In-app browsers like Facebook pose a significant privacy risk


One of the most annoying things some apps do is incorporate their own in-app browser, opening it for web links instead of honoring your chosen default browser.

This has long been a nuisance, but a developer has now explained the security risks of doing so, especially when dealing with companies that aren’t known for their privacy standards – like Facebook…

The nuisance factor of in-app browsers is that they do not allow us to access our stored data, such as usernames and passwords, for automatic login – nor payment information for purchases. This means that we have to enter this data manually, instead of letting Safari do it for us.

But the biggest problem, explains Expressway founder Felix Krause, is the privacy risk of using an in-app browser. He uses Meta as an example.

The Instagram and Facebook iOS app displays all third party links and advertisements within their app using an in-app browser. This brings various risks to the user, as the host application can track every interaction with external websites, from all form inputs such as passwords and addresses, to every click.

He refers to Instagram, but the exact same things apply to Facebook:

  • Links to external websites are rendered within the Instagram app, instead of using the built-in Safari.
  • This allows Instagram to monitor everything that happens on external websites, without the consent of the user or the website provider.
  • The Instagram app injects their tracking code in every website viewed, including when you click on advertisements, allowing them to monitor all user interactions, such as every button and link typed, text selections, screenshots, as well as all form entries, such as passwords, addresses and credit card numbers.

This is a very simple way for Meta to circumvent Apple’s application tracking transparency rules; it also works for unencrypted and encrypted websites.

It is important to note that Krause is unable to say what information Meta is extracting – he has only confirmed that they extract something.

I don’t have a list of specific data that Instagram sends home. I have evidence that Instagram and Facebook apps are actively running JavaScript commands to inject additional JS SDK without user consent, as well as tracking user text selections. If Instagram is already doing this, they could also inject any other JS code.

In practice, of course, Meta will not copy your passwords and credit card details. But the fact that we can’t tell what information it is extracting is another reason to always jump straight from in-app browsers to the one you prefer.

In the Facebook app, for example, you can tap the three dots at the bottom right, then select Open in Browser. If you don’t have this option in an app, there will usually be a Share icon whose options include this or the ability to copy the link in order to paste it into Safari.

Krause also explains how websites can protect themselves against unwitting participation in this type of data collection.

Until Instagram fixes this (if ever), you can quite easily trick the Instagram and Facebook app into believing that the tracking code is already installed. Simply add the following to your HTML code:

Additionally, to prevent Instagram from tracking user text selections on your website:

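// Keep a reference to the native method before replacing it
const originalEventListener = document.addEventListener
document.addEventListener = function(a, b) {
    // Drop listeners whose source references the fb_getSelection message handler
    if (b.toString().indexOf("messageHandlers.fb_getSelection") > -1) {
        return null;
    }
    return originalEventListener.apply(this, arguments);
}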
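
A more defensive version of the guard above, as an added example that is not from Krause's post: it copes with listener objects and null listeners, logs what it blocked so the site can see that injection happened, and can be undone. It assumes the injected listener still contains the marker string quoted above; `installListenerGuard`, `listenerSource` and `blocked` are hypothetical names.

```javascript
// Added example, not code from Krause's post. installListenerGuard, listenerSource
// and the `blocked` log are hypothetical names; the marker string is the article's.
const DEFAULT_MARKERS = ["messageHandlers.fb_getSelection"];

// A listener may be a function, an object with handleEvent(), or null.
function listenerSource(listener) {
  if (typeof listener === "function") {
    return Function.prototype.toString.call(listener);
  }
  if (listener && typeof listener.handleEvent === "function") {
    return Function.prototype.toString.call(listener.handleEvent);
  }
  return "";
}

function installListenerGuard(target, markers = DEFAULT_MARKERS) {
  const original = target.addEventListener;
  const blocked = []; // audit trail the site can forward to its own telemetry

  target.addEventListener = function (type, listener, options) {
    const hit = markers.find((m) => listenerSource(listener).includes(m));
    if (hit) {
      blocked.push({ type, marker: hit });
      return undefined; // what a normal registration returns
    }
    return original.call(this, type, listener, options);
  };

  return { blocked, restore() { target.addEventListener = original; } };
}

// Constructed demo: a bare EventTarget stands in for `document`.
function demo() {
  const doc = new EventTarget();
  const guard = installListenerGuard(doc);
  let siteCalls = 0;
  // Constructed listener imitating the pattern the article describes; never runs.
  doc.addEventListener("selectionchange", function () {
    window.webkit.messageHandlers.fb_getSelection.postMessage("");
  });
  doc.addEventListener("selectionchange", () => { siteCalls += 1; }); // site's own
  doc.dispatchEvent(new Event("selectionchange"));
  return { siteCalls, blocked: guard.blocked };
}
```

On a real page the call would be `installListenerGuard(document)`, placed before any other script runs.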

Finally, there are some recommendations for Apple to counter these types of privacy breaches.

Photo: James Yarema/Unsplash
