Meta Halts Android Port Tracking After Privacy Concerns

On Tuesday, privacy researchers revealed that Meta and Yandex used a lesser-known Android trick to gather user data. By listening on localhost ports, their apps quietly linked web browsing data to user identities. This method allowed them to bypass browser privacy features like cookie clearing and Incognito Mode.

The apps involved—Facebook, Instagram, Yandex Maps, and Yandex Browser—received browser cookies and metadata through JavaScript scripts embedded in websites. These scripts, including Meta Pixel and Yandex Metrica, secretly communicated with native Android apps running on the same device. While most users were unaware of this communication, it enabled companies to track users across multiple websites without consent.

Because these apps had access to device identifiers like the Android Advertising ID, they could connect web browsing behavior to specific user accounts. This undermined user expectations around privacy and even broke assumptions about how first-party cookies work.

Meta Responds to Public Scrutiny

Shortly after the report’s publication, Meta stopped its Pixel scripts from sending data to localhost. The company also began removing the relevant code, signaling a possible shift in its approach. According to a spokesperson, Meta is now “in discussions with Google” to clarify how its practices fit within Play Store policies. In the meantime, it has paused the feature.

However, Meta did not confirm whether it intends to permanently abandon the tracking technique. The company also declined to share further details about its conversations with Google.

Researchers traced Meta’s use of this method back to September 2024. Although one version of the data transfer stopped a month later, alternate protocols like WebRTC and WebSocket remained active until recently.

In contrast, Yandex has used similar techniques since 2017. Efforts to get a comment from Yandex were unsuccessful, as their media inbox rejected inquiries.

Industry Response and Mitigation Efforts

Following the disclosure, browser developers moved quickly. Chrome 137 introduced limited protection against Meta’s use of SDP Munging. Mozilla is actively developing a fix, while Brave and DuckDuckGo have already implemented changes.

Brave blocks localhost tracking by default, and DuckDuckGo updated its blocklist to stop Yandex’s scripts. Going forward, Google is also considering a new permission system to regulate local network access on Android.
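The kind of check a content blocker or site audit can apply to the localhost traffic described above, shown as an added example that is not code from the researchers, the browser vendors or this article. The page URL, request URLs and port numbers are constructed sample values, and the check covers HTTP and WebSocket requests only, not WebRTC.

```javascript
// Added example: flag requests from a public web page that target the device's own loopback interface.
const NETWORK_SCHEMES = new Set(["http:", "https:", "ws:", "wss:"]);

// True when a URL hostname (as normalised by the WHATWG URL parser) points at the local device.
function isLoopbackHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  // The parser rewrites forms such as 127.1 or 2130706433 to a dotted quad first
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  if (host === "[::1]") return true;
  // IPv4-mapped IPv6 loopback serialises as [::ffff:7fXX:XXXX]
  return /^\[::ffff:7f[0-9a-f]{2}:[0-9a-f]{1,4}\]$/.test(host);
}

// Returns the loopback-bound requests made by a page, or [] when the page itself is local.
function findLoopbackRequests(pageUrl, requestUrls) {
  const page = new URL(pageUrl);
  // A page served from loopback talking to loopback is ordinary local development
  if (isLoopbackHost(page.hostname)) return [];
  const hits = [];
  for (const raw of requestUrls) {
    let url;
    try { url = new URL(raw, page); } catch { continue; } // skip unparseable entries
    if (!NETWORK_SCHEMES.has(url.protocol)) continue;
    if (isLoopbackHost(url.hostname)) {
      hits.push({ url: url.href, host: url.hostname, port: url.port || "(default)" });
    }
  }
  return hits;
}

// Constructed sample data: requests observed while loading one page (ports are made up)
const SAMPLE_PAGE = "https://shop.example/checkout";
const SAMPLE_REQUESTS = [
  "https://cdn.example/pixel.js",
  "http://127.0.0.1:10001/collect?c=abc",
  "wss://localhost:10002/",
  "http://2130706433:10003/",             // integer form of 127.0.0.1
  "http://[::ffff:127.0.0.1]:10004/x",    // IPv4-mapped IPv6 loopback
  "/api/cart",                            // relative, resolves to the page origin
  "https://127.0.0.1.lookalike.example/", // ordinary domain, not loopback
  "data:text/plain,hi",
];

for (const hit of findLoopbackRequests(SAMPLE_PAGE, SAMPLE_REQUESTS)) {
  console.log(`loopback request: ${hit.url} (port ${hit.port})`);
}
```
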

Ultimately, the discovery underscores how privacy loopholes can persist even within regulated environments. While Meta has hit pause, questions remain about the future of app-based tracking and who will step in to stop it next.
