Tracking Without Borders: Studying the Role of WebViews in Bridging Mobile and Web Tracking

Authors: Nipuna Weerasekara (IMDEA Networks Institute / Universidad Carlos III de Madrid), José Miguel Moreno (Universidad Carlos III de Madrid), Srdjan Matic (IMDEA Software Institute), Joel Reardon (University of Calgary / AppCensus), Juan Tapiador (Universidad Carlos III de Madrid), Narseo Vallina-Rodríguez (IMDEA Networks Institute / AppCensus)

Volume: 2025
Issue: 4
Pages: 745–762
DOI: https://doi.org/10.56553/popets-2025-0155

Abstract: WebViews are a core component of today's in-app browsing technologies on mobile platforms, playing a central role in rendering web content like mobile advertisements. However, their use and potential to bridge web and mobile tracking paradigms comes at a significant privacy cost for users. Although prior work has highlighted privacy risks associated with WebViews, the real-world scale and privacy impact of their misuse and abuse remain unexplored due to the hybrid nature of WebViews, combining Java, native, and dynamically-loaded JavaScript (JS) code. In this paper, we present the first large-scale empirical study of WebView abuse in Android apps. We analyze how app developers and third-party SDKs facilitate user tracking by configuring WebViews to bypass default platform privacy protections and enable invasive tracking through JavaScript code. Using a novel analysis pipeline that combines static and dynamic analysis of Java/Kotlin code and JavaScript, we reveal how numerous actors undermine users' privacy and exploit WebViews in the wild. We show that harmful JavaScript code, often distributed via unvetted Real-Time Bidding (RTB) processes, exploits WebViews to perform advanced tracking techniques such as cookie syncing, canvas fingerprinting, and misuse of the Java-JS interface and permission-protected JavaScript APIs to silently leak unique user identifiers and geolocation data without user awareness for cross-platform tracking.

Keywords: Android WebViews, Cross-platform Tracking, Fingerprinting, Mobile Platforms, Privacy

Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.