The research claims Facebook and Instagram can follow users through links from the in-app browsers, monitor activity and potentially record sensitive data.
Meta has been injecting code into its Facebook and Instagram apps which allows it to track user activity, according to new research.
The research comes from developer, privacy researcher and ex-Google engineer Felix Krause, who looked at the iOS apps of both social media platforms.
When a user clicks a link in these apps, they are taken to the webpage in an in-app browser instead of the device's default mobile browser, such as Safari. Krause said the apps can then monitor everything that happens on those external websites without the user's consent.
The apps add JavaScript code into every website shown, including when clicking on ads. Krause highlighted this as a privacy risk for the user.
Injecting custom scripts into third-party websites allows apps to monitor all user interactions, he claimed, such as “every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers”.
Krause said he does not have a precise list of what data these apps collect from users, so he did not claim that any sensitive data such as passwords are harvested by Meta.
“Overall the goal of this project wasn’t to get a list of data that is sent back, but to highlight the privacy and security issues that are caused by the use of in-app browsers, as well as to prove that apps like Instagram are already exploiting this loophole,” Krause said.
To detect the code injections, Krause built a tool that monitors all the JavaScript commands executed by the host iOS app in its in-app browser. He noted that no such commands were detected for apps such as WhatsApp and Telegram, as they don't use in-app browsers.
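The detection approach described above, and the form-input monitoring Krause warned about, can be illustrated from the website owner's side. The following is an added example and is not code from the article, from Meta or from Krause's tool: the page wraps the DOM entry points that any script injected into it would need (listener registration, element creation, node insertion), records every call made through the wrapped methods, and keeps the unwrapped originals for its own scripts to use. Because the site's own code calls the originals, whatever appears in the log was issued by code the site did not ship, whether a third-party library or a host app's injected script. The monitor is written over a generic `target` so it runs in Node as well as in a browser; the function names, the `INPUT_EVENTS` list and the "site code uses the originals" convention are assumptions of this example.

```javascript
// Added example (not from the article, Meta or Krause's tool): a page-side
// monitor that logs DOM API calls made by code the site did not ship.

// Event types whose listeners can observe what a user types or submits.
// This list is an assumption of the example, not an exhaustive one.
const INPUT_EVENTS = new Set([
  "input", "keydown", "keyup", "keypress", "change", "submit", "paste", "selectionchange",
]);

// Render a call argument as a short, loggable string (never the raw value).
function describeArg(a) {
  if (typeof a === "function") return "[function]";
  if (a && typeof a === "object") return `[${a.constructor ? a.constructor.name : "object"}]`;
  return String(a);
}

function createMonitor() {
  const log = [];        // every call that went through a wrapped method
  const originals = {};  // "Label.method" -> unwrapped function, for the site's own code
  return {
    log,
    originals,
    // Replace each named method on `target` with a wrapper that records the call
    // (API name, described arguments, timestamp) and then forwards to the original.
    instrument(target, methodNames, label) {
      for (const name of methodNames) {
        const original = target[name];
        if (typeof original !== "function") continue;
        const key = `${label}.${name}`;
        originals[key] = original;
        target[name] = function (...args) {
          log.push({ api: key, args: args.map(describeArg), at: Date.now() });
          return original.apply(this, args);
        };
      }
    },
    // Listener registrations for events that expose user input or form submissions.
    inputListeners() {
      return log.filter(
        (e) => e.api.endsWith(".addEventListener") && INPUT_EVENTS.has(e.args[0])
      );
    },
    // Call counts per API: a compact summary a site could report to its own telemetry.
    summary() {
      const counts = {};
      for (const e of log) counts[e.api] = (counts[e.api] || 0) + 1;
      return counts;
    },
  };
}

// Browser wiring: wrap the prototypes every script in the page goes through.
// Returns false where no DOM exists (for example under Node), so it is safe to call anywhere.
function installInBrowser(monitor) {
  if (typeof EventTarget === "undefined" || typeof Document === "undefined") return false;
  monitor.instrument(EventTarget.prototype, ["addEventListener"], "EventTarget");
  monitor.instrument(Document.prototype, ["createElement"], "Document");
  monitor.instrument(Node.prototype, ["appendChild", "insertBefore"], "Node");
  return true;
}

// Stand-alone demonstration on a constructed stand-in for a DOM object.
const demoMonitor = createMonitor();
const demoTarget = {
  addEventListener(type) { return `registered:${type}`; },
  createElement(tag) { return { tag }; },
};
demoMonitor.instrument(demoTarget, ["addEventListener", "createElement"], "Demo");
demoTarget.addEventListener("keydown", () => {});   // looks like input monitoring
demoTarget.createElement("script");                 // looks like script insertion
console.log(demoMonitor.summary(), demoMonitor.inputListeners().map((e) => e.args[0]));
```

In a real deployment the site would call `installInBrowser` as the first script on the page and route its own listener registrations through `monitor.originals`, so the log only ever contains calls from code it did not write; the summary and the input-listener list are what it would review or report. The monitor cannot tell an injected script from a legitimately included third-party library, so entries are evidence to investigate rather than proof of injection.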
Meta responded to the research and said its procedures follow App Tracking Transparency (ATT) rules set by Apple, according to a tweet by Krause. The company added that the JavaScript code it adds helps aggregate events such as online purchases, before those events are used for targeted advertising or measurement purposes.
“I can’t say how the decisions were made internally,” Krause said. “All I can say is that building your own in-app browser takes a non-trivial time to program and maintain, significantly more than just using the privacy and user-friendly alternative that’s already been built into the iPhone for the past seven years.”
Meta was one of the loudest critics of Apple's ATT privacy update before it was rolled out, claiming the iPhone maker was behaving anticompetitively. Last year, EU antitrust chief Margrethe Vestager warned Apple to give equal treatment to all apps on its platform.