A few days ago, developer Felix Krause shared a detailed report on how mobile apps can use their own in-app web browser to track user data. Now Krause is back with a new tool that lets anyone see JavaScript commands injected through an in-app browser.
The platform is called InAppBrowser, and any interested user can access it to check how a web browser embedded within an app injects JavaScript code to track people.
For those unfamiliar, an in-app browser usually comes into action when a user taps on a URL within an app. This way, the app shows the webpage without having to redirect the user to an external browser app, such as Safari or Google Chrome.
However, although these in-app browsers are based on Safari’s WebKit on iOS, developers can modify them to run their own JavaScript code. As a result, users are more susceptible to being tracked without their knowledge. For instance, an app can use a custom in-app browser to collect all the taps on a webpage, keyboard inputs, website title, and more.
Such data can be used to create a digital fingerprint of a person. In most cases, data collected from people on the web is used for targeted advertising. Krause notes that the platform can’t detect all JavaScript commands, but it still gives users more insight into what data the apps are collecting.
How to use the InAppBrowser tool
Using the InAppBrowser tool is quite simple. First, you open an app that you want to analyze. Then you share the URL “https://InAppBrowser.com” somewhere inside the app (you can send it as a DM to a friend). Tap the link inside the app to open it and get a report about the JavaScript commands.
Krause has also tested the tool with some popular apps so that you don’t have to do this. For example, TikTok can monitor all keyboard inputs and screen taps when you open a URL using the in-app browser. Meanwhile, Instagram can even detect all text selections on websites.
Of course, the developer also notes that not every app that injects JavaScript code into an in-app browser does so for malicious purposes, since JavaScript is the basis of many web features. You can find more details about this on Krause’s website.
Update: TikTok’s response to Krause’s allegations
TikTok has reached out to 9to5Mac to provide us with a statement as a response to Krause’s allegations. According to the company, the reports are “incorrect and misleading.” The social network focused on short videos notes that the researcher himself said that JavaScript codes aren’t necessarily used for malicious purposes.
The report’s conclusions about TikTok are incorrect and misleading. The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects. Contrary to the report’s claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring.”
TikTok spokesperson
According to a TikTok spokesperson, some of the codes used as examples by the researcher are common inputs and aren’t used to collect what users type in the app or in its in-app browser. After all, JavaScript code is commonly used for debugging, troubleshooting, and monitoring the performance of a web page.
The TikTok spokesperson also assured us that the company respects the privacy policies presented to users, and that the app only collects information that users choose to share.
FTC: We use income earning auto affiliate links. More.
Comments