Bridges to Self: Silent Web-to-App Tracking on Mobile via Localhost
Date
2026-08
Abstract
Modern browsers and mobile operating systems rely on sandboxing and process isolation to keep web and app contexts apart. In this paper, we show that these isolation guarantees can be, and have been, broken in practice on Android devices by Meta and Yandex to enable cross-context tracking that bridges web tracking with native identities. Using a combination of large-scale web crawls from US and EU vantage points and systematic Android app analysis, we characterize a previously undocumented family of web-to-app tracking paradigms that exploit web standards such as HTTP(S), WebSocket, and WebRTC to connect mobile and web contexts over localhost. By linking pseudonymous web cookies to long-lived native user IDs, these channels enable persistent, stealthy cross-context tracking and de-anonymization. The technique defeats protections such as cookie clearing, Incognito mode, Mobile Advertising ID (MAID) resets, VPNs, and Android's separation of work and personal profiles. We further show that Meta Pixel and Yandex Metrica initiated localhost bridging before the user had accepted a cookie consent banner. We evaluate the patches and defenses browsers deployed against these attacks in response to our responsible disclosure, as well as the upcoming Local Network Access (LNA) permission, which introduces user prompts for access to localhost and local-network addresses. In doing so, we identify additional side channels that bypass such protections using (i) global-unicast IPv6 addresses in WebRTC and (ii) mDNS lookups on *.local domains. Our results, together with an accompanying legal analysis, expose structural shortcomings and the need to revisit platforms' and browsers' isolation principles, threat and trust models, protocol standards, and app review processes to prevent future cross-context abuse.
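The abstract names the channels a page can use to reach a native app on the same device: HTTP(S) and WebSocket requests to loopback, plus two patterns that slip past a Local Network Access prompt keyed on loopback and private ranges, namely mDNS names under *.local and global-unicast IPv6 addresses carried in WebRTC ICE candidates. The following classifier, written here as an added example and not taken from the paper or from any of the trackers it studies, sorts request URLs and ICE candidate lines recorded during a crawl by the kind of address they target so that these bridging attempts stand out. Every port, path, hostname and candidate string in it is constructed for illustration; the address-range checks are the standard ones (127.0.0.0/8, ::1, RFC 1918, fe80::/10, fc00::/7, 2000::/3) and the IP-literal detection is a deliberately simple regex heuristic.

```javascript
// Added example, not code from the paper: classify request URLs and WebRTC ICE
// candidates by the kind of address they target, so that localhost bridging
// (HTTP(S)/WebSocket to loopback) and the LNA-bypass patterns the abstract names
// (*.local mDNS names, global-unicast IPv6 in WebRTC) stand out in crawl data.
// All ports, paths, hostnames and candidate strings below are constructed.

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
// Heuristic IPv6 literal check (contains ':' and only hex, ':' and '.').
function isIPv6(s) { return s.includes(':') && /^[0-9a-f:.]+$/i.test(s); }

// 127.0.0.0/8 loopback, RFC 1918 private, 169.254.0.0/16 link-local.
function ipv4Class(ip) {
  const [, a, b] = IPV4.exec(ip).map(Number);
  if (a === 127) return 'loopback';
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return 'private';
  if (a === 169 && b === 254) return 'link-local';
  return 'public';
}

// Decide from the leading hextet: ::1, fe80::/10, fc00::/7 (ULA), 2000::/3 (global).
function ipv6Class(ip) {
  const addr = ip.toLowerCase();
  if (addr === '::1') return 'loopback';
  const first = parseInt(addr.split(':')[0] || '0', 16);
  if ((first & 0xffc0) === 0xfe80) return 'link-local';
  if ((first & 0xfe00) === 0xfc00) return 'private';
  if ((first & 0xe000) === 0x2000) return 'global-unicast';
  return 'other'; // e.g. IPv4-mapped ::ffff:a.b.c.d; handle separately if needed
}

function hostClass(hostname) {
  let host = hostname.toLowerCase();
  // The WHATWG URL API keeps the brackets around IPv6 hostnames.
  if (host.startsWith('[') && host.endsWith(']')) host = host.slice(1, -1);
  if (host === 'localhost' || host.endsWith('.localhost')) return 'loopback';
  if (host.endsWith('.local')) return 'mdns';
  if (IPV4.test(host)) return ipv4Class(host);
  if (isIPv6(host)) return ipv6Class(host);
  return 'public-name';
}

// Classify a URL fetched or opened from page script (fetch/XHR/img, WebSocket).
// Anything not bound for a public host is a candidate localhost/local-network bridge.
function classifyRequest(url) {
  const u = new URL(url);
  const target = hostClass(u.hostname);
  const suspicious = ['loopback', 'private', 'link-local', 'mdns'].includes(target);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port: u.port, target, suspicious };
}

// Classify the address in an SDP ICE candidate line:
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function classifyCandidate(line) {
  const parts = line.trim().replace(/^a=/, '').split(/\s+/);
  const address = parts[4] || '';
  const typIdx = parts.indexOf('typ');
  const type = typIdx >= 0 ? parts[typIdx + 1] : 'unknown';
  let target;
  if (IPV4.test(address)) target = ipv4Class(address);
  else if (isIPv6(address)) target = ipv6Class(address);
  else target = address.toLowerCase().endsWith('.local') ? 'mdns' : 'other';
  return { address, type, target };
}

function scanRequests(urls) {
  return urls.map(classifyRequest).filter((r) => r.suspicious);
}

// Constructed sample: the kind of request list a crawler would record for one page.
const SAMPLE_REQUESTS = [
  'https://www.example.com/tracker?ev=PageView',      // ordinary third-party request
  'https://localhost:8080/bridge?c=web-cookie-value', // HTTPS to loopback
  'ws://127.0.0.1:8080/',                             // WebSocket to loopback
  'http://[::1]:8080/',                               // IPv6 loopback
  'https://device-0123.local/',                       // mDNS name, no IP literal in the URL
];

// Constructed sample ICE candidates: a global-unicast IPv6 host candidate and an
// mDNS-obfuscated host candidate of the kind browsers emit.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 2001:db8:1::a 54321 typ host',
  'a=candidate:2 1 udp 2122194687 a1b2c3d4-0000-4000-8000-000000000000.local 61234 typ host',
];

for (const r of scanRequests(SAMPLE_REQUESTS)) {
  console.log('bridge?', r.scheme, r.host, r.port, r.target);
}
for (const c of SAMPLE_CANDIDATES) console.log('ice', classifyCandidate(c));
```

Run with `node`, the scan flags four of the five sample requests (the three loopback URLs and the .local name) and reports the first candidate as `global-unicast` and the second as `mdns`. A global-unicast IPv6 candidate is not malicious in itself; the point is that a prompt triggered only by loopback and private-range destinations never fires for it, and a .local name resolves via mDNS without any IP literal appearing in the URL, which is why both deserve a row in crawl output rather than being filtered as ordinary traffic.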


