Facebook’s In-app Browser on iOS Tracks ‘Anything You Do on Any Website’

Researcher shows how Instagram and Facebook’s use of an in-app browser within both its iOS apps can track interactions with external websites.

Users of Apple’s Instagram and Facebook iOS apps are being warned that both use an in-app browser that allows parent company Meta to track ‘every single tap’ users make with external websites accessed via the software.

Researcher Felix Krause, who outlined how Meta tracks users in a blog posted Wednesday, claims that this type of tracking puts users at “various risks”. He warns both iOS versions of the apps can “track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap” via their in-app browsers.

iOS users’ concerns over tracking were addressed by Apple’s 2021 release of iOS 14.5 and a feature called App Tracking Transparency (ATT). The added control was intended to require app developers to get the user’s consent before tracking data generated by third-party apps not owned by the developer. Krause said that both the Facebook and Instagram iOS apps use a loophole to bypass ATT rules and track website activity within their in-app browsers through custom JavaScript code that both in-app browsers inject. That means that when an iOS user of Facebook or Instagram clicks on a link within a post (or an ad), Meta launches its own in-app browser, which can then track what the user does on the external sites they visit.

Meta’s Use of a JavaScript Injection

“The Instagram [and Facebook] app injects their JavaScript code into every website shown, including when clicking on ads. Even though pcm.js doesn’t do this, injecting custom scripts into third party websites allows them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers,” Krause wrote.

PCM.JS, according to the researcher, is an external JavaScript file injected into websites viewed within the in-app browser. The file is used by both apps and lets each app build a communication bridge between the website content rendered in-app and the host app. Additional technical information regarding PCM.JS can be found here.
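The article describes a host app injecting an extra script into every page its in-app browser renders. A site operator can detect that kind of injection from inside the page by comparing the `<script>` elements actually present against the origins the site itself serves from, and by watching for scripts that appear after load. The following is an added example, not code from the article, from Krause's tooling or from Meta; the origins, the `pcm.js` path and the inline snippets are constructed sample data, and the script assumes the site stamps its own inline scripts with a server-generated `nonce` attribute.

```javascript
// Added example: audit the scripts present in a page against a site allowlist.
// Pure function so it can be tested outside a browser; auditDocument() below
// feeds it the live document when run in one.

// Constructed sample snapshot of document.scripts (not real data):
//   1. the site's own bundle, 2. a nonce-stamped inline config script,
//   3. an external script from an unknown origin, 4. an unstamped inline
//   script that registers a text-selection listener.
const SAMPLE_SCRIPTS = [
  { src: "https://shop.example/static/app.js", text: "", nonce: "" },
  { src: "", text: "window.cfg = { currency: 'EUR' };", nonce: "r4nd0m" },
  { src: "https://tracker.example/pcm.js", text: "", nonce: "" }, // constructed
  { src: "", text: "document.addEventListener('selectionchange', () => {});", nonce: "" },
];

// Returns the scripts that are neither from an allowed origin nor
// nonce-stamped inline scripts. `baseUrl` resolves relative src values.
function findUnexpectedScripts(scripts, allowedOrigins, baseUrl) {
  const allowed = new Set(allowedOrigins);
  const unexpected = [];
  for (const s of scripts) {
    if (s.src) {
      let origin;
      try {
        origin = new URL(s.src, baseUrl).origin;
      } catch {
        origin = "invalid";
      }
      if (!allowed.has(origin)) {
        unexpected.push({ kind: "external", src: s.src, origin });
      }
    } else if (s.text && s.text.trim().length > 0 && !s.nonce) {
      // Inline script without the site's nonce: report a short preview so
      // logs stay readable without dumping the whole script body.
      unexpected.push({ kind: "inline", preview: s.text.trim().slice(0, 60) });
    }
  }
  return unexpected;
}

// Browser entry point: audit the current document and keep watching for
// scripts added after load, which is when webview-side injection would
// typically show up (assumption about timing, not a claim about any app).
function auditDocument(allowedOrigins, report = console.warn) {
  if (typeof document === "undefined") return null; // not running in a browser
  const toRecord = (el) => ({ src: el.src, text: el.textContent, nonce: el.nonce });
  const found = findUnexpectedScripts(
    Array.from(document.scripts).map(toRecord), allowedOrigins, document.baseURI);
  if (found.length) report("unexpected scripts at load:", found);

  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeName !== "SCRIPT") continue;
        const late = findUnexpectedScripts([toRecord(node)], allowedOrigins, document.baseURI);
        if (late.length) report("script added after load:", late);
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return found;
}

// Stand-alone run on the constructed snapshot (no browser needed).
console.log(findUnexpectedScripts(SAMPLE_SCRIPTS, ["https://shop.example"]));
```

In a real deployment the `report` callback would post the findings to the site's own logging endpoint rather than the console, and the allowlist would be generated from the site's build rather than typed by hand. Note that a Content-Security-Policy header does not help here: scripts a host app injects into its own webview are not subject to the page's CSP, which is why this check inspects the DOM instead.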

Meta responded to Krause’s research with a statement published by The Guardian:

“We intentionally developed this code to honour people’s [Ask to track] choices on our platforms… The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels. For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill.”

In-App Browsers and Privacy Risks

The use of in-app browsers, whether it be Meta’s or another company’s, presents a host of privacy risks, according to Krause. For starters it could allow a company to collect browser analytics, such as taps, input, scrolling behavior and copy-and-paste data without unambiguous user consent.

In-app browsers could also be used as a loophole by a firm to steal user credentials and API keys used in host services, or to inject ads and referral links to siphon ad revenue from websites, the researcher noted. While citing these as examples, Krause is not accusing Meta of any of these actions.

“As my understanding goes, all of [these privacy concerns] wouldn’t be necessary if Instagram were to open the phone’s default browser, instead of building & using the custom in-app browser,” he wrote.

FUD-busting FAQ

While Krause’s research has sparked outrage among privacy activists, he is careful to temper it with answers to the questions it has raised.

  • Can Instagram/Facebook read everything I do online? No! Instagram is only able to read and watch your online activities when you open a link or ad from within their apps.
  • Does Facebook actually steal my passwords, address and credit card numbers? No! I didn’t prove the exact data Instagram is tracking, but wanted to showcase the kind of data they could get without you knowing. As shown in the past, if it’s possible for a company to get access to data legally and for free, without asking the user for permission, they will track it.
  • Is Instagram doing this on purpose? I can’t say how the decisions were made internally. All I can say is that building your own in-app browser takes a non-trivial time to program and maintain, significantly more than just using the privacy and user-friendly alternative that’s already been built into the iPhone for the past 7 years.

Krause offers advice to privacy-minded users of the apps and suggests that, “whenever you open a link from Instagram (or Facebook or Messenger), make sure to click the dots in the corner to open the page in Safari instead.” Safari, he points out, already blocks third party cookies by default.

The researcher is also careful to point out that he does not have a precise list of the data both apps send back to Meta. “I do have proof that the Instagram and Facebook app actively run JavaScript commands to inject an additional JavaScript SDK without the user’s consent, as well as tracking the user’s text selections,” he wrote.

Apple’s 11-Word Response

In July, Apple upped its privacy game and announced a feature called Lockdown Mode, which is offered as “an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware.”

The researcher filed what is called an Open Radar Community Bug Report with Apple last month claiming “iOS Lockdown Mode allows custom in-app webviews, host apps can steal information.”

Apple responded within a comment to the report simply stating “Thanks for your report. This isn’t what Lockdown Mode is for.”

Meta responded directly to Krause’s report, stating that the PCM.JS JavaScript “helps aggregate events, i.e. online purchase, before those events are used for targeted advertising and measurement for the Facebook platform.”

Meta explained to Krause that it respects Apple’s App Tracking Transparency (ATT) rule, which requires app developers to get permission before tracking. The researcher notes that opting out of Meta’s in-app browser tracking depends on a third-party website’s use of what is called a Meta Pixel. A Meta Pixel is “a snippet of JavaScript code that allows you to track visitor activity on your website,” according to a Meta developer description.

The researcher acknowledges that Meta is following ATT rules.

“According to Meta, the script injected (pcm.js) helps Meta respect the user’s ATT opt out choice, which is only relevant if the rendered website has the Meta Pixel installed,” Krause wrote.
