Core Insights - An international research collaboration has revealed potential privacy abuses involving Meta and Yandex, where native Android apps listen on local ports to de-anonymize users' browsing habits without consent [3][4][6] Tracking Mechanism - Meta's Pixel and Yandex Metrica have embedded tracking codes in millions of websites, allowing them to map Android users' browsing habits to their persistent identities, bypassing Android's privacy protections [4][6] - The tracking practices have been ongoing since 2017 for Yandex and September 2024 for Meta, affecting a significant number of users due to the widespread installation of these tracking tools [6][10] Technical Details - Under Android's permission model, apps with INTERNET permission can create local web servers, enabling them to communicate with browsers and capture user data [7][8] - Meta's Pixel uses localhost channels to share browser identifiers with native apps like Facebook and Instagram, linking data to users' logged-in accounts [9] - Yandex's AppMetrica SDK captures web tracking data and aggregates it with mobile identifiers, creating enriched user profiles [10][11] Research Findings - The research team has disclosed these issues to browser vendors, who are working on mitigations, with Chrome's response expected soon [5][16] - Yandex apps have been observed to wait up to three days post-installation before activating their tracking mechanisms, potentially to evade detection [12] Recommendations for Prevention - The research suggests that mobile platforms and browsers need to overhaul their handling of local port access to prevent such abuses [13][14] - There is a call for stricter platform policies and vetting processes to deter similar tracking methods by other services [14][15] Industry Impact - The findings highlight a significant gap in privacy protections for Android users, with many website operators unaware of the tracking methods employed by Meta and Yandex [14][16] - The unprecedented nature of cross-platform tracking by these companies raises concerns about user privacy and the need for better transparency [16]