In-app browsers like those in Facebook and Instagram are a big privacy risk, developer shows

in-app browsers | Facebook app on an iPhone screen

One of the more annoying things some apps do is incorporate their own in-app browser, opening that for web links instead of respecting your chosen default browser.

This has long been a nuisance, but a developer has now explained the security risks of doing so, especially when dealing with companies not noted for their privacy standards – like Facebook

The nuisance factor of in-app browsers is that they don’t allow us access to our stored data, like usernames and passwords, for auto-login – nor payment info for purchases. That means we have to enter that data manually, instead of letting Safari do it for us.

But the bigger issue, explains Fastlane founder Felix Krause, is the privacy risks of using an in-app browser. He uses Meta as an example.

The iOS Instagram and Facebook app render all third party links and ads within their app using a custom in-app browser. This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap.

He refers to Instagram, but exactly the same things are true of Facebook:

This is a very simple way for Meta to skirt Apple’s App Tracking Transparency rules; it also works for both unencrypted and encrypted websites.

It’s important to note that Krause isn’t able to state what info Meta does extract – he has confirmed only that they do extract something.

I don’t have a list of precise data Instagram sends back home. I do have proof that the Instagram and Facebook app actively run JavaScript commands to inject an additional JS SDK without the user’s consent, as well as tracking the user’s text selections. If Instagram is doing this already, they could also inject any other JS code.

In practice, of course, Meta won’t be copying down your passwords and credit card details. But because we can’t tell what info it is extracting, it’s another reason to always jump straight out of in-app browsers into your preferred one.

In the Facebook app, for example, you can hit the three dots bottom-right, then select Open in Browser. If you don’t have that option within an app, there will usually be a Share icon whose options include either this or the ability to copy the link in order to paste it into Safari.

Krause also explains how websites can protect themselves against unwitting participation in this type of data collection.

Until Instagram resolves this issue (if ever), you can quite easily trick the Instagram and Facebook app to believe the tracking code is already installed. Just add the following to your HTML code:

<span id="iab-pcm-sdk"></span>
<span id="iab-autofill-sdk"></span>

Additionally, to prevent Instagram from tracking the user’s text selections on your website:

const originalEventListener = document.addEventListener
document.addEventListener = function(a, b) {
    if (b.toString().indexOf("messageHandlers.fb_getSelection") > -1) {
        return null;
    return originalEventListener.apply(this, arguments);

Finally, he has some recommendations for Apple in order to counter these types of privacy breaches.

Photo: James Yarema/Unsplash

FTC: We use income earning auto affiliate links. More.

Check out 9to5Mac on YouTube for more Apple news:



Facebook is the most popular social media service in the world with 2.32 billion monthly active users as of December 31, 2018


Privacy is a growing concern in today's world. Follow along with all our coverage related to privacy, security, and more in our guide.

Instagram Security Safari

About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear


Dell 49-inch curved monitor