{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,7,13]],"date-time":"2025-07-13T16:40:03Z","timestamp":1752424803552,"version":"3.41.2"},"reference-count":0,"publisher":"Privacy Enhancing Technologies Symposium Advisory Board","issue":"4","license":[{"start":{"date-parts":[[2025,10,1]],"date-time":"2025-10-01T00:00:00Z","timestamp":1759276800000},"content-version":"unspecified","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["PoPETs"],"abstract":"<jats:p>WebViews are a core component of today's in-app browsing technologies on mobile platforms, playing a central role in rendering web content like mobile advertisements. However, their use and potential to bridge web and mobile tracking paradigms comes at a significant privacy cost for users. Although prior work has highlighted privacy risks associated with WebViews, the real-world scale and privacy impact of their misuse and abuse remain unexplored due to the hybrid nature of WebViews-combining Java, native, and dynamically-loaded JavaScript (JS) code. In this paper, we present the first large-scale empirical study of WebView abuse in Android apps. We analyze how app developers and third-party SDKs facilitate user tracking by configuring WebViews to bypass default platform privacy protections and enable invasive tracking through JavaScript code. Using a novel analysis pipeline that combines static and dynamic analysis of Java\/Kotlin code and JavaScript, we reveal how numerous actors undermine users' privacy and exploit WebViews in the wild. We show that harmful JavaScript code, often distributed via unvetted Real-Time Bidding (RTB) processes, exploits WebViews to perform advanced tracking techniques such as cookie sync-ing, canvas fingerprinting, and misuse of the Java-JS interface and permission-protected JavaScript APIs to silently leak unique user identifiers and geolocation data without user awareness for cross-platform tracking.<\/jats:p>","DOI":"10.56553\/popets-2025-0155","type":"journal-article","created":{"date-parts":[[2025,7,13]],"date-time":"2025-07-13T15:58:27Z","timestamp":1752422307000},"page":"745-762","source":"Crossref","is-referenced-by-count":0,"title":["Tracking Without Borders: Studying the Role of WebViews in Bridging Mobile and Web Tracking"],"prefix":"10.56553","volume":"2025","author":[{"given":"Nipuna","family":"Weerasekara","sequence":"first","affiliation":[{"name":"IMDEA Networks Institute \/ Universidad Carlos III de Madrid"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jos\u00e9 Miguel","family":"Moreno","sequence":"additional","affiliation":[{"name":"Universidad Carlos III de Madrid"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Srdjan","family":"Matic","sequence":"additional","affiliation":[{"name":"IMDEA Software Institute"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Joel","family":"Reardon","sequence":"additional","affiliation":[{"name":"University of Calgary \/ AppCensus"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Juan","family":"Tapiador","sequence":"additional","affiliation":[{"name":"Universidad Carlos III de Madrid"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Narseo","family":"Vallina-Rodr\u00edguez","sequence":"additional","affiliation":[{"name":"IMDEA Networks Institute \/ AppCensus"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"35752","published-online":{"date-parts":[[2025,10]]},"container-title":["Proceedings on Privacy Enhancing Technologies"],"original-title":[],"deposited":{"date-parts":[[2025,7,13]],"date-time":"2025-07-13T15:58:35Z","timestamp":1752422315000},"score":1,"resource":{"primary":{"URL":"https:\/\/petsymposium.org\/popets\/2025\/popets-2025-0155.php"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10]]},"references-count":0,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2025,10]]}},"alternative-id":["10.56553\/popets-2025-0155"],"URL":"https:\/\/doi.org\/10.56553\/popets-2025-0155","relation":{},"ISSN":["2299-0984"],"issn-type":[{"type":"electronic","value":"2299-0984"}],"subject":[],"published":{"date-parts":[[2025,10]]}}}