by Guy Van Sanden, Founder

For the longest time, people looked at me in surprise when I said that Meta products like Facebook and Instagram, but also WhatsApp, are spyware.  Yes, they track you, yes they are used to build profiles to serve you ads, but that’s a normal business model, surely.

Well, it turns out that Meta found a way to bypass the normal Android functionality, which puts app permissions in the user’s hands, to give their apps a way to receive information from sites you visit that carry the Meta pixel.  That doesn’t sound too bad?  Read on.

The exploitation of this hole in Android’s security means that the Meta pixel can always track you (except when using a browser such as Brave that strips the pixel when loading sites) and there is no possible way to opt out.  Their apps have been turned into malware that always keeps a backdoor open for the tracking code in websites to transmit their stolen data directly to the Meta apps and from there to Meta’s servers.

But it gets worse…

This approach works even if you open an incognito window, even if you use a VPN, even if you block (third-party) cookies.  If you do all these things, Meta still knows that it was you that visited every single one of those pages.  This bypasses every possible level of required user consent and there is no other conclusion than to label it malware.  This is not just a clever scheme, this is illegal on all levels.

Read here or here for a more technical explanation of how this exploit works.  But in a nutshell, they had their malware apps listen on a localhost port meant for internal communication, and the embedded pixel in websites would send data to this covert listener, which is why it works regardless of VPN or incognito mode: the data never leaves the phone over the network, it just hops from the browser to the app.
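One way to check your own device for this kind of covert channel is to look for apps listening on the loopback interface. The script below is an added example, not code from the original post or from any of the linked research: it parses `/proc/net/tcp` output (a constructed sample is embedded; on a real device you would feed it `adb shell cat /proc/net/tcp` and `/proc/net/tcp6`) and reports LISTEN sockets bound to 127.0.0.1 or ::1 that belong to an app UID (Android gives installed apps UIDs of 10000 and up). It handles both IPv4 and IPv6 address encodings, which is more than the post describes.

```python
import ipaddress

LISTEN_STATE = "0A"     # socket state code for LISTEN in /proc/net/tcp
APP_UID_START = 10000   # Android assigns UIDs >= 10000 to installed apps

# Constructed sample of /proc/net/tcp (not captured from a real device).
# Row 0 and 1: an app (uid 10234) listening on 127.0.0.1:8080 and :12345.
# Row 2: a system service (uid 1000) listening on all interfaces.
# Row 3: an established outbound connection, not a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:C350 5E3A9E8A:01BB 01 00000000:00000000 00:00000000 00000000 10234        0 12348 1 0000000000000000 100 0 0 10 0
"""


def parse_addr(hexaddr):
    """Decode a /proc/net/tcp address like '0100007F:1F90' into (ip, port).

    IPv4 is 8 hex digits in little-endian byte order; IPv6 is 32 hex digits
    made of four 32-bit words, each little-endian.
    """
    host_hex, port_hex = hexaddr.split(":")
    raw = bytes.fromhex(host_hex)
    if len(raw) == 4:
        ip = ipaddress.IPv4Address(raw[::-1])
    else:
        words = [raw[i:i + 4][::-1] for i in range(0, 16, 4)]
        ip = ipaddress.IPv6Address(b"".join(words))
    return ip, int(port_hex, 16)


def loopback_app_listeners(proc_net_tcp_text):
    """Return LISTEN sockets on loopback owned by app UIDs, oldest-row first."""
    findings = []
    for line in proc_net_tcp_text.splitlines():
        fields = line.split()
        # Data rows start with the slot number, e.g. '0:'; skip the header.
        if len(fields) < 8 or not fields[0].endswith(":"):
            continue
        ip, port = parse_addr(fields[1])
        state, uid = fields[3], int(fields[7])
        if state == LISTEN_STATE and ip.is_loopback and uid >= APP_UID_START:
            findings.append({"uid": uid, "ip": str(ip), "port": port})
    return findings


if __name__ == "__main__":
    for hit in loopback_app_listeners(SAMPLE_PROC_NET_TCP):
        print(f"uid {hit['uid']} listens on {hit['ip']}:{hit['port']}")
```

A hit only tells you that an app holds a loopback listener; map the UID to its package with the package manager on the device and judge whether that app has any legitimate reason to accept connections from the browser.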

So to sum it up, Meta found a security vulnerability and exploited it to steal data it had no consent to take, in violation of numerous laws (the GDPR is just the start).

Given the malicious and deliberate nature of all this, do you really trust a bad actor to keep your chats private?  Do you think they somehow won’t monetize what they learn about users on WhatsApp, a service they seemingly give away for free?


The sad conclusion is that there is no way to use apps from bad actors safely, and the praised Android security sandbox doesn’t rule out exploits like this.  So if you don’t want to be tracked, keep them off your phone (you can use the website versions if you need to), or at the very least run them in a second profile (Private Space, for example).  And that goes for WhatsApp as well, but it’s better to drop all of them altogether.

Contact us if you would like to explore safe alternatives to WhatsApp (SimpleX, Matrix or Signal) or even to Facebook or Instagram.

Update 18/06: Iran is calling on its citizens to uninstall WhatsApp, citing possible spying on users and relaying of the information back to Israel by the US.  Given the information above, and even though WhatsApp’s messages are e2e encrypted, it is reasonable to assume that is the case.