Subj : Covert web-to-app tracking via localhost on Android
To   : All
From : LWN.net
Date : Wed Jun 11 2025 14:30:08

Date: Wed, 11 Jun 2025 13:16:43 +0000

Description:
The "Local Mess" GitHub repository is dedicated to the disclosure of an Android tracking exploit used by (at least) Meta and Yandex.

While there are subtle differences in the way Meta and Yandex bridge web and mobile contexts and identifiers, both of them essentially misuse the unvetted access to localhost sockets. The Android OS allows any installed app with the INTERNET permission to open a listening socket on the loopback interface (127.0.0.1). Browsers running on the same device also access this interface without user consent or platform mediation. This allows JavaScript embedded on web pages to communicate with native Android apps and share identifiers and browsing habits, bridging ephemeral web identifiers to long-lived mobile app IDs using standard Web APIs.

This backdoor, the use of which has evidently stopped since its disclosure, allows tracking of users across sites regardless of cookie policies or use of incognito browser modes.

======================================================================
Link to news story: https://lwn.net/Articles/1024844/
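
An added example (not from LWN or the "Local Mess" repository): a Python audit of a /proc/net/tcp capture that lists app-owned listeners bound to 127.0.0.1 and the other app UIDs connected to them, which is the web-to-app bridge described above. The sample capture, its ports and its UIDs are constructed, and being able to read /proc/net/tcp from the device is an assumption.

```python
import socket
import struct

TCP_LISTEN = 0x0A       # kernel TCP state code for LISTEN
FIRST_APP_UID = 10000   # Android gives installed apps UIDs from 10000 upward

# Constructed sample capture (not taken from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 51234 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10111        0 51300 1 0000000000000000 100 0 0 10 0
   2: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20111 1 0000000000000000 100 0 0 10 0
   3: 0100007F:9C40 0100007F:3039 01 00000000:00000000 00:00000000 00000000 10150        0 51400 1 0000000000000000 20 4 30 10 -1
"""

def _endpoint(field):
    """Decode 'HEXIP:HEXPORT' (IPv4 only, little-endian host order) to (ip, port)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse(text):
    """Turn /proc/net/tcp text into dicts with local, remote, state and uid."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 8:
            continue
        rows.append({"local": _endpoint(f[1]), "remote": _endpoint(f[2]),
                     "state": int(f[3], 16), "uid": int(f[7])})
    return rows

def loopback_app_listeners(rows):
    """Sorted (port, uid) for app-owned sockets listening on 127.0.0.1."""
    return sorted((r["local"][1], r["uid"]) for r in rows
                  if r["state"] == TCP_LISTEN and r["local"][0] == "127.0.0.1"
                  and r["uid"] >= FIRST_APP_UID)

def cross_uid_clients(rows):
    """Sorted (client_uid, listener_uid, port): a different UID talking to a listener."""
    owners = dict(loopback_app_listeners(rows))     # port -> owning uid
    return sorted((r["uid"], owners[r["remote"][1]], r["remote"][1]) for r in rows
                  if r["state"] != TCP_LISTEN and r["remote"][0] == "127.0.0.1"
                  and r["remote"][1] in owners and r["uid"] != owners[r["remote"][1]])

if __name__ == "__main__":
    table = parse(SAMPLE)
    print("app listeners on loopback:", loopback_app_listeners(table))
    print("cross-UID loopback clients:", cross_uid_clients(table))
```

A hit from cross_uid_clients where the client UID belongs to a browser and the listener UID to an unrelated app is the pattern worth investigating; IPv6 sockets in /proc/net/tcp6 are not covered here.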