Meta and Yandex Disclosure: Covert Web-to-App Tracking via Localhost on Android

It’d be difficult to make work reliably on iOS due to how it handles background processes. Processes can’t just hang around forever, they’re expected to quickly and efficiently finish their task and close until their next scheduled run (which is determined by the system — devs can request to run whenever they want, but processes that are badly behaved get downranked and run less often). If its task is taking too long the system unceremoniously kills the process.

This is limiting and makes implementing programs like Syncthing more challenging but also helps keep the battery eaters and eternal listeners until control.

Thanks! Macroexpanded:

"Localhost tracking" explained. It could cost Meta €32B - https://news.ycombinator.com/item?id=44235467 - June 2025 (274 comments)

Meta found 'covertly tracking' Android users through Instagram and Facebook - https://news.ycombinator.com/item?id=44182204 - June 2025 (93 comments)

Meta pauses mobile port tracking tech on Android after researchers cry foul - https://news.ycombinator.com/item?id=44175940 - June 2025 (28 comments)

Covert web-to-app tracking via localhost on Android - https://news.ycombinator.com/item?id=44169115 - June 2025 (344 comments)

Yes, I rely on this for my internal app to serve scriptlets to ublock origin. I hope they won't take it away, at least make it possible for the user to keep this behaviour..

I also rely on this for another internal app that opens a rsync server..

Essentially, yeah.

Chromecast and Netflix have done this for a while now to facilitate some sort of hand-off.

I don’t have the details handy, but a few years ago I was `adb shell` into my device to debug something untreated and did a quick `netstat` and noticed a few ports that were open / did not expect. Tracked them down to Netflix, specifically.

Yes, this permission allows that. Docs say: “Allows applications to open network sockets.”[1], full description seems to be[2]:

> Allows the app to create network sockets and use custom network protocols. The browser and other applications provide means to send data to the internet, so this permission is not required to send data to the internet.

[1]: https://android.googlesource.com/platform/frameworks/base/+/...

[2]: https://android.googlesource.com/platform/frameworks/base/+/...

It is not a sane way. It is a drain on humanity. It is only done because it is allowed/accepted and that will not change by living with it.

Why do you support lawlessness when it's done by a business?

Is your position really that if there is a selfish motive, it justifies the crime - or only as long as it is done by elite businesses?

Why are you against calling it out such that we can protect ourselves from it? Meta immediately stopped this behavior once it was disclosed.

Also https://en.wikipedia.org/wiki/PRISM is not a conspiracy theory

I'm not required to give something up simply because a corporation decides they wish to take it.

Keeping tabs on how Meta et al are tracking people, allows those who care to avoid it.

You clearly don't care about what corporations are doing; why do you care so deeply what other people are doing about what corporations are doing?

This article is a counterexample to the helplessness you advocate. This research forced Meta to stop doing it. There is no cosmic law that says they must track or that we have to allow them to do so.