Meta and Yandex Have Both Been De-Anonymizing Android Users’ Ostensibly Sandboxed Private Web Browsing Identifiers

John Gruber, over at Daring Fireball, reports on the discovery of Facebook tracking Android users:

These native Android apps receive browsers’ metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users’ mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps access programmatically device identifiers like the Android Advertising ID (AAID) or handle user identities as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users’ visiting sites embedding their scripts.

And in a follow-up post:

I’ll note that among the so-called “interoperability” requirements the European Commission is demanding of iOS is for third-party apps to run, unfettered, in the background, because some of Apple’s own first-party software obviously runs in the background. And I’ll further note that Apple made clear, back in its December 2024 report laying out its objections to the EC’s demands, that:

No company has made more interoperability requests of Apple than Meta. In many cases, Meta is seeking to alter functionality in a way that raises concerns about the privacy and security of users, and that appears to be completely unrelated to the actual use of Meta external devices, such as Meta smart glasses and Meta Quests.

I don’t have Facebook or Instagram on my phone. If I want to use those services (which is very rarely lately), I’ll load them in a private browsing tab.

The one Facebook app I have installed on my phone is WhatsApp, which I only use occasionally. I restrict it by disabling its ability to run in the background through iOS settings and usually force quit it when I’m done. Some people think disabling background refresh prevents the app from sending you notifications, but that isn’t the case.