Did you know you’re potentially being tracked when you load an in-app browser on iOS? A new tool reveals exactly how, showing how applications like TikTok and Instagram can potentially use JavaScript to view sensitive data, including your address, passwords and credit card information, without your consent.
The tool can be found at InAppBrowser.com. All you need to do is open the app you want to check and share the InAppBrowser.com URL somewhere within it — such as DMing the link to a friend or posting it in a comment. From there, you can tap the link and get a report from the website on what scripts are running in the background.
Don’t be intimidated if you’re unfamiliar with tech jargon, as the tool’s developer, Felix Krause, provides some FAQs that explain exactly what you’re seeing. In response to questions on how best to protect yourself, Krause states, “Whenever you open a link from any app, see if the app offers a way to open the currently shown website in your default browser. During this analysis, every app besides TikTok offered a way to do this.”
TikTok responded to the site in a statement, provided earlier to Motherboard and now on Twitter, saying, “The report’s conclusions about TikTok are incorrect and misleading. Contrary to its claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting and performance monitoring.”
Krause is a security researcher and former Google employee who earlier this month shared a detailed report on how browsers within apps like Facebook, Instagram and TikTok can be a privacy risk for iOS users.
In-app browsers are used when you tap a URL within an app. While these browsers are based on Safari’s WebKit on iOS, developers can adjust them to run their own JavaScript code, allowing them to track your activity without consent from you or the third-party websites you visit.
Apps can inject their JavaScript code into websites, allowing them to monitor how the user is interacting with the app. This can include information on every button or link you tap, keyboard inputs and if screenshots were taken, though each app will vary in what information it collects.
In response to Krause’s earlier report, Meta justified the use of these custom tracking scripts by claiming that users already consent to apps like Facebook and Instagram tracking their data. Meta also claims that the data retrieved is only used for targeted advertising or unspecified “measurement purposes.”
“We intentionally developed this code to honour people’s [Ask to track] choices on our platforms,” a Meta spokesperson said. “The code allows us to aggregate user data before using it for targeted advertising or measurement purposes.”
They added: “For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill.”
The tool Krause developed isn’t foolproof. He admits it can’t detect all possible JavaScript commands being executed, and mentions that JavaScript is also used in legitimate development and isn’t inherently malicious. He notes, “This tool can’t detect all JavaScript commands executed, as well as doesn’t show any tracking the app might do using native code (like custom gesture recognizers).” Still, this offers a user-friendly way for iOS users to check on their digital footprint across their favorite applications.
Krause has also made the tool open source, stating, “InAppBrowser.com is designed for everybody to verify for themselves what apps are doing inside their in-app browsers. I have decided to open source the code used for this analysis, you can check it out on GitHub. This allows the community to update and improve this script over time.” You can read more about it on his website.
Update August 19th, 3:34PM ET: Added response from TikTok.