Source URL: https://www.schneier.com/blog/archives/2025/06/new-way-to-track-covertly-android-users.html
Source: Schneier on Security
Title: New Way to Track Covertly Android Users
Feedly Summary: Researchers have discovered a new way to covertly track Android users. Both Meta and Yandex were using it, but have suddenly stopped now that they have been caught.
The details are interesting, and worth reading in detail:
>Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it’s investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities…
AI Summary and Description: Yes
Summary: The text discusses a significant privacy breach involving covert tracking methods deployed by Meta and Yandex on Android devices. It highlights how these companies exploited internet protocols to de-anonymize users, prompting an investigation by Google into the implications for user privacy and security.
Detailed Description: The discovery of covert tracking methods used by Meta and Yandex has raised critical concerns about user privacy and security on Android devices. Here are the major points outlined in the text:
– **Covert Tracking Techniques**: Meta and Yandex were found to embed tracking codes into numerous websites. This approach allowed them to de-anonymize visitors by taking advantage of legitimate internet protocols.
– **Abuse of Functionality**: The tracking mechanism caused web browsers like Chrome to inadvertently send unique identifiers to native apps on users’ devices.
– **Investigation Initiated**: Following the revelation, Google has begun investigating the methods used by Meta and Yandex, underlining the seriousness of the findings.
– **Bypassing Security Protections**: The implemented tracking through Meta Pixel and Yandex Metrica successfully bypassed core security and privacy protections inherent to the Android OS and associated browsers.
– **Android Sandboxing**: Sandboxing is a security feature designed to isolate processes to prevent unauthorized interactions with the operating system or other installed applications. The bypassing of this feature by external tracking could expose sensitive user data.
– **Defenses in Browsers**: Major browsers utilize state and storage partitioning to manage site cookies and related data, ensuring that contents from different domains remain isolated. However, these defenses were circumvented in this case.
The implications of these findings are particularly relevant for professionals in security and compliance, as they indicate vulnerabilities within widely used systems that can be exploited for malicious tracking purposes. Organizations must remain vigilant and update their security strategies to address similar threats and protect user privacy.