Google Raises Concerns Over Data Privacy Violations by Meta and Yandex
In a recent statement, a Google representative indicated that certain practices associated with Meta and Yandex have breached the terms of service for the Google Play marketplace as well as the privacy expectations of Android users. The representative flagged the developers of Meta Pixel and Yandex Metrica for allegedly exploiting features available in multiple web browsers on both iOS and Android platforms in ways that directly contravene Google’s principles of security and privacy.
According to the representative, Google has begun to enact changes aimed at reducing the impact of these invasive methodologies. Furthermore, the company has initiated an internal investigation and is in direct communication with the involved developers to address these concerns.
Meta has not responded to direct inquiries regarding the allegations but provided a statement noting that it is in ongoing discussions with Google. It acknowledged that there may have been a miscommunication about how Google’s policies apply. In light of these concerns, Meta has decided to suspend the contested feature until a resolution is reached with Google.
Yandex, similarly, confirmed in an email that it is discontinuing the disputed practices and is maintaining dialogue with Google. The company emphasized its compliance with data protection regulations, asserting that the contested feature does not gather sensitive information and is intended solely for enhancing user personalization in its applications.
The reported issues center on the ways in which Meta Pixel developers have allegedly misused several network protocols for covert data gathering since September. Initially, the script directed browsers to send HTTP requests to port 12387 on the device’s local host. A month later the data transmission ceased, but the Facebook and Instagram applications continued to listen on that port.
In November, Meta Pixel adopted a new communication method using the WebSocket protocol over the same port, which enables real-time, two-way communication between the web page and the native app. Additionally, the developers used the WebRTC protocol, normally employed for audio and video calls, with a technique known as SDP munging: the script rewrites Session Description Protocol data before the browser processes it, inserting cookie data into connection fields. As a result, the browser transmits that cookie data inside STUN requests to the Android local host, where the Facebook and Instagram apps, listening on that port, can read it and link the browsing session to a logged-in user identity.
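A defender-side check for the SDP munging step described above, as an added example that is not part of the article or of any Meta or Google code. It audits an SDP offer (the sample offer, its loopback candidate and the cookie-like ice-ufrag value are constructed for illustration) and reports connection or ICE candidate fields that would make the browser send STUN traffic to the device’s own loopback interface, which is what a browser-side telemetry hook or WebView integration test would want to flag.

```python
import re

# Matches IPv4/IPv6 loopback and the literal hostname used for local host.
LOOPBACK = re.compile(r"^(127(\.\d{1,3}){3}|::1|localhost)$")

# Constructed sample: an offer as a page script might pass it to
# setLocalDescription() after munging. The loopback host candidate on
# port 12387 and the cookie-looking ice-ufrag payload are made up.
SAMPLE_SDP = """v=0
o=- 4611731400430051336 2 IN IP4 127.0.0.1
s=-
t=0 0
m=application 9 UDP/DTLS/SCTP webrtc-datachannel
c=IN IP4 127.0.0.1
a=ice-ufrag:CONSTRUCTED_COOKIE_VALUE
a=candidate:1 1 udp 2113937151 127.0.0.1 12387 typ host
"""

# Constructed clean offer: candidate points at a documentation-range address.
CLEAN_SDP = """v=0
o=- 1 2 IN IP4 127.0.0.1
s=-
t=0 0
m=application 9 UDP/DTLS/SCTP webrtc-datachannel
c=IN IP4 192.0.2.10
a=ice-ufrag:abcd
a=candidate:1 1 udp 2113937151 192.0.2.10 54321 typ host
"""


def audit_sdp(sdp: str) -> list[str]:
    """Return findings for SDP lines that steer ICE/STUN traffic to loopback.

    Only c= (connection data) and a=candidate lines are inspected, because
    those are the fields that decide where the browser sends STUN packets.
    The o= (origin) line commonly carries 127.0.0.1 and is not a signal.
    """
    findings = []
    for n, line in enumerate(sdp.splitlines(), 1):
        if line.startswith("c="):
            # c=<nettype> <addrtype> <connection-address>
            parts = line[2:].split()
            if len(parts) == 3 and LOOPBACK.match(parts[2]):
                findings.append(f"line {n}: connection address is loopback ({parts[2]})")
        elif line.startswith("a=candidate:"):
            # foundation component transport priority address port typ <type> ...
            f = line[len("a=candidate:"):].split()
            if len(f) >= 8 and LOOPBACK.match(f[4]):
                findings.append(f"line {n}: ICE host candidate targets loopback {f[4]}:{f[5]}")
    return findings
```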
As this situation unfolds, it illustrates the pressing data privacy and security issues in mobile applications. The tactics employed, which map onto the initial access and collection techniques described in the MITRE ATT&CK framework, underline the need for businesses to monitor their data privacy practices closely and to address any weaknesses that could be exploited.