Facebook's In-app Browser

Security researcher Felix Krause has discovered that all third-party links and advertisements displayed within the Instagram and Facebook iOS apps are rendered by a custom in-app browser that is built into the apps themselves.

This poses a number of risks to the user, because the host application can track every single interaction the user has with an external website.

The parent company Meta will be able to track the following information:-

  • Passwords 
  • Addresses
  • Mobile Numbers
  • Every single tap
  • Text selections
  • Screenshots
  • Credit card numbers
  • Debit card numbers

What’s the Purpose of Facebook and Instagram?

Here below, we have mentioned the purposes of Facebook and Instagram in points:-

  • Instead of using the built-in Safari browser to display links to external websites, Instagram renders those links inside the app.
  • There is a risk that Facebook or Instagram may be monitoring everything a user does on an external website from their phone, without the user's knowledge.
  • The Instagram and Facebook applications inject JavaScript code into all websites they display, including those that appear when you click on advertisements.
  • This makes it possible for the host app to monitor all user interactions on those third-party websites by running custom scripts on them.

In-App Browsers’ Risk

Apple addressed iOS users' concerns about tracking in 2021 with iOS 14.5 and a feature called ATT (App Tracking Transparency).

The new control requires app developers to request consent from users before tracking data generated by third-party apps that the developer does not own.

To display a website in the in-app browser, the PCM.JS code is injected into the webpage before the application renders it. Both apps use this code as a bridge for communication between the in-app website content and the host app.

There is a high degree of privacy risk associated with the use of in-app browsers, whether they are provided by Meta or by another company.

The in-app browser could also be used to steal user credentials, API keys, or referral links in order to siphon ad revenue from websites; this is another way a firm could exploit this security hole to gain access to users' critical data.

As Meta explains, app developers must obtain permission before tracking in a Meta app, in compliance with Apple's ATT rule. Whether a user can opt out of Meta's in-app tracking depends on whether the third-party website uses what's called a Meta Pixel.

WhatsApp, by contrast, does not provide a similar service to third-party websites.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.