
Covert web-to-app tracking via localhost on Android

by
corbet
from LWN.net on (#6XXDA)
The "Local Mess" GitHub repository is dedicated to the disclosure of an Android tracking exploit used by (at least) Meta and Yandex.

While there are subtle differences in the way Meta and Yandex bridge web and mobile contexts and identifiers, both of them essentially misuse the unvetted access to localhost sockets. The Android OS allows any installed app with the INTERNET permission to open a listening socket on the loopback interface (127.0.0.1). Browsers running on the same device also access this interface without user consent or platform mediation. This allows JavaScript embedded on web pages to communicate with native Android apps and share identifiers and browsing habits, bridging ephemeral web identifiers to long-lived mobile app IDs using standard Web APIs.

This backdoor, the use of which has evidently stopped since its disclosure, allows tracking of users across sites regardless of cookie policies or use of incognito browser modes.
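As an added defender-side check for the loopback-socket mechanism quoted above (example code written for this page, not code from the Local Mess repository or from LWN): parse an Android device's /proc/net/tcp, as pulled with adb, and list which app UIDs hold listening sockets that a browser on the same device can reach via localhost. The sample table below is constructed; its ports and UIDs are placeholders, not values from the disclosure.

```python
from typing import List, NamedTuple

# Constructed sample of /proc/net/tcp as it appears on an Android device.
# Ports and UIDs are placeholders chosen for this example.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 42001 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 42002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A1B2 0100007F:C3D4 01 00000000:00000000 00:00000000 00000000 10123        0 42003 1 0000000000000000 20 4 30 10 -1
   3: 0100007F:2F4B 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10456        0 42004 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = "0A"               # socket state code for LISTEN in /proc/net/tcp
FIRST_APPLICATION_UID = 10000   # Android assigns installed-app UIDs from here upward


class LoopbackListener(NamedTuple):
    port: int
    uid: int
    bound_to: str


def parse_hex_ipv4(addr: str):
    """Decode a 'AABBCCDD:PPPP' entry; the IPv4 bytes are in host (little-endian) order."""
    ip_hex, port_hex = addr.split(":")
    octets = bytes.fromhex(ip_hex)[::-1]
    return ".".join(str(b) for b in octets), int(port_hex, 16)


def loopback_listeners(proc_net_tcp: str) -> List[LoopbackListener]:
    """Return LISTEN sockets reachable from a browser via localhost.

    A socket bound to 127.x.x.x is obviously reachable; one bound to the
    wildcard 0.0.0.0 accepts loopback connections too, so both are reported.
    """
    found = []
    for line in proc_net_tcp.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        ip, port = parse_hex_ipv4(fields[1])     # local_address
        state, uid = fields[3], int(fields[7])   # st, uid
        if state == TCP_LISTEN and (ip.startswith("127.") or ip == "0.0.0.0"):
            found.append(LoopbackListener(port, uid, ip))
    return found


def app_listeners(proc_net_tcp: str) -> List[LoopbackListener]:
    """Keep only listeners owned by installed apps (system daemons have UIDs below 10000)."""
    return [l for l in loopback_listeners(proc_net_tcp) if l.uid >= FIRST_APPLICATION_UID]


if __name__ == "__main__":
    # On a real device, feed in the output of: adb shell cat /proc/net/tcp
    for listener in app_listeners(SAMPLE_PROC_NET_TCP):
        print(f"uid {listener.uid} listens on {listener.bound_to}:{listener.port}")
```

To turn a reported UID into a package name, look it up on the device with `adb shell pm list packages -U` (recent Android versions); IPv6 listeners live in /proc/net/tcp6 and are not parsed here.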
