InAppBrowser reveals if TikTok, Instagram and other apps with browsers inject their JavaScript

Earlier this month it was revealed that popular mobile applications with integrated browsers inject custom JavaScript into visited sites. Facebook, Instagram and TikTok all use code injection techniques to track virtually anything that app users do on any website that is opened in the in-app browser.

The companies that own the offending applications benefit from this in several ways. First, everything happens entirely behind the scenes, without most users suspecting any of it. Second, the in-app browsers do not support content blockers or reveal privacy information when used.

Most companies use in-app browsers and code injections for tracking and monetization purposes, but some may use code to monitor all user activity, including all keystrokes.

Felix Krause created the website InAppBrowser, which is designed to reveal to the user if an in-app browser is injecting code.

Here is how it works:

  1. Open the application that you want to analyze.
  2. Use the share functionality inside the application to get the link https://InAppBrowser.com into the app. You may DM a contact or post publicly.
  3. Open the link that has just been shared or posted.
  4. Check the report that is displayed.

The website reveals if it detected JavaScript code injections and how it rates these injections. For TikTok, the website reveals the following:

  • Adds CSS code, allows app to customize appearance of website.
  • Monitors all taps happening on websites, including taps on all buttons & links.
  • Monitors all keyboard inputs on websites.
  • Gets the website title.
  • Gets information about an element based on coordinates, which can be used to track which elements the user clicks on.

Instagram, another popular application, injects JavaScript code as well. While it does not monitor keyboard inputs, it does monitor all JavaScript messages and all text selections, and injects external JavaScript code.

All detected JavaScript commands are listed as well for deeper inspection.

You can check out the blog post, which offers additional details.

Krause notes that the site may not detect all code injections or all executed JavaScript commands. Also, it does not detect native code, which apps may use as well.
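One way a page can surface the kinds of calls listed in the report above, shown as an added example that is not InAppBrowser.com's own code: wrap the DOM APIs before any other script runs and record who calls them. The names `instrument`, `fakeDocument` and `simulatedInjection` are hypothetical, and the document object and the injected calls are constructed so the example runs in Node.

```javascript
// Event types mapped to the report labels used in the article.
const EVENTS = new Map([['keydown', 'keyboard inputs'], ['keyup', 'keyboard inputs'],
  ['click', 'taps'], ['touchstart', 'taps'], ['selectionchange', 'text selections']]);

// Wraps selected document APIs and returns a live list of findings.
// The page itself must not call these APIs, or its own calls are recorded too.
function instrument(doc) {
  const findings = [];
  const wrap = (name, classify) => {
    const orig = doc[name];
    doc[name] = function (...args) {
      const label = classify(...args);
      const shown = args.filter((a) => typeof a !== 'function').join(', ');
      if (label) findings.push({ label, call: `${name}(${shown})` });
      return orig.apply(this, args); // behaviour is unchanged for the caller
    };
  };
  wrap('addEventListener', (type) => EVENTS.has(type) && `monitors ${EVENTS.get(type)}`);
  wrap('elementFromPoint', () => 'gets element at coordinates');
  wrap('createElement', (tag) => /^style$/i.test(tag) && 'adds CSS code');
  let title = doc.title; // read once before the accessor below is installed
  Object.defineProperty(doc, 'title', {
    get() { findings.push({ label: 'gets the website title', call: 'document.title' }); return title; },
    set(v) { title = v; },
  });
  return findings;
}

// Constructed stand-in for a browser document (assumption, Node has no DOM).
const fakeDocument = () => ({
  title: 'Example page',
  addEventListener() {},
  elementFromPoint() { return null; },
  createElement(tag) { return { tagName: tag }; },
});

// Constructed stand-in for calls a host app's injected script might make.
function simulatedInjection(doc) {
  doc.addEventListener('keydown', () => {});
  doc.addEventListener('click', () => {});
  doc.elementFromPoint(10, 20);
  doc.createElement('style');
  return doc.title;
}

function runDemo() {
  const doc = fakeDocument();
  const findings = instrument(doc);
  simulatedInjection(doc);
  return findings.map((f) => `${f.label}: ${f.call}`);
}
console.log(runDemo().join('\n'));
```

Hooks like these only see calls made through the wrapped APIs, which matches Krause's caveat that not every injection or command is detected and that native code is out of reach.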

Protection against invasive in-app browsers

Mobile app users have just a few options. Besides the obvious one, removing the app from the device, they may be able to redirect links to other browsers on the device. Not all apps support that, though. DNS-based content blockers may not help much either, at least not against the potential reading of keystrokes or other activities unrelated to the display of ads or tracking.

Now You: Do you use apps with in-app browsers?

Thank you for being a Ghacks reader. The post InAppBrowser reveals if TikTok, Instagram and other apps with browsers inject their JavaScript appeared first on gHacks Technology News.
