Tracking Without Borders: Studying the Role of WebViews in Bridging Mobile and Web Tracking
Date
2025-07-14
Abstract
WebViews are a core component of today’s in-app browsing technologies on mobile platforms, playing a central role in rendering web content like mobile advertisements. However, their use and potential to bridge web and mobile tracking paradigms come at a significant privacy cost for users. Although prior work has highlighted privacy risks associated with WebViews, the real-world scale and privacy impact of their misuse and abuse remain unexplored due to the hybrid nature of WebViews—combining Java, native, and dynamically-loaded JavaScript (JS) code. In this paper, we present the first large-scale empirical study of WebView abuse in Android apps. We analyze how app developers and third-party SDKs facilitate user tracking by configuring WebViews to bypass default platform privacy protections and enable invasive tracking through JavaScript code. Using a novel analysis pipeline that combines static and dynamic analysis of Java/Kotlin code and JavaScript, we reveal how numerous actors undermine users’ privacy and exploit WebViews in the wild. We show that harmful JavaScript code, often distributed via unvetted Real-Time Bidding (RTB) processes, exploits WebViews to perform advanced tracking techniques such as cookie syncing, canvas fingerprinting, and misuse of the Java-JS interface and permission-protected JavaScript APIs to silently leak unique user identifiers and geolocation data without user awareness for cross-platform tracking.