{"id":4525,"date":"2025-06-10T05:01:22","date_gmt":"2025-06-10T05:01:22","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/06\/10\/new-way-to-track-covertly-android-users-html\/"},"modified":"2025-06-10T05:01:22","modified_gmt":"2025-06-10T05:01:22","slug":"new-way-to-track-covertly-android-users-html","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/06\/10\/new-way-to-track-covertly-android-users-html\/","title":{"rendered":"New Way to Track Covertly Android Users"},"content":{"rendered":"\n<div>New Way to Track Covertly Android Users<\/div>\n<p> \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>Researchers have <a href=\"https:\/\/localmess.github.io\/\">discovered<\/a> a new way to covertly track Android users. Both Meta and Yandex were using it, but have suddenly stopped now that they have been caught.<\/p>\n<p>The <a href=\"https:\/\/arstechnica.com\/security\/2025\/06\/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers\/\">details<\/a> are interesting, and worth reading in detail:<\/p>\n<blockquote>\n<p>&gt;Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, <a href=\"https:\/\/localmess.github.io\/\">researchers have discovered<\/a>. Google says it\u2019s investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.<\/p>\n<p>The covert tracking\u00adimplemented in the <a href=\"https:\/\/www.facebook.com\/business\/tools\/meta-pixel\/\">Meta Pixel<\/a> and <a href=\"https:\/\/ads.yandex\/metrica\">Yandex Metrica<\/a> trackers\u00adallows Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. <a href=\"https:\/\/source.android.com\/docs\/security\/app-sandbox\">Android sandboxing<\/a>, for instance, isolates processes to prevent them from interacting with the OS and any other app installed on the device, cutting off access to sensitive data or privileged system resources. Defenses such <span style=\"box-sizing: border-box; margin: 0px; padding: 0px;\">as <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Privacy\/Guides\/State_Partitioning\" target=\"_blank\" rel=\"noopener\">state<\/a><\/span><a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Privacy\/Guides\/State_Partitioning\"> partitioning<\/a> and <a href=\"https:\/\/privacysandbox.google.com\/cookies\/storage-partitioning\">storage partitioning<\/a>, which are built into all major browsers, store site cookies and other data associated with a website in containers that are unique to every top-level website domain to ensure they\u2019re off-limits for every other site.<\/p>\n<\/blockquote>\n<p><i>Washington Post<\/i> <a href=\"https:\/\/www.washingtonpost.com\/technology\/2025\/06\/06\/meta-privacy-facebook-instagram\/\">article<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Bruce Schneier<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/www.schneier.com\/blog\/archives\/2025\/06\/new-way-to-track-covertly-android-users.html\">Go to bruce schneier<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New Way to Track Covertly Android Users Researchers have discovered a new way to covertly track Android users. Both Meta and Yandex were using it, but have suddenly stopped now that they have been caught. The details are interesting, and worth reading in detail: &gt;Tracking code that Meta and Russia-based Yandex embed into millions of [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[57,1],"tags":[87],"class_list":["post-4525","post","type-post","status-publish","format-standard","hentry","category-bruce-schneier","category-uncategorized","tag-bruce-schneier"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/4525"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=4525"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/4525\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=4525"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=4525"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=4525"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}