The researcher Felix Krause has found that apps such as Instagram, Facebook and TikTok can potentially track everything we do on a web page opened in the browser built into their mobile apps. While Google and Apple do a lot to limit what an app or website can learn about us through cookies or identifiers, the truth is that some of it is technically beyond their control.
These apps take advantage of something they control on mobile operating systems: the in-app browser. Unlike apps such as WhatsApp, Twitch, Spotify or Slack, which by default open links in the system browser (Chrome or Safari), TikTok and Instagram use their own browsers. There they can choose to leave the websites we visit untouched, or to change their behaviour and/or appearance by injecting JavaScript. Let's see what that means.
Know (and potentially collect) every step you take on a website
On the left we can see everything that the code Instagram injects is able to do. In the middle we see how to avoid this tracking: by choosing to open the page in the system browser, in this case Safari. On the right we see that the same page opened in Safari detects no code injection, as expected.
If you are worried about what each in-app browser can do when you visit a website, Krause has created InAppBrowser.com, an open source website that shows whether an app is injecting JavaScript and what that code can detect on the screen. It is the tool we used for these screenshots.
According to Krause, when we open a link they’ve sent us in a direct message on Instagram, for example, or click on an ad that interests us, their browser executes the aforementioned JavaScript injection.
At first Krause said the code did not do things like track which links we tapped, but after improving his JavaScript detection he found that it could detect every tap on a link, image or other element, as well as text selected in form fields.
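To make the detection described above concrete, here is an added example of the kind of probe a web page can load as its very first script to record what any JavaScript injected later (for instance by an app's in-app browser) hooks into. This is illustrative code written for this article, not the code behind InAppBrowser.com or anything from Meta or TikTok; the function names, the reporting labels, the `allowedHosts` assumption and the simulated injected behaviour are all constructed for the example.

```javascript
"use strict";

// Added example (not InAppBrowser.com's code): a probe a page can load as its
// first script to record what JavaScript injected later, e.g. by an app's
// in-app browser, hooks into. All names and sample data here are constructed.

// Event types whose listeners give injected code visibility into what the
// user types, taps or selects. The value is how the capability is reported.
const SENSITIVE_EVENTS = {
  keydown: "keystrokes", keyup: "keystrokes", keypress: "keystrokes",
  input: "text entered into fields",
  click: "taps on links, buttons and images",
  touchstart: "taps on links, buttons and images",
  touchend: "taps on links, buttons and images",
  selectionchange: "text selections",
};

// Wrap proto.addEventListener so every registration made after this point is
// appended to `log` and then forwarded to the real method. Returns a restore().
function instrumentAddEventListener(proto, log) {
  const original = proto.addEventListener;
  proto.addEventListener = function (type, listener, options) {
    log.push({ kind: "listener", type: String(type), target: describeTarget(this) });
    return original.call(this, type, listener, options);
  };
  return function restore() { proto.addEventListener = original; };
}

function describeTarget(target) {
  return target && target.nodeName ? String(target.nodeName).toLowerCase() : "object";
}

// Classify a <script> element that appeared in the DOM after the probe ran.
// Assumption: the page itself only loads scripts from `allowedHosts` and adds
// no inline scripts after load, so anything else is treated as foreign.
function classifyScript(node, allowedHosts) {
  if (!node || String(node.nodeName).toLowerCase() !== "script") return null;
  const src = node.src ? String(node.src) : "";
  if (!src) return { src: "(inline)", foreign: true };
  try {
    return { src, foreign: !allowedHosts.includes(new URL(src).host) };
  } catch (e) {
    return { src, foreign: true }; // unparsable URL: treat as foreign
  }
}

// Reduce the log to a report: which user actions the injected code can
// observe, and which foreign scripts appeared in the page.
function summarize(log, allowedHosts) {
  const capabilities = new Set();
  const foreignScripts = [];
  for (const entry of log) {
    if (entry.kind === "listener" && SENSITIVE_EVENTS[entry.type]) {
      capabilities.add(SENSITIVE_EVENTS[entry.type]);
    } else if (entry.kind === "script") {
      const c = classifyScript(entry.node, allowedHosts);
      if (c && c.foreign) foreignScripts.push(c.src);
    }
  }
  return { capabilities: [...capabilities].sort(), foreignScripts };
}

// Browser wiring: hook EventTarget.prototype and watch the DOM for scripts.
// Skipped under Node, which has no DOM; the simulation below covers that case.
function installInBrowser(allowedHosts) {
  const log = [];
  instrumentAddEventListener(EventTarget.prototype, log);
  new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const n of m.addedNodes) {
        if (n.nodeName === "SCRIPT") log.push({ kind: "script", node: n });
      }
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
  return { log, report: () => summarize(log, allowedHosts) };
}
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.__inAppProbe = installInBrowser([window.location.host]);
}

// Offline simulation with a constructed fake DOM: what a hypothetical injected
// script would leave in the log, and the resulting report.
function simulateInjection() {
  const log = [];
  const fakeProto = {
    addEventListener(type) { (this.registered = this.registered || []).push(type); },
  };
  const restore = instrumentAddEventListener(fakeProto, log);
  const field = Object.create(fakeProto); field.nodeName = "INPUT";
  const doc = Object.create(fakeProto); doc.nodeName = "#document";
  // Constructed injected-script behaviour: listen for typing and taps, load a
  // script from a host the page does not use, and add one inline script.
  field.addEventListener("keydown", () => {});
  field.addEventListener("input", () => {});
  doc.addEventListener("click", () => {});
  log.push({ kind: "script", node: { nodeName: "SCRIPT", src: "https://injected.example/tracker.js" } });
  log.push({ kind: "script", node: { nodeName: "SCRIPT", src: "" } });
  log.push({ kind: "script", node: { nodeName: "SCRIPT", src: "https://www.example.com/app.js" } });
  restore();
  return { report: summarize(log, ["www.example.com"]), forwarded: field.registered };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(simulateInjection(), null, 2));
}
```

The probe only sees what is registered through the page's own JavaScript environment. Code that runs in the WebView's native layer, or injected before the page's first script executes, is outside its view, which is exactly why the report can only say what the injected code is able to observe, not what the app actually collects.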
The researcher also reminds us: "The fact that an application injects JavaScript into external websites doesn't mean the app is doing anything malicious." The problem is that we cannot know. What we do know is that in Safari or Chrome, with the extensions those browsers support and in-app browser views lack, these problems do not exist.
Meta confirmed to Krause that it does execute code. However, it claims that the JavaScript it injects (pcm.js) is used to honour user choices under App Tracking Transparency, Apple's policy since iOS 14.5 for preventing apps from tracking us.
That is everything Instagram's injected code is able to learn about a website. It does not mean the company actually collects it.
In the case of TikTok, Krause found that through the social network's in-app browser it can see every text entry made on a web page opened there. It can also see every button, link or image tapped on the screen, and it has a function for retrieving details about the tapped element.
As with Instagram, we cannot know whether TikTok actually collects the information these hooks make available, or what it does with it. What we do know is that it has the ability to do so, because it bypasses the default browser and modifies the pages. According to Forbes, the company acknowledges that the functions exist and that it injects the code, but says it does not use them. Spokesperson Maureen Shanahan said:
"Like other platforms, we use a built-in browser within the app to provide an optimal user experience, but the JavaScript code in question is only used for performance monitoring of this experience, such as debugging, troubleshooting, and checking how fast a page loads or if it fails."
According to Motherboard, a TikTok spokesperson told them:
"The report's conclusions about TikTok are false and misleading. The researcher specifically says that the JavaScript code does not mean our app is doing anything malicious, and acknowledges that we have no way of knowing what kind of data our in-app browser is collecting. We do not collect keystrokes or text inputs through this code used for performance monitoring."
What can we users do?
Opening Instagram links in Safari or any other browser is the way to avoid the app's potential tracking.
Given that what we do may be recorded, anyone who really cares about their privacy (or at least wants to protect it as much as possible) has one option: open links outside the in-app browser.
So when there is an "Open in Safari" or "Open in Chrome" button, the best thing is to use it, above all when the content we are about to view is sensitive. If there is no such option, copy the link and open it manually in a browser. Some apps let us choose which browser opens links from within the app, but they are few.
Krause’s tool tells us this about TikTok’s built-in browser.
The problem is that TikTok, for example, does not even offer an "Open in Safari" option, so its users have even less room to manoeuvre.
At Xataka we have contacted TikTok and Meta for their side of the story. We will update the article when we receive a response.