Unveiled: Meta and Yandex's Covert Data Collection Technique through Android Apps

ICARO Media Group
News
04/06/2025 03h51

Security researchers have uncovered that Meta and Yandex have been using their native Android apps to listen on localhost ports, which allowed them to link web browsing data to user identities and bypass typical privacy protections. After the researchers disclosed the practice, Meta made significant changes: it halted data transmission to localhost from its Pixel script and largely removed the tracking code. This move is likely an effort to avoid violating Google Play policies, which prohibit covert data collection in apps.

A Meta spokesperson told The Register, "We are in discussions with Google to address a potential miscommunication regarding the application of their policies. Upon becoming aware of the concerns, we decided to pause the feature while we work with Google to resolve the issue." Meta did not elaborate further on its discussions with Google.

Recent research involving scientists from IMDEA Networks in Spain, Radboud University in the Netherlands, and KU Leuven in Belgium has provided detailed insights into how Meta and Yandex have implemented this data collection technique. According to the report, native Android apps from Meta—such as Facebook and Instagram—and Yandex—specifically, Yandex Maps and Browser—were detected silently listening on fixed local ports for tracking purposes.

Explaining their findings, the researchers, including Aniketh Girish, Gunes Acar, Narseo Vallina-Rodriguez, Nipuna Weerasekara, and Tim Vlummens, pointed out that these apps received browser metadata, cookies, and commands from scripts like Meta Pixel and Yandex Metrica, embedded on thousands of websites. These scripts, once triggered on users' mobile browsers, would establish silent connections through localhost sockets to the native apps running on the same device.

The implication is significant: these native apps, by accessing device identifiers such as the Android Advertising ID or handling user identities in Meta apps, could link mobile browsing sessions and web cookies to specific user identities. By opening localhost ports, Meta and Yandex were effectively able to bypass standard privacy defenses such as cookie clearing, Incognito Mode, and Android's app permission system.

The technique employed also contradicted the understood scope of first-party cookies, which are not supposed to track activity across different websites. The researchers commented, "The method we disclose allows the linking of the different _fbp cookies to the same user, which bypasses existing protections and runs counter to user expectations."

In Meta's case, the tracking was carried out through the Meta Pixel, an analytics script that marketers embed on websites to collect information on visitor interactions. A range of browser APIs, protocols and tricks, including WebSocket, WebRTC, STUN and TURN, and SDP munging, were used to implement this app-to-web eavesdropping scheme.
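The core of the technique described above is a native app holding a listening socket on the loopback interface so that a script in the browser can reach it. A defender's first check is therefore simply: which installed apps are listening on localhost right now? The script below is an added example written for this article, not code from the researchers, Meta, Yandex or ICARO. It parses the Linux `/proc/net/tcp` table format, which Android also exposes (on recent Android versions reading it usually needs `adb shell` on a rooted or debug device), and reports LISTEN-state sockets owned by installed apps. The table rows, port numbers and UIDs in it are constructed for illustration and are not the ports any real app uses.

```python
"""Audit which installed Android apps are listening on the loopback interface.

Added example, not from the article or the cited research. Reads the
/proc/net/tcp table format and reports sockets in LISTEN state bound to
127.0.0.1 or to the wildcard address, since a native app that wants a web
page's script to reach it must hold exactly such a socket.
"""
import socket
import struct
import sys
from dataclasses import dataclass

TCP_LISTEN = 0x0A              # kernel socket state code for LISTEN
ANDROID_APP_UID_START = 10000  # first uid Android assigns to installed apps

# Constructed /proc/net/tcp excerpt: header plus three rows. Addresses are
# hex in host byte order, so 0100007F is 127.0.0.1 on little-endian ARM/x86.
# Row 0: uid 10123 listening on 127.0.0.1:12345 (placeholder values)
# Row 1: uid 10200 listening on 0.0.0.0:8080
# Row 2: an established (state 01) connection, not a listener
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10200        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A1B2 0100007F:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 12347 1 0000000000000000 100 0 0 10 0
"""


@dataclass(frozen=True)
class Listener:
    ip: str
    port: int
    uid: int
    loopback_only: bool  # True when bound to 127.x only, not the wildcard


def _decode_addr(field: str) -> tuple[str, int]:
    """Turn a '0100007F:3039' field into ('127.0.0.1', 12345)."""
    ip_hex, port_hex = field.split(":")
    # The kernel prints the IPv4 address as one hex word in host byte order;
    # packing it little-endian recovers the dotted form on ARM and x86.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_listeners(table: str) -> list[Listener]:
    """Return every LISTEN-state IPv4 socket in a /proc/net/tcp dump."""
    listeners = []
    for line in table.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue  # blank or truncated row
        if int(fields[3], 16) != TCP_LISTEN:
            continue  # established, time-wait, etc. are not reachable endpoints
        ip, port = _decode_addr(fields[1])
        uid = int(fields[7])
        listeners.append(Listener(ip, port, uid, loopback_only=ip.startswith("127.")))
    return listeners


def app_listeners(table: str) -> list[Listener]:
    """Listeners owned by installed apps (uid >= 10000), i.e. sockets a page in
    a browser on the same device could reach as ws://127.0.0.1:<port>."""
    return [l for l in parse_listeners(table) if l.uid >= ANDROID_APP_UID_START]


def summarize(listeners: list[Listener]) -> list[str]:
    """Human-readable lines, one per listener, for a quick audit report."""
    return [
        f"uid {l.uid} listens on {l.ip}:{l.port}"
        + (" (loopback only)" if l.loopback_only else " (all interfaces)")
        for l in listeners
    ]


if __name__ == "__main__":
    # Feed a live table with:  adb shell cat /proc/net/tcp | python3 audit_localhost.py
    # With no stdin data, fall back to the constructed sample above.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PROC_NET_TCP
    for line in summarize(app_listeners(data or SAMPLE_PROC_NET_TCP)):
        print(line)
```

To map a reported uid back to a package, `adb shell pm list packages -U` prints each package with its uid. The uid threshold is the useful filter: system daemons also listen on loopback, but only sockets owned by installed apps correspond to the app-to-web channel the article describes.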

This revelation highlights the ongoing challenges in protecting user privacy and ensuring compliance with data protection policies in the ever-evolving landscape of digital technology.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
