Security researchers say Meta and Yandex have used native Android apps to listen on localhost ports, allowing them to link web browsing data to user identities and bypass typical privacy protections.
Following disclosure, the researchers observed that the Meta Pixel script stopped sending data to localhost and that the tracking code had been largely removed. That decision may help Meta avoid scrutiny under Google Play policies, which prohibit covert data collection by apps.
“We are in discussions with Google to address a potential miscommunication regarding the application of their policies,” a Meta spokesperson told The Register. “Upon becoming aware of the concerns, we decided to pause the feature while we work with Google to resolve the issue.”
The Meta spokesperson did not respond to a request to elaborate on the company’s discussions with Google.
What the researchers found
In a report published on Tuesday, computer scientists affiliated with IMDEA Networks (Spain), Radboud University (Netherlands) and KU Leuven (Belgium) describe how the US social media giant and the Russian search engine were observed using native Android apps to collect web cookie data via the device’s loopback interface, commonly known as localhost.
Localhost is a loopback address that a device can use to make a network request to itself. It is commonly used by software developers to test server-based applications, such as websites, on local hardware.
The researchers – Aniketh Girish (PhD student), Gunes Acar (assistant professor), Narseo Vallina-Rodriguez (associate professor), Nipuna Weerasekara (PhD student) and Tim Vlummens (PhD student) – said they found native Android apps, including Meta’s Facebook and Instagram and Yandex’s Maps and Browser, silently listening on ports for tracking purposes.
“These native Android apps receive browser metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of websites,” the computer scientists said. “These JavaScripts load in users’ mobile browsers and silently connect to the native apps running on the same device through localhost sockets.”
Because these native apps have access to device identifiers such as the Android Advertising ID and handle user identities in Meta’s apps, the researchers say they are able to link mobile browsing sessions and web cookies to user identities.
Essentially, by opening local ports that let their Android apps receive tracking data, such as cookies and browser metadata, from scripts running in mobile browsers, Meta and Yandex are able to bypass common privacy protections such as cookie clearing, incognito mode and Android’s app permission system.
The technique also breaks assumptions about the scope of first-party cookies, which are not supposed to be able to track browsing activity across different websites. According to the researchers, “the method we disclose allows linking different _fbp cookies to the same user, which bypasses existing protections and violates user expectations.”
As for Meta, the tracking process involves scripts associated with Meta Pixel, analytics code used by marketers to collect data on interactions with websites.
Various APIs and protocols can be used to implement the app-web listening scheme described. These include: SDP munging, which involves manually modifying Session Description Protocol (SDP) messages before they are handed to the browser; the real-time communication protocols WebSocket and WebRTC; Session Traversal Utilities for NAT (STUN), an address discovery mechanism; and Traversal Using Relays around NAT (TURN), a method for getting around router restrictions.
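As an added illustration (not code from the paper, from any browser vendor, or from The Register), here is a defensive check of the kind a browser or a WebRTC-aware proxy could apply to an SDP before accepting it: it parses ICE candidate lines and flags any whose address is the loopback interface, which is what SDP munging aimed at a localhost listener looks like. The SDP text is constructed sample data; the candidate line format follows RFC 8839, and the UDP port range 12580-12585 is the one the article reports for the Meta apps.

```python
import ipaddress
from dataclasses import dataclass

# UDP listener range the article attributes to the Facebook/Instagram apps
KNOWN_LISTENER_PORTS = set(range(12580, 12586))


@dataclass
class LoopbackTarget:
    """An ICE candidate that would direct WebRTC traffic at the device itself."""
    address: str
    port: int
    transport: str            # "udp" or "tcp"
    matches_known_port: bool  # port falls in the range documented for the Meta apps
    line: str                 # the raw SDP line, for logging


def _is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8, ::1 or the literal name 'localhost'."""
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        # mDNS (*.local) or other non-literal candidates are not loopback literals
        return False


def find_loopback_targets(sdp: str) -> list[LoopbackTarget]:
    """Scan an SDP offer/answer for ICE candidates aimed at loopback.

    A browser-generated host candidate points at a LAN or public address; a
    candidate whose address is 127.0.0.1 (or ::1) only makes sense if the page
    is trying to reach a listener on the same device. The o= and c= lines are
    deliberately ignored: browsers routinely put 127.0.0.1 / 0.0.0.0 there as
    placeholders, so they carry no signal on their own.
    """
    findings: list[LoopbackTarget] = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if not line.startswith("a=candidate:"):
            continue
        # RFC 8839: candidate:<foundation> <component> <transport> <priority>
        #           <connection-address> <port> typ <cand-type> ...
        fields = line[len("a=candidate:"):].split()
        if len(fields) < 8 or fields[6] != "typ":
            continue
        transport, addr, port = fields[2].lower(), fields[4], fields[5]
        if _is_loopback(addr) and port.isdigit():
            findings.append(LoopbackTarget(
                address=addr,
                port=int(port),
                transport=transport,
                matches_known_port=int(port) in KNOWN_LISTENER_PORTS,
                line=line,
            ))
    return findings


# Constructed sample offer: one ordinary LAN host candidate plus one munged
# candidate pointing at a loopback UDP port in the documented range.
SAMPLE_OFFER = """v=0
o=- 4611731400430051336 2 IN IP4 127.0.0.1
s=-
t=0 0
a=group:BUNDLE 0
m=application 9 UDP/DTLS/SCTP webrtc-datachannel
c=IN IP4 0.0.0.0
a=ice-ufrag:Hk3d
a=ice-pwd:0f2c9d8b7a6e5f4d3c2b1a0f9e8d7c6b
a=candidate:1 1 udp 2122260223 192.168.1.20 54321 typ host generation 0
a=candidate:2 1 udp 2122194687 127.0.0.1 12580 typ host generation 0
a=sctp-port:5000
"""

if __name__ == "__main__":
    for hit in find_loopback_targets(SAMPLE_OFFER):
        flag = " (documented Meta listener range)" if hit.matches_known_port else ""
        print(f"loopback candidate {hit.transport} {hit.address}:{hit.port}{flag}")
```

A policy built on this check can reject the offer outright, or (as Brave does for localhost generally) hold it until the user consents; the `matches_known_port` flag is only a convenience for triage, since a listener can sit on any port.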
The researchers describe Meta’s approach as follows:
- The user opens the native Facebook or Instagram app, which is eventually sent to the background and creates a background service to listen for incoming traffic on a TCP port (12387 or 12388) and a UDP port (the first unoccupied port in 12580-12585). Users must be logged in to the apps with their credentials.
- The user opens their browser and visits a website embedding the Meta Pixel.
- At this point, websites may ask for consent depending on the website’s and the visitor’s location.
- The Meta Pixel script sends the _fbp cookie to the native Instagram or Facebook app via WebRTC (STUN) SDP munging.
- The Meta Pixel script also sends the _fbp value in a request with other parameters, such as the page URL (dl), website and browser metadata, and the event type (ev) (for example, PageView, AddToCart, Donate, Purchase).
- The Facebook or Instagram app receives the _fbp cookie from the Meta Pixel JavaScript running in the browser. The apps transmit _fbp as a GraphQL mutation to (https://graph[.]facebook[.]com/graphql) along with other persistent user identifiers, linking users’ _fbp IDs (web visit) with their Facebook or Instagram account.
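The listening ports described in the first step are observable on the device itself. The following added example (not the researchers’ tooling and not anything from Meta) parses dumps of /proc/net/tcp and /proc/net/udp, as obtained with `adb shell cat /proc/net/tcp` and `adb shell cat /proc/net/udp` on the assumption that the shell user can read them (recent Android releases may require root), and reports loopback listeners on the documented ports together with the owning app UID. The dumps below are constructed sample data, and UID 10123 is a placeholder.

```python
import socket
import struct

# Listener ports the researchers attribute to the Facebook/Instagram apps (from the article)
META_TCP_PORTS = {12387, 12388}
META_UDP_PORTS = set(range(12580, 12586))

TCP_LISTEN = "0A"  # 'st' column value for LISTEN in /proc/net/tcp
UDP_BOUND = "07"   # 'st' column value for an unconnected (bound) socket in /proc/net/udp


def _decode_addr(field: str) -> tuple[str, int]:
    """Decode a /proc/net '<hexip>:<hexport>' field.

    The kernel writes the IPv4 address as a 32-bit value in host byte order;
    Android devices are little-endian, hence the '<I' unpacking.
    """
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def _parse_table(text: str, wanted_state: str):
    """Yield (ip, port, uid) for rows of a /proc/net/{tcp,udp} dump in the given state."""
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 8:
            continue
        local, state, uid = cols[1], cols[3], int(cols[7])
        if state != wanted_state:
            continue
        ip, port = _decode_addr(local)
        yield ip, port, uid


def _reachable_from_loopback(ip: str) -> bool:
    """A socket bound to 127.x or to the wildcard address accepts localhost traffic."""
    return ip.startswith("127.") or ip == "0.0.0.0"


def audit_loopback_listeners(tcp_dump: str, udp_dump: str) -> list[dict]:
    """Return sockets reachable via localhost on the ports the article documents.

    Each finding records protocol, bound address, port and the Android app UID;
    every app runs under its own UID, so the uid column identifies the owner.
    """
    findings = []
    for ip, port, uid in _parse_table(tcp_dump, TCP_LISTEN):
        if _reachable_from_loopback(ip) and port in META_TCP_PORTS:
            findings.append({"proto": "tcp", "ip": ip, "port": port, "uid": uid})
    for ip, port, uid in _parse_table(udp_dump, UDP_BOUND):
        if _reachable_from_loopback(ip) and port in META_UDP_PORTS:
            findings.append({"proto": "udp", "ip": ip, "port": port, "uid": uid})
    return findings


# Constructed sample dumps. 0x3063 = 12387, 0x1F90 = 8080, 0x3124 = 12580, 0x0044 = 68.
# Row 2 of the TCP table is an established connection, not a listener, and must be skipped.
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3063 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 45678 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10050        0 45690 1 0000000000000000 100 0 0 10 0
   2: 0100007F:3063 0100007F:A3F2 01 00000000:00000000 00:00000000 00000000 10123        0 45701 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_UDP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 0100007F:3124 00000000:0000 07 00000000:00000000 00:00000000 00000000 10123        0 45710 2 0000000000000000 0
   1: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 45720 2 0000000000000000 0
"""

if __name__ == "__main__":
    for f in audit_loopback_listeners(SAMPLE_TCP, SAMPLE_UDP):
        print(f"{f['proto']} {f['ip']}:{f['port']} owned by uid {f['uid']}")
```

To turn a UID into a package name on a real device, `adb shell pm list packages -U` lists installed packages with their UIDs on recent Android builds. Because the apps pick the first free UDP port in 12580-12585, the audit checks the whole range rather than a single port, and a bind to 0.0.0.0 is treated the same as a bind to 127.0.0.1 since both accept localhost connections.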
The researchers observed Meta deploying this technique from September 2024, transmitting data over HTTP. Third-party developers working with Meta’s APIs noticed and questioned the behaviour in forum posts at the time.
The HTTP-based data transmission using this technique is thought to have ended the following month, but other transmission methods (WebSocket, WebRTC STUN with SDP munging, and WebRTC TURN without SDP munging) were identified in the months that followed.
Currently, however, Meta’s use of these techniques appears to have stopped. According to the researchers, “as of June 3 at 7:45 am, the Meta/Facebook Pixel script no longer sends any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed.”
Yandex’s use of localhost-based tracking dates back to 2017, according to the researchers.
The Register tried to ask Yandex media relations about the researchers’ claims, but our enquiry bounced as spam.
The report’s authors note that their disclosure to Android browser vendors has led to several mitigations.
Chrome 137, which shipped on May 26, 2025, includes countermeasures to block the SDP munging technique used by Meta Pixel, though these were made available only to a subset of users participating in a closed field trial. A fix is currently being developed for Mozilla Firefox. Brave is unaffected because it requires consent for localhost access. And DuckDuckGo has updated its blocklist to stop Yandex’s scripts.
Beyond these, the authors point to a Google proposal to create a new “Local Network Access” permission that could help mitigate localhost-based tracking in the future. An earlier proposal along these lines ran into technical barriers. ®