"Facebook's In-app Browser on iOS Tracks 'Anything You Do on Any Website'"

Users of the Instagram and Facebook apps on Apple's iOS should be aware that both use an in-app browser that allows parent company Meta to track 'every single tap' users make on external websites accessed through the software. According to researcher Felix Krause, who detailed how Meta tracks users, this type of tracking exposes users to various risks. He warns that the iOS versions of both apps can track every interaction with external websites through their in-app browsers, from all form inputs such as passwords and addresses to every single tap.

Apple's 2021 release of iOS 14.5 and a feature called App Tracking Transparency (ATT) addressed iOS users' concerns about tracking. The new control was designed to require app developers to obtain the user's permission before tracking data generated by third-party apps not owned by the developer. Krause claims that the Facebook and Instagram iOS apps are exploiting a loophole to circumvent ATT rules and track website activity within their in-app browsers through the use of custom JavaScript code.

When an iOS Facebook or Instagram user clicks on a link within a Facebook or Instagram post (or an ad), Meta launches its own in-app browser, which can then track what the user does on the external websites they visit. According to the researcher, the PCM.JS code is an external JavaScript file that is injected into websites viewed within the in-app browser. Both apps use the code, which allows them to build a communication bridge between in-app website content and the host app.

Using in-app browsers, whether Meta's or another company's, poses a slew of privacy risks. An in-app browser may enable a company to collect browser analytics such as taps, input, scrolling behavior, and copy-and-paste data without obtaining explicit user consent. In-app browsers could be used as a loophole by a company to steal user credentials and Application Programming Interface (API) keys used in host services, or to inject ads and referral links to siphon ad revenue from websites. Krause cites these as examples and is not accusing Meta of any of these actions.

This article continues to discuss Instagram and Facebook's use of an in-app browser within both iOS apps to track interactions with external websites.

Threatpost reports "Facebook's In-app Browser on iOS Tracks 'Anything You Do on Any Website'"
