Meta and Yandex Have Both Been De-Anonymizing Android Users’ Ostensibly Sandboxed Private Web Browsing Identifiers

Researchers have discovered a method used by Meta" and Yandex to de-anonymize Android users' web browsing across millions of websites. The native Android apps receive browsers' metadata, cookies, and commands from Meta Pixel and Yandex Metrica scripts embedded on thousands of websites. These scripts load on users' mobile browsers and silently connect with native apps running on the same device through localhost sockets. This method allows them to link mobile browsing sessions and web cookies to user identities, effectively de-anonymizing users' visiting sites embedding their scripts. This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode, and Android's permission controls. The entire flow of the _fbp cookie from web to native and the server involves the user opening the native Facebook or Instagram app, which creates a background service to listen for incoming traffic on a TCP port and a UDP port. The Meta Pixel script sends the _fbp cookie to the native Instagram or Facebook app via WebRTC, and the app transmits the _fbp as a GraphQL mutation to Facebook's graph along with other persistent user identifiers, linking users' fbp ID with their Facebook or Instagram account. The same day the researchers published this report, Meta stopped doing it. This elaborate scheme only exists to circumvent features in Android meant to prevent native apps from tracking users while they use their web browser. This method is considered a form of theft, even if it doesn't break any laws.