A developer warns that in-app browsers can be a potential privacy risk. Nothing is more annoying than when an in-app browser opens when you click on a link. When you’re in an app, it’s always a pain to click on a link and see the app’s browser open rather than your default browser.
Now, a developer explains how there is security risks in apps having their own browsers. This can be especially bothersome when these app aren’t well known for their privacy standards, such as Facebook.
Developer Shows In-App Browsers Are a Privacy Risk
In-app browsers are often annoying for several reasons. The first being is that they do not allow users to access their data storage, such as usernames and passwords for automated login. Users also can’t access payment information for purchases. This almost always means that users have to enter in this information manually.
According to Fastlane founder Felix Krause, the larger reason not to trust in-app browsers is the inherit privacy risk. According to a report by Fastlane, apps that use the in-app browser, such as Facebook, are able to track all user interaction with external websites. This can include form inputs such as passwords and addresses, to every tap made by the user.
While Krause refers to Instagram within his article, the developer use it as a catch-all for all Meta-related apps. According to the developer:
- Links to external websites are rendered inside the Instagram app, instead of using the built-in Safari.
- This allows Instagram to monitor everything happening on external websites, without the consent from the user, nor the website provider.
- The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers.
Essentially, this is an easy way for companies to skirt around Apple’s App Tracking Transparency rules. Astute Apple users know that Cupertino likes to get permission from the user before tracking their data. Safari, for example, blocks third party cookies by default. Additionally, it also works with unencrypted and encrypted websites.
Looking at the Information
Unfortunately, Krause is unable to state what exactly Meta does extract. The developer is only able to confirm that the company does indeed extract information from users.
I don’t have a list of precise data Instagram sends back home. I do have proof that the Instagram and Facebook app actively run JavaScript commands to inject an additional JS SDK without the user’s consent, as well as tracking the user’s text selections. If Instagram is doing this already, they could also inject any other JS code.
Obviously Meta isn’t looking to steal credit cards and passwords. However, since it isn’t clear exactly what information they are extracting, it’s a good reason to avoid in-app browsers and substitute your own.
When using the Facebook app, for example, you can hit the three dots on the bottom right and select Open in Browser. Should that not be an option, you can usually find a Share icon that allows you to copy and paste the link.
Krause also provides websites information and code on how to stop apps from collecting user data.
In terms of Apple, Krause stated that company is doing a great job keeping user’s privacy in mind. However, Krause does note that the App Store Review Rules do not prohibit companies and developers from building their own in-app browsers to track users and read their inputs. Apple recommends that developers do not do this, but they do not specifically prohibit it.
Users can read the full report here.
Let me show you my surprised face 😐