This Site Reveals the Scary Things TikTok and Instagram In-App Browsers Can Follow

Did you know that you may be tracked when you load an in-app browser on iOS? A new tool reveals exactly how, and shows how applications like TikTok and Instagram could potentially use JavaScript to view sensitive data, including your address, passwords and credit card information, without your permission.

The tool can be found at All you need to do is open the app you want to check and share the URL somewhere in it – like DM the link to a friend or post it in a comment. From there, you can tap the link and get a report from the website on what scripts are running in the background.

Don’t be intimidated if you’re unfamiliar with technical jargon, as the tool’s developer, Felix Krause, provides a number of FAQs that explain exactly what you’re seeing. In response to questions about how best to protect yourself, Krause says, “If you open a link from within an app, see if the app provides a way to open the currently displayed website in your default browser. During this analysis, each app except TikTok has a way to do this.”

Krause is a security researcher and former Google employee who earlier this month shared a detailed report on how browsers within apps like Facebook, Instagram and TikTok can pose a privacy risk to iOS users.

In-app browsers are used when you tap a URL in an app. While these browsers are based on Safari’s WebKit on iOS, developers can customize them to run their own JavaScript code, allowing them to track your activity without permission from you or the third-party websites you visit.

Apps can inject their JavaScript code into websites so that they can track how the user interacts with the app. This may include information about each button or link you tap, keyboard input, and whether any screenshots were taken, although each app will differ in what information it collects.

In response to Krause’s earlier report, Meta justified the use of these custom tracking scripts by claiming that users already consent to the tracking of their data by apps like Facebook and Instagram. Meta also claims that the collected data is only used for targeted advertising or unspecified “measurement purposes”.

“We purposely developed this code to honor people’s [Ask to track] choices on our platforms,” said a Meta spokesperson. “The code allows us to collect user data before using it for targeted advertising or measurement purposes.”

They added, “For purchases made through the in-app browser, we ask for user consent to store payment information for autofill.”

The tool Krause developed is not foolproof. He admits that it cannot detect all possible JavaScript commands that are executed, and mentions that JavaScript is also used in legitimate development and is not inherently malicious. He notes, “This tool cannot detect all JavaScript commands executed, nor does it show any tracking that the app could do using native code (such as custom gesture recognizers)”. Still, it provides an easy-to-use way for iOS users to monitor their digital footprint in their favorite applications.
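One way a website can observe JavaScript that a host app injects into it, shown as an added example (this is not Krause's code or the tool's implementation): wrap a few DOM methods and log the calls the page itself did not make. The names `installMonitor`, `runTrusted` and `summarize` are hypothetical, and the watched method list is an assumption.

```javascript
// Added example, not the code of the tool described in this article.
// Wraps selected methods on a DOM-like object so a page can record calls made
// by scripts it did not ship, such as JavaScript injected by an in-app browser.
const WATCHED = ["addEventListener", "getElementById", "querySelectorAll", "createElement"];

function installMonitor(target, label, methods = WATCHED) {
  const state = { log: [], trusted: 0 };
  for (const name of methods) {
    const original = target[name];
    if (typeof original !== "function") continue; // method absent on this object
    target[name] = function (...args) {
      if (state.trusted === 0) {
        // Record only a string first argument (event type, id, selector, tag);
        // never store listener functions or element values.
        const first = typeof args[0] === "string" ? args[0] : typeof args[0];
        state.log.push({ call: `${label}.${name}`, arg: first });
      }
      return original.apply(this, args); // behaviour is unchanged for the caller
    };
  }
  // The page runs its own code through runTrusted() so it is not reported.
  state.runTrusted = (fn) => {
    state.trusted++;
    try { return fn(); } finally { state.trusted--; }
  };
  return state;
}

// Collapse the log into unique "call(arg)" strings with a count, sorted.
function summarize(log) {
  const counts = new Map();
  for (const { call, arg } of log) {
    const key = `${call}(${arg})`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts].sort(([a], [b]) => a.localeCompare(b)).map(([k, n]) => `${k} x${n}`);
}

// In a browser, install as early as possible (first script in <head>).
if (typeof document !== "undefined") {
  const monitor = installMonitor(document, "document");
  window.addEventListener("load", () => console.table(summarize(monitor.log)));
}
```

A monitor like this only sees calls made after it loads and through the methods it wraps, which matches the limits Krause describes: it cannot show every JavaScript command, and it sees nothing done in native code.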

Krause also made the tool open source, stating, “ is designed for anyone to verify for themselves what apps are doing in their in-app browsers. I’ve decided to open source the code used for this analysis. You can check it out on GitHub, which will allow the community to update and improve this script over time.” You can read more about it on his website.
