from Hacker News

Meta found 'covertly tracking' Android users through Instagram and Facebook

by austinallegro on 6/4/25, 4:00 PM with 93 comments

  • by gnabgib on 6/4/25, 4:11 PM

    Discussion (447 points, 1 day ago, 302 comments) https://news.ycombinator.com/item?id=44169115
  • by runevault on 6/4/25, 5:46 PM

    This type of thing is exactly why I don't go installing apps from every company that wants me to put something on my phone to get "reward points" or the like. Security is never perfect and they clearly want additional data, why else bother with the phone app?
  • by radicalbyte on 6/4/25, 5:32 PM

    Facebook installed a rootkit on many Androids which had the ability to send all of your debug-level system logging to Facebook. Even if you never installed their shit. That data can be used to track everything you do on your phone.

    We found this out (I was the first to recreate / prove it) when testing the COVID contact tracing apps in NL, at the time Google were logging the seeds to the main system log. That allowed anyone with access to said logs to build a real-time map of every Android user in the world who had the GAEN framework installed.

    EDIT:

    Here's the press release in English covering the app shutdown:

    https://nltimes.nl/2021/04/29/coronamelder-app-taken-offline...

    Here's a paper detailing Facebook's access infecting systems with no Facebook installed:

    https://arxiv.org/pdf/1905.02713

  • by kfkdjajgjic on 6/4/25, 4:46 PM

    if (cookies.accepted) { trackUser(); } else { trackUserAnyway(); }
  • by ethagnawl on 6/4/25, 5:28 PM

    If you must use these services, use their websites. The UX is diminished but, at least for me, that's a benefit because it results in me using them less.
  • by jpm_sd on 6/4/25, 5:02 PM

  • by qnleigh on 6/4/25, 5:58 PM

    Do we know how these apps were able to track browser activity? The only clues I see in the article are that it was on a per-website basis, and that it worked in incognito mode.

    I'm especially curious if Google shares any of the blame. Was this a known issue and they assumed no one would actually exploit it, or a subtle bug that only just got caught? Either way it's a huge security vulnerability.

  • by john01dav on 6/4/25, 4:55 PM

    Is this a violation of the Computer Fraud and Abuse Act? It seems to me like it might be because they're literally breaking out of a sandbox and viewing data from other apps. Other cases of that (like breaking out of VMs on a cloud provider) are clear violations. Sometimes people see violations of the law by a big corporation against people as less bad than when a single person does the same thing, but that's unreasonable -- if anything the former is more harmful due to potential for scale.
  • by tortilla on 6/4/25, 7:09 PM

    How would you explain this to the layperson or normie?

    It’s like Meta giving every AirBnB host a free toaster as a gift — but secretly, the toaster has a hidden microphone and internet connection that listens in on every guest’s conversation, then beams that info back to Meta.

  • by ChrisArchitect on 6/4/25, 5:19 PM

  • by m463 on 6/4/25, 6:14 PM

    this kind of stuff is everywhere.

    iOS does the same thing. When you install an app, they allow deep linking of their URLs.

    For example, if you install the Amazon app, any Amazon link loaded on your phone can be intercepted by it (messages, mail, browser, etc.)

    I think the same kinds of things can be done with location services. A store app can do fine-grained Bluetooth location with iBeacons in their store.

    I don't know the state-of-the-art in cross-application tracking. I'm pretty sure SDKs added to multiple apps can do the same sort of thing.

    At some point a number of years ago, I just stopped installing apps.
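The link-claiming behaviour described in the comment above has a built-in check that is worth knowing: on Android the equivalent of iOS Universal Links is App Links, and an app only gets a domain's links handed to it without a prompt if the domain owner publishes a file vouching for that app. The manifest excerpt below is an added example for this page, not code from the thread or from any vendor named in it; the package name, activity name and domain are hypothetical placeholders.

```xml
<!-- AndroidManifest.xml excerpt for a hypothetical app "com.example.shop"
     claiming the hypothetical domain shop.example.com -->
<activity android:name=".LinkActivity" android:exported="true">
    <!-- autoVerify="true" asks the OS, at install time, to fetch
         https://shop.example.com/.well-known/assetlinks.json and confirm
         that it lists this package and the SHA-256 fingerprint of its
         signing certificate. Only a verified domain is routed to this
         activity silently on Android 12 and later; an unverified claim
         opens in the browser instead, so a third-party app cannot quietly
         take over links for a domain it does not control. -->
    <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="https" android:host="shop.example.com" />
    </intent-filter>
</activity>
```

To audit what an installed app has actually been granted, `adb shell pm get-app-links <package>` (Android 12+) prints each claimed domain with its verification state, and `adb shell pm set-app-links --package <package> 0 all` resets the app's claims. Custom URL schemes (for example `myapp://`) are not verified at all and any app can register them, which is the older behaviour the comment is describing.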

  • by sherdil2022 on 6/4/25, 4:14 PM

    Why do companies still risk doing these kinds of things?

    Externally we have some amazing security researchers who look out and dig these things out - and try to hold the companies responsible.

    And what is the internal process? Wouldn't these intrusive and privacy-violating features (to track users, for example) be captured in design docs, emails, chats, code changes/PRs - and up for discovery? Aren't employees saying anything against these features? What culture are they building? What leadership are they demonstrating? It can't all be about money at any cost, damn the users and their privacy/rights, right?

  • by iammrpayments on 6/4/25, 5:30 PM

    I have no idea how Meta is so successful; managing ads in their business dashboard is such a painful experience that I gave up testing new ads after a while. They also keep trying to push features designed to make you spend more money once your ad is running, and their "representatives" will keep calling you with "strategies", but 99% of the time they have zero idea of how it works. If your account gets banned, good luck finding a real human being who can solve your issue.
  • by GiorgioG on 6/4/25, 5:08 PM

    I deleted Facebook and Instagram from my iPhone two weeks ago. I'm done getting ads about something my wife and I were discussing just a little while ago (verbal conversation.) That's not targeting, that's an invasion of privacy. Fuck you Meta.
  • by Johnny555 on 6/4/25, 5:23 PM

    >Google, which owns the Android operating system, confirmed the covert activity to Sky News.

    >It said Meta and Yandex used Android's capabilities "in unintended ways that blatantly violate our security and privacy principles".

    Did Google immediately remove these apps with blatant security and privacy violations from their app store?

    I wish there was a way to prevent an app from running in the background.

  • by energy123 on 6/4/25, 5:25 PM

    Time to start imprisoning execs
  • by KingOfCoders on 6/4/25, 5:27 PM

    As long as CEOs don't go to jail, this will not stop.

      CEO MANIFESTO
      Do illegal thing,
      increase revenue,
      bonus for me,
      if caught,
      punishment for the company.