According to his announcement, the development of the tool was triggered by his own report on the risks of mobile apps using in-app browsers. Instead of opening links to external websites in the device's default browser, many apps render those links inside the app itself. More importantly, such apps rarely offer an option to use a standard browser as the default instead of the in-app browser. Since it would be far easier for a developer to hand the link to a browser that is already present, there must be a reason they want you to open links inside their own app.
Well, one of those reasons is that they can inject their own code into the website they just opened, which allows them to collect all the taps on a webpage, keyboard inputs, website title, and more. This is a privacy risk as such data can be used to create a digital fingerprint of a person. App-makers also claim, with some truth, that users do not like to hop from app to app—leaving their current environment only to be brought to another environment, like a separate web browser, when, for instance, shopping online.
How to use
Unsurprisingly, Instagram and Facebook have the ability to track interactions like searches, clicks, screenshots, and “form inputs.” Form inputs are a big deal, since they can include things like passwords and credit card numbers. According to Meta’s response to Krause’s report, the injected script helps aggregate events, such as an online purchase, before those events are used for targeted advertising and measurement for the Facebook platform.
One small bonus point for Facebook and Instagram is that they offer you the option to open third-party links in another browser (use that option!), which is more than we can say for TikTok.
This should not come as a surprise, given that the FCC already called TikTok an unacceptable security risk. When you open any link in the TikTok iOS app, it is opened inside their in-app browser. There is no alternative. While you are interacting with the website, TikTok subscribes to all keyboard inputs (including passwords, credit card information, etc.) and every tap on the screen, such as which buttons and links you click. There is no way to know what TikTok uses the subscription for, but from a technical perspective this is the equivalent of installing a keylogger on third-party websites. TikTok confirmed that those features exist in the code, but said that it is not using them.
There are some legitimate reasons for apps to use an in-app browser, but these should be limited to first-party content, and even then the publisher should offer the user the option to open the content in another browser, or an explanation as to why that is not possible. Such reasons do not exist for third-party content, which should always be opened in the browser the user prefers to use.
The inappbrowser tool is unable to show you everything that is going on for a couple of reasons, so a green checkmark is no guarantee.
- The tool cannot detect other app tracking that may occur, such as custom gesture recognition, screenshot detection, or tracking of web request events.
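As an added illustration (not the InAppBrowser.com tool's own code), here is the kind of check a detector page can run against the page it is loaded in: list scripts the site did not ship, and look for browser APIs that have been replaced by JavaScript wrappers. The site origin, the script list and the hooked object are constructed sample input so it runs under Node.

```javascript
// Added example, not the InAppBrowser.com tool's code. Runs in Node on
// constructed input; in a browser you would pass document.scripts and
// window / EventTarget.prototype instead of the constructed objects.

const FIRST_PARTY_ORIGIN = "https://shop.example.test"; // assumed site origin

// A function whose source still reads "[native code]" has not been
// replaced by page JavaScript. Caveat: a script that also replaces
// Function.prototype.toString defeats this check, one reason a clean
// result is not a guarantee.
function isNativeFunction(fn) {
  return (
    typeof fn === "function" &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn))
  );
}

// Names of APIs on `target` that are no longer native, e.g. an
// addEventListener wrapper that sees every keyboard or tap event.
function findHookedApis(target, names) {
  return names.filter((name) => !isNativeFunction(target[name]));
}

// Scripts the page did not ship: external ones from another origin, or
// inline ones whose text is not in the site's known set.
function findForeignScripts(scripts, firstPartyOrigin, knownInline) {
  const site = new URL(firstPartyOrigin).origin;
  const foreign = [];
  for (const s of scripts) {
    if (s.src) {
      let origin = "invalid-url";
      try { origin = new URL(s.src, firstPartyOrigin).origin; } catch {}
      if (origin !== site) foreign.push({ kind: "external", src: s.src });
    } else if (!knownInline.has(s.text)) {
      foreign.push({ kind: "inline", text: s.text.slice(0, 40) });
    }
  }
  return foreign;
}

// Constructed sample of what a page might see inside a tracking in-app browser.
function demo() {
  const scripts = [
    { src: "/static/app.js" },                                // our own
    { src: "https://cdn.tracker.example/collect.js" },        // injected
    { text: "console.log('checkout')" },                       // ours
    { text: "document.addEventListener('keydown', report)" },  // injected
  ];
  const knownInline = new Set(["console.log('checkout')"]);
  const hooked = {
    addEventListener: function (type, listener) { /* JS wrapper */ },
    push: Array.prototype.push, // an untouched built-in for comparison
  };
  return {
    scripts: findForeignScripts(scripts, FIRST_PARTY_ORIGIN, knownInline),
    hooked: findHookedApis(hooked, ["addEventListener", "push"]),
  };
}
```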
The article and the tool are focused on iOS, because the developer feels he is not knowledgeable enough to talk about the Android side of things, but you can rest assured that the apps you shouldn’t trust will be the same on either platform.