[German]I'm adding an information that I came across a few days ago. Anyone using apps or services from Meta (Facebook & Co.) or Yandex (Russian, less common in DACH) on Android was tracked. Security researchers have discovered that tracking pixels bypass the sandbox isolation in the browser and transmit users' personal data to apps and service servers. Meta has discontinued this tracking mechanism as of June 3, 2025 after it was discovered.
I read the information first at German site Golem in the article Meta und Yandex de-anonymisieren Android-Nutzer. There is a website in English with the original information and details. The technical facts in a nutshell: The two vendors (Meta and Yandex) are using tracking pixels in the browser under Android to de-anonymize the user. To do this, the Chrome apps and other browser apps are made to send unique IDs to native Android apps.
Android tracking via localhost
Sandboxing in browser apps on Android was actually intended to prevent user data from being leaked to other apps. Using a unique ID generated in the browser, the identity of the user was passed on by the browsers to the native Android apps from Facebook and Instagram as well as to various Yandex apps via localhost.
The user was registered in the respective apps of the providers and was known by name, email and, if applicable, telephone number. Specifically, the aforementioned providers were able to link the user's browser history with the user account used in the app and thus evaluate surfing habits and other details.
The discovery was made by researchers from the IMDEA Networks Institute (Madrid), the Dutch Radboud University and the Belgian University of Leuven. They have set up this website with detailed technical information.
According to the analysis site BuiltWith, the so-called meta pixel is integrated into over 5.8 million websites. Yandex Metrica, on the other hand, can be found on almost 3 million websites. According to HTTP Archive, an open and public data set that performs monthly crawls of ~16 million websites, Meta Pixel and Yandex Metrica can be found on 2.4 million and 575,448 websites respectively. These pixels and web-to-app tracking made the user virtually transparent.
This illegal practice of web-to-app user tracking has been exploited by Yandex since 2017 and by Meta since September 2024. The screenshot above shows that Meta discontinued this practice on June 3, 2025 (7:45 a.m. European time). By disclosing the facts, Meta and Yandex have now been caught – which may have legal repercussions for Meta.
