Subscribe
Startups

Covert Web-to-App Tracking via Localhost on Android

Date:

Share:

Disclosure: Covert Web-to-App Tracking via
Localhost on Android

We disclose a novel tracking method by Meta and Yandex potentially affecting
billions of Android users. We found that native Android apps—including Facebook,
Instagram, and
several Yandex apps including Maps and Browser—silently listen on fixed local
ports for tracking purposes.

These native Android apps receive browsers’ metadata, cookies and commands from
the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load
on users’ mobile browsers and silently connect with native apps running on the same device through
localhost sockets. As native apps access programatically
device identifiers like the Android
Advertising ID (AAID) or handle user identities as in the case
of Meta apps, this method effectively allows these organizations to link mobile
browsing sessions and web cookies to user identities, hence de-anonymizing users’
visiting sites embedding their scripts.

This web-to-app ID sharing method bypasses typical privacy protections such as clearing
cookies, Incognito Mode and Android’s permission controls. Worse, it opens the door for potentially
malicious apps eavesdropping on users’ web activity.

📢 UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer
sending
any packets or requests to localhost. The code responsible for sending the _fbp cookie has been
almost
completely removed.

📁 Additional Resources

– Video showing Yandex sending localhost requests. The left window shows a
remote debugging inspector window of the browser on the Android phone.
The right window shows the screen of the Android phone, with our proof-of-concept app at the top and
the browser at the bottom:

– Video showing Meta Pixel sending localhost STUN requests. The left window
shows Wireshark, a program that monitors web traffic.
The right window shows the browser visiting a website. Note that the requests only start sending
once the page is loaded when emulating a Android phone (Pixel 7)
and the breakpoint added to the Facebook script is passed:

– Image showing Meta Pixel parameters for which ports and protocols to
contact localhost.

– Image showing Meta Pixel performing SDP Munging to insert the _fbp cookie
value.

– Image showing Meta Pixel using STUN to _pass fbp cookie value to mobile
apps.


Source link

Subscribe to our magazine

━ more like this

Funny

PostSecret AfterStory – PostSecret

Dear Frank, My secret reads: It hurts to do jazz hands after I cut myself, but the...
Fashion

Dream Con Was A Black Girl Cosplay Fantasy & Megan Thee Stallion Led The Way

Megan Thee Stallion was on a mission as she scanned a room full of fans at the George R. Brown Convention Center in Houston:...
Tech

How Old Is Too Old When Buying an Apple Watch?

We may earn a commission from links on this page. ...
Funny

27 years of drawing Penny Arcade

Fashion

“And Just Like That” Outfits I Can’t Stop Thinking About

While each product featured is independently selected by our editors, we may include paid promotion. If you buy something through our links, we may...
Previous article
Missouri homeowner stunned after catching delivery driver 'licking' his cat on security camera after completing delivery (Video)
Next article
C'è pasta… E pasta! in Rome, Italy

Welcome to our complete News Portal about living, lifestyle, fashion and travel. Take your time and immerse yourself in this amazing experience!

━ support

━ contact us

504 Railroad St, Fayette, MO 65248
support@usn360.com
(877) 216-0603

━ subscribe

© usn360.com - All rights reserved. Made with ❤