One of the more annoying things some apps do is incorporate their own in-app browser, opening that for web links instead of respecting your chosen default browser.
This has long been a nuisance, but a developer has now explained the security risks of doing so, especially when dealing with companies not noted for their privacy standards – like Facebook …
The nuisance factor of in-app browsers is that they don’t allow us access to our stored data, like usernames and passwords, for auto-login – nor payment info for purchases. That means we have to enter that data manually, instead of letting Safari do it for us.
But the bigger issue, explains Fastlane founder Felix Krause, is the privacy risks of using an in-app browser. He uses Meta as an example.
The iOS Instagram and Facebook app render all third party links and ads within their app using a custom in-app browser. This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap.
He refers to Instagram, but exactly the same things are true of Facebook:
- Links to external websites are rendered inside the Instagram app, instead of using the built-in Safari.
- This allows Instagram to monitor everything happening on external websites, without the consent from the user, nor the website provider.
- The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers.
This is a very simple way for Meta to skirt Apple’s App Tracking Transparency rules; it also works for both unencrypted and encrypted websites.
It’s important to note that Krause isn’t able to state what info Meta does extract – he has confirmed only that they do extract something.
I don’t have a list of precise data Instagram sends back home. I do have proof that the Instagram and Facebook app actively run JavaScript commands to inject an additional JS SDK without the user’s consent, as well as tracking the user’s text selections. If Instagram is doing this already, they could also inject any other JS code.
In practice, of course, Meta won’t be copying down your passwords and credit card details. But because we can’t tell what info it is extracting, it’s another reason to always jump straight out of in-app browsers into your preferred one.
In the Facebook app, for example, you can hit the three dots bottom-right, then select Open in Browser. If you don’t have that option within an app, there will usually be a Share icon whose options include either this or the ability to copy the link in order to paste it into Safari.
Krause also explains how websites can protect themselves against unwitting participation in this type of data collection.
Until Instagram resolves this issue (if ever), you can quite easily trick the Instagram and Facebook app to believe the tracking code is already installed. Just add the following to your HTML code:
<span id="iab-pcm-sdk"></span>
<span id="iab-autofill-sdk"></span>Additionally, to prevent Instagram from tracking the user’s text selections on your website:
const originalEventListener = document.addEventListener
document.addEventListener = function(a, b) {
if (b.toString().indexOf("messageHandlers.fb_getSelection") > -1) {
return null;
}
return originalEventListener.apply(this, arguments);
}Finally, he has some recommendations for Apple in order to counter these types of privacy breaches.
Photo: James Yarema/Unsplash
FTC: We use income earning auto affiliate links. More.
Comments