Dan Goodin, writing at Ars Technica:
This abuse has been observed only in Android, and evidence suggests that the Meta Pixel and Yandex Metrica target only Android users. The researchers say it may be technically feasible to target iOS because browsers on that platform allow developers to programmatically establish localhost connections that apps can monitor on local ports.
In contrast to iOS, however, Android imposes fewer controls on local host communications and background executions of mobile apps, the researchers said, while also implementing stricter controls in app store vetting processes to limit such abuses. This overly permissive design allows Meta Pixel and Yandex Metrica to send web requests with web tracking identifiers to specific local ports that are continuously monitored by the Facebook, Instagram, and Yandex apps. These apps can then link pseudonymous web identities with actual user identities, even in private browsing modes, effectively de-anonymizing users’ browsing habits on sites containing these trackers.
I’ll note that among the so-called “interoperability” requirements the European Commission is demanding of iOS is for third-party apps to run, unfettered, in the background, because some of Apple’s own first-party software obviously runs in the background. And I’ll further note that Apple made clear, back in its December 2024 report laying out its objections to the EC’s demands, that:
No company has made more interoperability requests of Apple than Meta. In many cases, Meta is seeking to alter functionality in a way that raises concerns about the privacy and security of users, and that appears to be completely unrelated to the actual use of Meta external devices, such as Meta smart glasses and Meta Quests.
This newly uncovered “Local Mess” exploit — which seemingly only works on Android — is exactly the sort of scheme Meta wants to pull on iOS: to track users across millions of websites while they justifiably believe their web browsing is sandboxed from all native apps.
Back to Goodin:
Meta Pixel and Yandex Metrica are analytics scripts designed to help advertisers measure the effectiveness of their campaigns. Meta Pixel and Yandex Metrica are estimated to be installed on 5.8 million and 3 million sites, respectively.
Every one of the sites that includes these tracking scripts is complicit to some extent in the theft of hundreds of millions of Android users’ web browsing privacy.