Meta and Yandex violating privacy of Android users to track data: Report

A group of researchers have found that Meta and Russia-based search engine Yandex are bypassing privacy protections to track Android user data too closely. A report by Ars Technica has cited the findings saying that the tracking code embedded by Meta and Yandex into websites was sending unique identifiers from web browsing data to localhost ports using native apps installed on a device. 

“These native Android apps receive browsers’ metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of websites,” the researchers noted. “These JavaScripts load on users’ mobile browsers and silently connect with native apps running on the same device through localhost sockets.”

The native apps were able to link mobile browsing sessions and web cookies to user identities since they handle device identifiers like the Android Advertising ID and user identities on Facebook and Instagram. 

Sandboxing is one of the primary ways to secure user data by isolating processes and preventing them from interacting with the OS or any other apps installed. Yandex and Meta started breaking the sandbox and bypassing it in 2017 and last September respectively. 

The researchers also found that the trackers, Meta Pixel and Yandex Metrica were targeting only Android users which unlike iOS has lesser restrictions in the app store as well as on the background executions of mobile apps.

Google responded to the report saying they are investigating the violations and that the companies used “capabilities present in many browsers across iOS and Android in unintended ways that blatantly violate our security and privacy principles.”