Comment by ranguna

7 days ago

TL;DR because this article has way too much filler for my taste (but I'm sure there are people out there who enjoy reading that kind of thing):

The native Instagram and Meta apps start a server listening on predefined ports when you launch said apps; they eventually run in the background as well. When you are in your browser, whether in private mode, not logged in, with cookies refused or disabled, or anything else that might make you feel like you are not being explicitly tracked, the browser will connect to the locally running servers through WebRTC and send all tracking data to said servers from the browser.

The Android sandboxing thing is basically about how Android isolates each app and should only allow communication through Android intents that inform the user of such inter-app communication, such as sharing photos and the like. In this case, the browser is communicating with the Instagram and Facebook apps without letting the user know.

The legal infringement here is that this happens even when you refuse to be tracked, which is a violation of GDPR and another law mentioned in the article.

The 32B figure is a theoretical maximum (but they also mentioned 100B+ in the article, which confuses me).

And according to the article, they're using RTC because Android is meant to be hardened against backdooring localhost, but Meta found a loophole that allowed it if over RTC.

The technical details roughly boil down to "your browser lets internet sites talk to local services"; in this case, if they cooperate, they can identify each other, but cf. https://mrbruh.com/asusdriverhub/

In practical terms this is a privacy leak a couple bits more informative but slightly less robust than "these requests are coming from the same IP address."
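The comment above says the native apps open a server on predefined localhost ports; the check a practitioner would want is to see which app UIDs on the device have sockets a browser could reach over loopback. The script below is an added example, not the commenter's or the article's code: it decodes the kernel's `/proc/net/{tcp,tcp6,udp,udp6}` table format (hex little-endian addresses, hex ports, state `0A` = LISTEN for TCP, all-zero remote address for a bound UDP socket) and reports listeners bound to loopback or the wildcard address, flagging UIDs in Android's app range (10000 and up). The sample tables, and the port numbers and UID 10123 in them, are constructed for the demo and are not the ports or UIDs of any real app.

```python
"""List sockets an on-device browser could reach over loopback, from /proc/net dumps.

Run against files pulled from a device, e.g.:
    adb shell cat /proc/net/tcp  > tcp.txt
    adb shell cat /proc/net/tcp6 > tcp6.txt
    adb shell cat /proc/net/udp  > udp.txt
    python3 this_script.py tcp.txt tcp6.txt udp.txt
"""
import socket
import struct
import sys

TCP_LISTEN = 0x0A               # 'st' column value for a listening TCP socket
ANDROID_APP_UID_START = 10000   # Android assigns UIDs >= 10000 to installed apps


def decode_ipv4(hexaddr):
    """'0100007F' -> '127.0.0.1': the kernel prints the u32 in host (little-endian) order."""
    return socket.inet_ntoa(struct.pack("<I", int(hexaddr, 16)))


def decode_ipv6(hexaddr):
    """32 hex digits = four little-endian u32 words -> textual IPv6 address."""
    raw = b"".join(struct.pack("<I", int(hexaddr[i:i + 8], 16)) for i in range(0, 32, 8))
    return socket.inet_ntop(socket.AF_INET6, raw)


def parse_proc_net(text):
    """Parse one /proc/net/{tcp,tcp6,udp,udp6} dump; the family is inferred from the address width."""
    rows = []
    for line in text.splitlines()[1:]:        # first line is the column header
        f = line.split()
        if len(f) < 8:
            continue
        laddr, lport = f[1].split(":")
        raddr, rport = f[2].split(":")
        decode = decode_ipv6 if len(laddr) == 32 else decode_ipv4
        rows.append({
            "local_ip": decode(laddr),
            "local_port": int(lport, 16),
            "remote_unset": set(raddr) == {"0"} and int(rport, 16) == 0,
            "state": int(f[3], 16),
            "uid": int(f[7]),
        })
    return rows


def is_browser_reachable(ip):
    """A page on the same device can reach a socket bound to loopback or to the wildcard address."""
    return ip in ("0.0.0.0", "::", "::1") or ip.startswith("127.")


def loopback_listeners(tcp_dumps, udp_dumps):
    """Return sorted (proto, ip, port, uid, is_app_uid) tuples for browser-reachable listeners."""
    found = set()
    for text in tcp_dumps:
        for r in parse_proc_net(text):
            if r["state"] == TCP_LISTEN and is_browser_reachable(r["local_ip"]):
                found.add(("tcp", r["local_ip"], r["local_port"], r["uid"],
                           r["uid"] >= ANDROID_APP_UID_START))
    for text in udp_dumps:
        for r in parse_proc_net(text):
            # UDP has no LISTEN state (st shows 07); a bound, unconnected socket has a zero remote.
            if r["remote_unset"] and is_browser_reachable(r["local_ip"]):
                found.add(("udp", r["local_ip"], r["local_port"], r["uid"],
                           r["uid"] >= ANDROID_APP_UID_START))
    return sorted(found)


# Constructed sample tables (not captured from a real device): an app UID 10123 listening on
# 127.0.0.1:8080/tcp, [::1]:8081/tcp and 127.0.0.1:12345/udp, plus sshd on 0.0.0.0:22 (uid 0),
# an established connection (state 01) and a DHCP client socket on a non-loopback address.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 40001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 40002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0100007F:1F90 01 00000000:00000000 00:00000000 00000000 10123        0 40003 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:1F91 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 40004 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_UDP = """\
   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  100: 0100007F:3039 00000000:0000 07 00000000:00000000 00:00000000 00000000 10123        0 40005 2 0000000000000000 0
  101: 0F02000A:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 40006 2 0000000000000000 0
"""


def main(paths):
    """Classify each file by its header width and print the browser-reachable listeners."""
    if not paths:
        tcp, udp = [SAMPLE_TCP, SAMPLE_TCP6], [SAMPLE_UDP]
    else:
        tcp, udp = [], []
        for p in paths:
            text = open(p).read()
            (udp if "udp" in p else tcp).append(text)
    for proto, ip, port, uid, is_app in loopback_listeners(tcp, udp):
        tag = "APP" if is_app else "sys"
        print(f"{proto:3} {ip}:{port}  uid={uid} ({tag})")


if __name__ == "__main__":
    main(sys.argv[1:])
```

To map a flagged UID back to a package, `adb shell pm list packages -U` prints each package with its uid. A listener on `0.0.0.0` or `::` is reported as well, since a page on the device reaches it through loopback just like an explicit `127.0.0.1` bind.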