
For Security Reasons, I am Shutting Down the Instagram and Facebook Accounts

As explained by The Register, Hacker News, and elsewhere, all of the apps created by Meta (formerly Facebook) are exploiting a permission in the Android operating system to track everything you do on mobile web browsing apps such as Chrome, Firefox, and even partially DuckDuckGo. According to LifeHacker, the mobile web browser Brave successfully blocked the tracking. I could not find any information about other web browsers such as Vivaldi or the many additional Firefox flavors.


So how is Meta doing this exactly? First, let’s talk about apps. Instagram only allows you to post via the mobile app, which is additionally nefarious. When Meta’s apps are installed on your phone, they continually run in the background as a service. This grants the apps additional privileges. For a popular example, YouTube was not always able to keep a video playing while you were using another app. It was rewritten some time ago as a service, as opposed to a normal app, and now it can play audio or picture-in-picture while you use your phone and other apps because it has more permissions. This is the type of app that Facebook and Instagram are.

Android services have access to what is referred to as localhost. Think of it as the local device hosting the app – it is an address which loops back to your phone. The address is 127.0.0.1; in web browsing, it points back to your own computer. If you were hosting a service on your computer, typing “127.0.0.1” into the address bar of your web browser would open that service. This is very useful for developers, on either a mobile phone or a computer, especially for testing network programming.

Wild Hemlock Will NEVER Install a Meta Pixel Script!

Instead of using localhost for testing purposes only, Meta’s apps continually listen for you to access a website which has a Meta Pixel script installed. This script is typically used for analytics and advertising in a supposedly anonymized format, similar to Google Analytics. It only de-anonymizes data when you are currently logged in to a Meta product. Which, to be truthful, is creepy enough. When you browse a website which has this script installed, the script pings the Meta app by abusing the app’s localhost access permissions. This sends your browser metadata to Meta, including your account from your Facebook or Instagram app.

This means that while you have Facebook or Instagram installed on your phone, Meta knows every website you visit that has the Meta Pixel installed. And who you are.
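One way to audit a phone for the localhost listeners described above, as an added example that is not from the original post or from any of the cited reports: it lists TCP sockets that a browser on the same device could reach through 127.0.0.1, with the Android UID that owns each one. It assumes you already have the text of the Linux /proc/net/tcp table from the device; the sample table, ports and UIDs are constructed.

```python
import socket

# Constructed sample in the layout of Linux /proc/net/tcp (not from a real device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:9C40 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 51234
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 1010321      0 51240
   2: 0100007F:C350 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20011
   3: 0F02000A:A1B2 010200C0:01BB 01 00000000:00000000 00:00000000 00000000 10234        0 51300
"""

TCP_LISTEN = "0A"            # kernel state code for a listening socket
ANDROID_USER_OFFSET = 100000  # uid = android_user * 100000 + app_id
APP_ID_RANGE = range(10000, 20000)  # app_ids Android assigns to installed apps


def loopback_listeners(table):
    """Return listening IPv4 TCP sockets reachable via 127.0.0.1.

    Only IPv4 TCP is covered; /proc/net/tcp6 and UDP need the same treatment.
    """
    found = []
    for line in table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # Addresses are printed in host byte order; assumes a little-endian CPU.
        ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])
        # A socket bound to 127.x or to 0.0.0.0 accepts loopback connections.
        if not (ip.startswith("127.") or ip == "0.0.0.0"):
            continue
        uid = int(fields[7])
        android_user, app_id = divmod(uid, ANDROID_USER_OFFSET)
        found.append({
            "ip": ip,
            "port": int(port_hex, 16),
            "uid": uid,
            "android_user": android_user,   # 0 is the main user; profiles get others
            "is_app": app_id in APP_ID_RANGE,
        })
    return found


if __name__ == "__main__":
    for s in loopback_listeners(SAMPLE_PROC_NET_TCP):
        owner = "installed app" if s["is_app"] else "system"
        print(f'{s["ip"]}:{s["port"]} uid={s["uid"]} '
              f'user={s["android_user"]} ({owner})')
```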

When using Instagram, I installed the app under a “work profile” on Android using an open source app called Island in the F-Droid app store. It sounds complicated, but it is the same thing as having more than one user account on your computer. Theoretically, most data should not be shared between user accounts and my data should be insulated from the Instagram app (especially since I use Brave browser on mobile), but… is it really safe? I don’t trust it. There is no need for that on my phone.