‘HyTrack’ could spy on Android users Researchers at TU Braunschweig discover new tracking method

Researchers at Technische Universität Braunschweig have discovered a new method of tracking users on the internet. This involves transferring tracking, as we already know it from website tracking, to Android apps. The method, which the scientists call ‘HyTrack’, could enable advertisers to track users across different apps and the web browser. They have published their research in a paper that they will present at the ‘USENIX Security 2025’ conference in Seattle, USA, in August 2025.

‘HyTrack’ could enable advertisers to track users across different apps and the web browser. Credits: Kristina Rottig/TU Braunschweig

When we visit websites, read articles online and interact with advertisements, our activities are constantly being tracked. Companies and website operators collect data on users’ online behaviour through web tracking. Tracking through cookies or pixel tags helps website operators to better understand their visitors, for example, to make websites more user-friendly, but also to personalise advertising through movement profiles.

While proponents of tracking point to customised content and an improved user experience, privacy advocates warn of the risks to privacy. Professor Martin Johns, head of the Institute for Application Security at TU Braunschweig, also warns of this and a new type of tracking: ‘’HyTrack’ is a major threat to data protection and user privacy. But the good news is that we seem to have discovered the technology before the tracking and advertising industry. In three large-scale studies and one qualitative study, we have not yet been able to find ‘HyTrack’ in the wild.”

How does HyTrack work?

The tracking method is based on a new browser feature – custom tabs. These allow special browser windows to be opened directly in an app that uses the same storage and session state as the regular smartphone browser. This allows users to remain logged in to websites, for example, even when accessing them via different apps. What was intended as a convenience feature can, however, be misused for questionable tracking purposes.

The method discovered by the researchers takes advantage of the fact that custom tabs share the browser’s cookie storage. This allows a tracking company to assign an identifier (ID) to the user – independently of the Google advertising ID (Google AD-ID), which enables app developers to measure user behaviour across different media sources. The advertising ID can be reset and deleted by users.

Tracking method difficult to shake off

Particularly worrying: ‘’HyTrack‘ can even recover after a browser memory wipe or a reinstallation of affected apps,” says Malte Wessels, research associate at the Institute for Application Security and first author of the study. “If an app uses a special variant of custom tabs known as ‘Trusted Web Activities’, these open in full-screen mode – keeping the tracking hidden.” The researchers tested the method in ten different browsers and on six Android versions. The result: all browsers that support custom tabs are affected by ‘HyTrack’.

There is at least one piece of good news: so far, there is no evidence that this technique is already being used by tracking services. Nevertheless, the scientists warn that it would be easy for advertising networks and other data companies to implement it. They therefore recommend that browser developers quickly fix this vulnerability and advise users to install an ad blocker in their browser in the meantime to at least partially protect themselves from unwanted tracking.