Research shows how Instagram and Facebook’s use of an in-app browser within both its iOS apps can track interactions with external websites.
Users of Apple’s Instagram and Facebook iOS apps are being warned that both use an in-app browser that allows parent company Meta to track ‘every single tap’ users make with external websites accessed via the software.
Researcher Felix Krause, who outlined how Meta tracks users in a blog posted Wednesday, claims that this type of tracking puts users at “various risks”. He warns both iOS versions of the apps can “track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap” via their in-app browsers.
iOS users’ concerns over tracking were addressed by Apple’s 2021 release of iOS 14.5 and a feature called App Tracking Transparency (ATT). The added control was intended to require app-developers to get the user’s consent before tracking data generated by third-party apps not owned by the developer.
Meta responded to Krause’s research with a statement published by The Guardian:
“We intentionally developed this code to honour people’s [Ask to track] choices on our platforms… The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels.. For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill.”
In-App Browsers and Privacy Risks
The use of in-app browsers, whether it be Meta’s or another company’s, presents a host of privacy risks, according to Krause. For starters it could allow a company to collect browser analytics, such as taps, input, scrolling behavior and copy-and-paste data without unambiguous user consent.
In-app browsers could also be used as a loophole by a firm to steal user credentials and API keys used in host services or inject ads and referrals links to siphon ad revenue from websites, the researcher noted. While citing these as examples, Krause is not accusing Meta of any of these actions.
“As my understanding goes, all of [these privacy concerns] wouldn’t be necessary if Instagram were to open the phone’s default browser, instead of building & using the custom in-app browser,” he wrote.
While Krause’s research has sparked outrage with privacy activists and he is careful to temper his research with answers to questions raised by his research.
- Can Instagram/Facebook read everything I do online? No! Instagram is only able to read and watch your online activities when you open a link or ad from within their apps.
- Does Facebook actually steal my passwords, address and credit card numbers? No! I didn’t prove the exact data Instagram is tracking, but wanted to showcase the kind of data they could get without you knowing. As shown in the past, if it’s possible for a company to get access to data legally and for free, without asking the user for permission, they will track it.
- Is Instagram doing this on purpose? I can’t say how the decisions were made internally. All I can say is that building your own in-app browser takes a non-trivial time to program and maintain, significantly more than just using the privacy and user-friendly alternative that’s already been built into the iPhone for the past 7 years.
Krause offers advice to privacy-minded users of the apps and suggests that, “whenever you open a link from Instagram (or Facebook or Messenger), make sure to click the dots in the corner to open the page in Safari instead.” Safari, he points out, already blocks third party cookies by default.
Apple’s 11-Word Response
In July, Apple upped its privacy game and announced a feature called Lockdown Mode that is said offered as “an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware.”
The researcher filed what is called an Open Radar Community Bug Report with Apple last month claiming “iOS Lockdown Mode allows custom in-app webviews, host apps can steal information.”
Apple responded within a comment to the report simply stating “Thanks for your report. This isn’t what Lockdown Mode is for.”
The researcher acknowledges that Meta is following ATT rules.
“According to Meta, the script injected (pcm.js) helps Meta respect the user’s ATT opt out choice, which is only relevant if the rendered website has the Meta Pixel installed,” Krause wrote.
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.