'InAppBrowser.com' lets you check whether you are being tracked when you tap a link inside an app

A former Google engineer who found that the browsers built into the Facebook and Instagram iOS apps read user information has published 'InAppBrowser.com', a site that makes it easy to find out whether the apps you use carry the same risk.

iOS Privacy: Announcing InAppBrowser.com - see what JavaScript commands get injected through an in-app browser Felix Krause

Former Google privacy researcher Felix Krause revealed on August 10, 2022 that the in-app browsers of the apps provided by Meta inject JavaScript code into external sites and monitor what the user enters. More information on this issue is provided in the article below.

A survey by a former Google engineer revealed that ``Facebook and Instagram apps track users who tapped links in detail'' - GIGAZINE

Mr. Krause saw that the finding drew a strong response and was discussed in many communities, and noticed that many people wanted to check the behavior of the apps they were using themselves.

Therefore, Mr. Krause created 'InAppBrowser.com', a site that checks whether an in-app browser is performing JavaScript injection. Mr. Krause has open-sourced InAppBrowser.com and published it on GitHub, so anyone can inspect its code.

The check is simple: open InAppBrowser.com in the app you want to test. For a social networking app, for example, you can open it from a post or a DM that contains the InAppBrowser.com link.
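To make the check concrete, here is an added example of the kind of page-side logic such a check relies on. It is not the code of InAppBrowser.com or of Felix Krause: the classification is written as a pure function so it can be run outside a browser, the origin `https://example-check.test` is an assumed stand-in for the checking page's own origin, and the sample node list is constructed. `installDomWatcher` wires the classifier to a `MutationObserver` only when a real `document` exists.

```javascript
// Added example, not InAppBrowser.com's own code. A checking page ships a known
// set of scripts; anything that appears in the DOM afterwards came from
// somewhere else, typically the host app's WKWebView injecting a user script.

// Assumed origin of the checking page itself (placeholder, not a real site).
const OWN_ORIGINS = ["https://example-check.test"];

// Each node is described as { tag, src, inlineLength } so the logic does not
// depend on the real DOM. Returns a list of findings.
function classifyInsertedNodes(nodes, ownOrigins) {
  const findings = [];
  for (const n of nodes) {
    const tag = String(n.tag || "").toUpperCase();
    if (tag === "SCRIPT") {
      if (n.src) {
        let origin = null;
        try { origin = new URL(n.src).origin; } catch { origin = null; }
        // A script lazily loaded from the page's own origin is expected.
        if (origin && ownOrigins.includes(origin)) continue;
        findings.push({ kind: "external-script", detail: n.src });
      } else {
        // Inline script with no src: the page never shipped it.
        findings.push({ kind: "inline-script", detail: `${n.inlineLength} chars` });
      }
    } else if (tag === "STYLE" || tag === "LINK") {
      findings.push({ kind: "page-modified", detail: tag.toLowerCase() });
    } else if (tag === "IFRAME") {
      findings.push({ kind: "page-modified", detail: "iframe " + (n.src || "") });
    }
  }
  return findings;
}

// Collapse findings into the two verdicts a user cares about.
function summarize(findings) {
  const injected = findings.some(f => f.kind === "external-script" || f.kind === "inline-script");
  const modified = findings.some(f => f.kind === "page-modified");
  return { javascriptInjected: injected, pageModified: modified, count: findings.length };
}

// Baseline check: compare the script URLs the page knows it shipped with what is
// present at load time. This catches scripts injected at document start, which a
// MutationObserver installed later would never see.
function findUnexpectedScripts(expectedSrcs, presentScripts) {
  const expected = new Set(expectedSrcs);
  return presentScripts.filter(s => !(s.src && expected.has(s.src)));
}

// Browser wiring: observe DOM additions and report. Returns null outside a browser.
function installDomWatcher(ownOrigins, onReport) {
  if (typeof document === "undefined" || typeof MutationObserver === "undefined") return null;
  const observer = new MutationObserver(records => {
    const added = [];
    for (const r of records) {
      for (const node of r.addedNodes) {
        if (node.nodeType !== 1) continue; // element nodes only
        added.push({
          tag: node.tagName,
          src: node.src || node.href || "",
          inlineLength: (node.textContent || "").length,
        });
      }
    }
    const findings = classifyInsertedNodes(added, ownOrigins);
    if (findings.length) onReport(findings, summarize(findings));
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed sample: one legitimate lazy-loaded module, one foreign inline
// script, one injected stylesheet.
const SAMPLE_ADDED_NODES = [
  { tag: "SCRIPT", src: "https://example-check.test/app.js", inlineLength: 0 },
  { tag: "SCRIPT", src: "", inlineLength: 1834 },
  { tag: "STYLE", src: "", inlineLength: 120 },
];

function runSample() {
  const findings = classifyInsertedNodes(SAMPLE_ADDED_NODES, OWN_ORIGINS);
  return summarize(findings);
}

console.log(runSample()); // { javascriptInjected: true, pageModified: true, count: 2 }
```

One caveat worth keeping in mind when reading such a verdict: a host app can run JavaScript through the web view's native evaluation API that only attaches event listeners and creates no DOM nodes at all, and a DOM observer cannot see that. A baseline inventory at load time plus the observer narrows the blind spot but does not remove it, which is why a clean result is evidence, not proof.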

I tried checking the Facebook application as a test below. As expected, JavaScript injection was detected.

I also tried it on Twitter.

The result is below. No JavaScript injection was detected on Twitter.

Mr. Krause's research also detected problems on Facebook, and TikTok did not even offer an 'Open in default browser' option. In addition, the Instagram, Facebook Messenger and Amazon apps were confirmed to modify pages (Modify page) and fetch metadata (Fetch metadata); fetching metadata alone is considered harmless and raises no security or privacy concerns. On the other hand, no issues were found in the photo-sharing app Snapchat or the investment app Robinhood.

Of particular note is TikTok. According to Krause, any link opened in the iOS version of the TikTok app is always opened in the in-app browser, and TikTok appears to monitor every tap performed on the displayed site and every keyboard input, including passwords and credit card details.

``I don't know what TikTok uses the data for, but from a technical point of view, TikTok is essentially installing a keylogger on third-party websites,'' Krause said.

On the other hand, the following apps adhered to the use of Safari or SFSafariViewController, which Apple recommends to app developers, and it was not possible to inject JavaScript code into them.

As a means of self-defense, Mr. Krause advised: ``Most in-app browsers have a function to open the displayed site in Safari, so use the ``Open in browser'' function as soon as the in-app browser opens and switch to safer browsing. If you don't have that button, you'll have to copy the URL and open it in any browser. If you can't even do that, it's a little tricky, but you can also press and hold the link and use the copy function.''

in Review,   Software,   Security, Posted by log1l_ks