maps and Browser.
You certainly didn't sign up for that when you installed Instagram on your Android device. But once you logged in, the next time you visited a website that embedded Meta Pixel, the script beamed your information back to the app. All of a sudden, Meta had identifying browsing data from your web activity, not via the browsing itself, but from the "unrelated" Instagram app.
Chrome, Firefox, and Edge were all affected in these findings. DuckDuckGo blocked some but not all of the domains here, so it was "minimally affected." Brave does block requests to the localhost if you don't consent to it, so it did successfully protect users from this tracking.
Researchers say Yandex has been doing this since February of 2017 on HTTP sites, and May of 2018 on HTTPS sites. Meta Pixel, on the other hand, hasn't been tracking this way for long: It only started in September of 2024 over HTTP, and ended that practice in October. It started again over WebSocket and WebRTC STUN in November, and over WebRTC TURN in May.
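The mechanism described above boils down to web content contacting the device's own loopback interface, over plain HTTP, WebSocket, or the WebRTC STUN/TURN channels the timeline mentions. The following is an added example, not code from the report or from this article's author, showing the defender's side: it takes a list of destinations a page's scripts tried to reach (a constructed sample, not real Meta or Yandex endpoints; the port numbers are made up) and flags every one that points at loopback, then wraps a fetch-like function so such requests are refused before they leave the page, in the spirit of a browser that blocks localhost access by default. The function names and the sample URLs are assumptions of this example.

```javascript
// Added example (not from the report or the article). Flags outbound
// requests whose destination is the device's loopback interface and shows
// a guard that refuses them. All hostnames, ports and URLs are constructed.

// True for any hostname that resolves to the device itself.
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "::1" || h === "0.0.0.0") return true;
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h);        // the whole 127/8 block
}

// Parse one destination. WebRTC ICE server URLs (stun:host:port, turn:host:port)
// have no "//", so the WHATWG URL parser gives them no hostname; handle by hand.
function parseTarget(urlString) {
  const ice = /^(stuns?|turns?):(\[[^\]]+\]|[^:?\/]+)(?::(\d+))?/i.exec(urlString);
  if (ice) {
    return { kind: "webrtc", scheme: ice[1].toLowerCase(), host: ice[2],
             port: ice[3] ? Number(ice[3]) : null };
  }
  let url;
  try { url = new URL(urlString); } catch { return null; }   // not a URL at all
  const scheme = url.protocol.replace(/:$/, "");
  const kind = scheme === "ws" || scheme === "wss" ? "websocket"
             : scheme === "http" || scheme === "https" ? "http" : "other";
  return { kind, scheme, host: url.hostname, port: url.port ? Number(url.port) : null };
}

// Audit a list of destinations; returns only the loopback-bound ones.
function auditRequests(urls) {
  const findings = [];
  for (const u of urls) {
    const t = parseTarget(u);
    if (t && isLoopbackHost(t.host)) findings.push({ url: u, ...t });
  }
  return findings;
}

// Guard: wrap any fetch-like function so loopback destinations are rejected
// before a request is sent. `realFetch` is supplied by the caller.
function makeGuardedFetch(realFetch) {
  return function guardedFetch(input, init) {
    const t = parseTarget(String(input));
    if (t && isLoopbackHost(t.host)) {
      return Promise.reject(new Error(`blocked: web content may not reach loopback (${input})`));
    }
    return realFetch(input, init);
  };
}

// Constructed sample of what a page's scripts might try to contact.
const SAMPLE_REQUESTS = [
  "https://example.invalid/pixel.js",        // ordinary tracker script fetch
  "http://localhost:12345/beacon?id=abc",    // loopback over HTTP
  "ws://127.0.0.1:12346/",                   // loopback over WebSocket
  "stun:127.0.0.1:3478",                     // loopback STUN server
  "turn:127.0.0.1:3479?transport=udp",       // loopback TURN server
  "wss://example.invalid/live",              // ordinary WebSocket
];

const SAMPLE_FINDINGS = auditRequests(SAMPLE_REQUESTS);
for (const f of SAMPLE_FINDINGS) {
  console.log(`${f.kind.padEnd(9)} ${f.scheme}://${f.host}${f.port ? ":" + f.port : ""}`);
}
```

Run with `node` and the four loopback-bound entries are printed; the two ordinary destinations are not. The STUN/TURN branch matters because a WebRTC peer connection never goes through `fetch`, so a guard that only inspects `http`/`ws` URLs would miss the channels the researchers say were used from November onward.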
Website owners apparently complained to Meta starting in September, asking why Meta Pixel communicates with the localhost. As far as researchers could find, Meta never responded.
Researchers make it clear that this type of tracking is possible on iOS too, since developers can establish localhost connections and apps can "listen in" there as well. However, they found no evidence of this tracking on iOS devices, and hypothesize that this is because iOS restricts native apps from running in the background.
Meta has officially stopped this tracking
The good news is, as of June 3, researchers say they have not observed Meta Pixel communicating with the localhost. They didn't say the same for Yandex Metrica, though Yandex told Ars Technica it was "discontinuing the practice." Ars Technica also reports that Google has opened an investigation into these actions, which it says "blatantly violate our security and privacy principles."
However, even if Meta has stopped this tracking following the report, the damage could be widespread. As highlighted in the report, estimates put Meta Pixel adoption anywhere from 2.4 million to 5.8 million sites. From there, researchers found that just over 17,000 Meta Pixel sites in the U.S. attempt to connect to the localhost, and over 78% of those do so without requiring any user consent, including sites like AP News, Buzzfeed, and The Verge. That's a lot of websites that could have been sending your data back to your Facebook and Instagram apps. The report features a tool that you can use to look for affected sites, but notes the list is not exhaustive, and a site's absence from it doesn't mean the site is safe.
Meta sent me the following statement in response to my request for comment: “We are in discussions with Google to address a potential miscommunication regarding the application of their policies. Upon becoming aware of the concerns, we decided to pause the feature while we work with Google to resolve the issue.”