Meta’s Pixel and Yandex’s Metrica Trackers Scoff At Android’s Sandbox

We’re Calling Spying De-anonymizing Now?

Two app companies with widespread penetration in the smartphone market, Meta and Yandex, have been caught breaking Android’s sandboxing and pass unique identifiers from your browser to their apps.  This behaviour violates the terms of service for the Google Play marketplace and should be of great concern for anyone with even a modicum of interest in their own privacy; it may well also breach the law in some counties.  Meta has suggested this is just a misunderstanding of those terms on their part, while Yandex hasn’t bothered to make any sort of response to Ars Technica’s inquiries.

The way the two companies break out of the sandbox is by constantly monitoring and sometimes sending traffic over certain ports which are open but not actively used when you browse to a website.  That allows the companies to determine which sites you are visiting and if you are signed into an app like Facebook or one of the many Yandex mobile apps, is able to send that data, along with a unique identifier to that app.  This completely defeats the protection that the Android sandbox offers, letting the companies track your every move on the web.  The researchers who discovered this behaviour also noticed the two companies are constantly working to improve their ability to escape the sandbox and you can get the details on the various ways they are doing so in this post.