• A security researcher has demonstrated that both the Facebook and Instagram apps on iOS insert custom code into web pages opened in their in-app browsers.
  • The code circumvents Apple’s privacy protections and can potentially be used to track you on third-party websites as well.
  • Other security experts suggest avoiding the use of in-app browsers and expect Apple to take steps to nullify this workaround.


New research has shown that most apps don't use the smartphone's default web browser to open links, which could potentially circumvent the operating system's security and privacy features.

A security researcher, Felix Krause, has shown that Meta’s Instagram and Facebook apps on iOS add some JavaScript code to third-party websites when you visit them using the app’s custom in-app browser. In-app browsers allow people to visit websites without leaving their apps. The inserted code allows the apps to potentially track all your interactions with external websites, bypassing iOS’ App Tracking Transparency (ATT) feature. Apple added ATT specifically to force app developers to get people’s consent before tracking data generated by third parties. 

“Instagram’s workaround isn’t surprising,” Lior Yaari, CEO and co-founder of cybersecurity startup Grip Security, told Lifewire over email. “Apple’s restrictions threaten the core of the company’s business model, so it was a matter of adapting [to] survive.”

Hitting Where It Hurts

Meta has openly admitted that the ATT feature was costing it about $10 billion a year in ad revenue. 

During his research, Krause discovered that when an iOS user of the Facebook or Instagram app taps a link within these social networks, the link opens in the app's in-app browser rather than in the default browser.


He warned that the custom JavaScript code the in-app browser injects enables both apps to potentially track every single interaction with external websites, including everything you type into a text box, such as passwords and addresses.
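A site operator who wants to notice code that arrived in the page without being shipped by the site can audit the page's script elements against an allowlist. The following is an added example, not code from the article or from Krause's research; it assumes the site knows its own script origins and inline-script nonce, and that injected code appears as a DOM script element (code run purely through a WebView's native JavaScript bridge would not show up in this audit).

```javascript
// Added example: flag <script> elements the page did not ship itself.
// Assumptions (not from the article): the page knows its allowed script
// origins and the nonce its server emitted for inline scripts.

const ALLOWED_ORIGINS = ["https://example.com", "https://static.example.com"]; // constructed

// Classify one script descriptor { src, nonce }.
// Returns null when the script is expected, otherwise a reason string.
function classifyScript(script, allowedOrigins, expectedNonce) {
  if (!script.src) {
    // Inline script: trusted only if it carries the server-issued nonce.
    return script.nonce === expectedNonce ? null : "inline script without valid nonce";
  }
  let origin;
  try {
    origin = new URL(script.src).origin;
  } catch {
    return `unparseable src: ${script.src}`;
  }
  return allowedOrigins.includes(origin) ? null : `external script from unexpected origin ${origin}`;
}

// Audit a list of script descriptors; returns the flagged ones with reasons.
function auditScripts(scripts, allowedOrigins, expectedNonce) {
  const findings = [];
  for (const s of scripts) {
    const reason = classifyScript(s, allowedOrigins, expectedNonce);
    if (reason) findings.push({ src: s.src || "(inline)", reason });
  }
  return findings;
}

// Browser glue: audit the scripts present at load, then watch for later insertions.
function installAudit(allowedOrigins, expectedNonce, report) {
  const check = (els) => {
    const descriptors = Array.from(els).map((el) => ({ src: el.src, nonce: el.nonce }));
    const findings = auditScripts(descriptors, allowedOrigins, expectedNonce);
    if (findings.length) report(findings);
  };
  check(document.scripts);
  new MutationObserver((mutations) => {
    const added = [];
    for (const m of mutations) for (const n of m.addedNodes) if (n.tagName === "SCRIPT") added.push(n);
    if (added.length) check(added);
  }).observe(document.documentElement, { childList: true, subtree: true });
}

// Constructed sample: two scripts the site shipped plus one it did not.
const SAMPLE_SCRIPTS = [
  { src: "https://static.example.com/app.js" },
  { src: "", nonce: "r4nd0m" },
  { src: "https://tracker.invalid/inject.js" },
];

if (typeof document !== "undefined") installAudit(ALLOWED_ORIGINS, "r4nd0m", console.warn);
```

Running `auditScripts(SAMPLE_SCRIPTS, ALLOWED_ORIGINS, "r4nd0m")` flags only the third entry; in a real page, `report` would send the findings to the site's own logging endpoint.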

"With 1 billion active Instagram users, the amount of data Instagram can collect by injecting the tracking code into every third-party website opened from the Instagram & Facebook app is a staggering amount," wrote Krause.

The discovery doesn’t surprise George Gerchow, Chief Security Officer and Senior Vice President of IT at Sumo Logic. 

Speaking to Lifewire over email, Gerchow said social media networks have some of the most powerful artificial intelligence and machine learning algorithms in the world, which, when combined with their everlasting attempt to get people to stay on their platforms, becomes a real danger. 

"I strongly believe that Apple has known about this but did not want the publicity," said Gerchow, adding, "[Apple's] Safari is not the safest of browsers either."


Let the Games Begin

While Krause couldn't examine the code to figure out its real intent, he did demonstrate how apps could work around the ATT restrictions. Yaari thinks this should make Apple stand up, take notice, and perhaps even implement additional restrictions to limit tracking through in-app browsers. 

"It's the start of the cat and mouse game the two companies will play, with the outcome having major industry ramifications," said Yaari.

Tom Garrubba, Director, Third-Party Risk Management Services at Echelon Risk + Cyber, believes Apple has greatly improved its standing on privacy matters, not just in perception but in practice, through how it builds and deploys its software.

"Perhaps it'll take a class-action lawsuit, bad PR, and/or a hefty fine for privacy violations for application developers to wake up [to the fact] that they need to bake 'privacy by design' into all aspects of code development and service delivery," Garrubba told Lifewire over email. "I predict inaction by big tech will lead this to a lawsuit or hefty penalty waiting to happen."

In the meantime, to safeguard your privacy, Krause suggests exiting the in-app browser and simply copying the URL to open it in an external browser.

"At minimum, people should not be using in-app browsers to enter any sensitive or confidential information," suggests Yaari. 

However, our experts acknowledge that it's unlikely many people will actually change their behavior as this could make the user experience more inconvenient. 

"Sadly, since 99.9% of humans suffer from the need for 'instant gratification,' they'll skip this step and open it right in their default browser," said Garrubba. "This is clearly what big tech wants, and they'll most likely get the data they want."
