Worried about AI privacy? It’s US tech giants like Meta that we need to watch.
In early June this year, a research document was released that was covered by a few technical publications, but frustratingly didn't receive nearly enough attention in the mainstream press.
The research by a team of five security academics discovered that Meta had set up their apps to circumvent online anonymity for their users. Take a moment to let that sink in.
Researchers apparently observed Meta's Pixel tracking code was largely removed and stopped sending data on the same day the research was made public. “Why did Facebook stop using this technique on the day of your public release?”, the research document rhetorically asked: “We don’t know, but we're happy to see that Android users are no longer affected by this type of abuse after our disclosure (for now).”
Make no bones about it: users of these apps should be paying close attention to this type of announcement. The effect of circumventing otherwise standard security controls on Android devices is nothing short of sinister.
Part of the often tacit agreement with service providers is that they operate within their own defined parameters: they run their services using the documented permissions allocated to an app or browser. They should not add JavaScript to webpages that surreptitiously connects back to an app on someone's Android device, apparently solely for the purpose of tracking a user's online activities.
Russians Acting Similarly
The research report also noted that Yandex, Russia's search engine, was doing exactly the same thing until the research became public. One key difference in their approach was that they closed down the tracking functionality for three days after the app was installed, in order to avoid detection.
Without security researchers earning their keep, end-users would never have known that such clandestine behaviour was taking place. The proliferation of apps being installed on smartphones is ideal for convenience, but acts as a magnet for both virtual and physical thieves.
If having your phone snatched from you whilst walking down the street was not already on your mind, it probably should be. Sadly these days such worries are in addition to having your personal data extracted unknowingly by US tech giants who operate under trustworthy brands.
Bypass Security Controls
The research around the covert Android activities offers detailed information about the way Meta and Yandex bypassed established security controls for the purpose of tracking users with real-world identifiers. The level of detail is indicative of the quality of research and should be treated as a call-to-arms for end-users and security personnel alike.
The research stated: “This tracking method defeats Android's inter-process isolation and tracking protections based on partitioning, sandboxing, or clearing client-side state.”
The covert tracking meant that even if you were clearing your browser cookies and viewing websites in incognito mode, these organisations knew exactly who you were and what you were doing online.
Since this research was disclosed, browser vendors have been scrambling to introduce patches to guard against these nefarious tactics for removing anonymity online. The researchers made sure that every base had been covered in order to prove that the behaviour was purposely stealthy: “We found no public technical documentation from Meta or Yandex describing this specific localhost-based communication technique.”
The act of obfuscating the tracking method should be worrying to all users of Facebook and Instagram. Should Apple device users get too comfortable, the research notes: “No evidence of abuse has been observed in iOS browsers and apps that we tested. That said, similar data sharing between iOS browsers and native apps is technically possible.”
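For anyone auditing the third-party scripts on a site, the localhost-based communication the researchers describe shows up as page requests whose destination is the device's own loopback interface. The following is an added example, not code from the research or from this article: it flags such requests in a captured request list, and the capture format, domains and ports are constructed for illustration.

```javascript
// Added example: report requests in a page-load capture that target loopback.
// The capture shape ({ initiator, url }) is an assumption made for this sketch.

function isLoopbackHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  // "localhost" and every name beneath it are reserved for loopback (RFC 6761).
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  // The URL parser has already normalised decimal, hex and short IPv4 forms,
  // so 2130706433 and 0x7f.1 both arrive here as 127.0.0.1.
  if (/^127(\.\d{1,3}){3}$/.test(host)) return true;
  // IPv6 loopback and IPv4-mapped IPv6 loopback (::ffff:7fxx:xxxx).
  if (host === "[::1]") return true;
  return /^\[::ffff:7f[0-9a-f]{2}:[0-9a-f]{1,4}\]$/.test(host);
}

function findLoopbackRequests(capture) {
  const findings = [];
  for (const { initiator, url } of capture) {
    let parsed;
    try {
      parsed = new URL(url);
    } catch {
      continue; // not an absolute URL, so there is no host to check
    }
    if (!["http:", "https:", "ws:", "wss:"].includes(parsed.protocol)) continue;
    if (isLoopbackHost(parsed.hostname)) {
      findings.push({
        initiator,
        host: parsed.hostname,
        port: parsed.port || "(default)",
      });
    }
  }
  return findings;
}

// Constructed sample capture: example domains and arbitrary ports.
const sampleCapture = [
  { initiator: "https://shop.example/", url: "https://cdn.example.net/lib.js" },
  { initiator: "https://tracker.example.net/t.js", url: "http://127.0.0.1:9999/sync?id=abc" },
  { initiator: "https://tracker.example.net/t.js", url: "ws://localhost:8080/" },
  { initiator: "https://tracker.example.net/t.js", url: "http://2130706433:9999/sync" },
  { initiator: "https://shop.example/", url: "https://[::1]/status" },
  { initiator: "https://shop.example/", url: "https://localhost.example.net/ok" },
];

console.log(findLoopbackRequests(sampleCapture));
```

A public website rarely has a reason to contact loopback, so each finding is worth tracing back to the script named in `initiator`.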
Fundamentally, it is no longer possible to trust software from well-known brands on our smartphones or tablets; instead, we need to remain vigilant and scrutinise every app that we use.
With the introduction of agents from ChatGPT recently having been announced, where tasks can be more easily automated directly from end-user devices, we have another type of threat looming. Simplified, feature-filled end-user automation should be considered a ticking time bomb.
Imagine, for example, realising months later that an automated task was sending bank records to a bad actor from your tablet every midnight, after you set up an innocuous task to summarise your daily emails and forgot you were using the agent’s functionality.
Educating end users is a priority, and even more so now, as the brave new world of AI takes a firmer hold.
Written by
Chris Binnie
Security consultant
Chris Binnie is a cloud native security consultant, who has worked with critical online infrastructure for almost three decades. Edinburgh-based, he has written three cybersecurity books, written extensively for Linux.com and been a writer for Linux Magazine and ADMIN Magazine for around 15 years.