In-App Mobile Browsers Have Hidden Privacy Risks


Browsers built into popular apps like Facebook and Twitter make it convenient for users to read a page, but they also expose those users to broad privacy and security risks, as recent reports have pointed out.

The big picture: In-app browsers allow mobile users to follow links and read web pages without having to leave the app they’re using. But it’s hard to verify who ends up with the data traces created by this browser activity — and that personal information could end up in the hands of the app maker.

How it works: Apple (iOS) and Google (Android) say they apply the same rules to in-app browsers that they apply to any other part of an app they distribute in their app stores: Both companies require app makers to disclose all the information they collect under their privacy policies.

  • Google also says it looks for data collected through the in-app browser as part of its automated analytics of apps submitted to the Google Play Store.
  • Apple policies also prohibit particularly egregious abuse, such as surreptitiously discovering passwords or other private data.

Driving the news: Security researcher Felix Krause recently published a series of findings, including a report on TikTok last week and an earlier one on Instagram and Facebook, suggesting that many in-app browsers contain code that gives app owners the ability to monitor what users type or click.

Between the lines: App developers have the potential to collect more information about users when they use an in-app browser to open links, and this could lead to more hidden data collection and increased security risks, experts tell Axios.

  • Simple changes to in-app browsers could easily allow platforms to track when someone types, clicks a link or presses the screen, said Nick Doty, senior researcher specializing in Internet architecture at the Center for Democracy and Technology.
  • This is true for all browsers, but with in-app browsers, users typically don’t realize they’ve moved to a different environment that may have different data collection practices. They may just think they’re using their default mobile browser, like Safari or Chrome, Doty told Axios.

Yes, but: It’s hard to say whether TikTok, Facebook, or any other app developer actually uses the data collected from these browsers.

  • TikTok said the report’s conclusions are “incorrect and misleading” and that it does not “collect typing or text input” via the code identified by Krause.

  • Facebook said it developed the code in question to allow it to honor users’ “do not track” preferences while continuing to send aggregate data for ad targeting purposes.

Our thought bubble: New concerns about in-app browsers underscore how impossible it is for average users to know all the ways they are being tracked online, even if the information is disclosed in privacy policies or elsewhere.

  • Most people don’t read these disclosures. And it’s probably unrealistic to assume that platforms are fully aware of all the data collected about the vast universe of apps they support.

Neither Apple nor Google has commented on whether they have seen instances of in-app browsers collecting data beyond what is expected or allowed.

And after: Google and Apple have the opportunity to play a broader role as custodians of their app store ecosystems, either by setting stricter limits or looking more closely at the collection and use of in-app browser data.

  • App store operators could play a bigger role in regulating the data collection practices of apps before they let them into the store, said Justin Sherman, head of research at the Data Brokerage Project, Duke University.
  • Another option: Websites could alert visitors who view their content through an in-app browser, Doty said.
  • Users, on the other hand, have the option of opening links in a standalone browser rather than using the in-app browser.
