Facebook’s In-app Browser Within iOS Apps Track Anything You Do On Any Website

All third-party links and the advertising displayed within the Instagram and Facebook iOS apps are rendered by way of a custom in-app browser that is already built into the apps, discovered by a security researcher, Felix Krause.

It is apparent that this poses a number of risks to the user, as the host application has the capability of tracking every single interaction that the user has with an external website.

The parent company Meta will be able to track the following information:-

• Passwords
• Addresses
• Mobile Numbers
• Every single tap
• Text selections
• Screenshots
• Credit card numbers
• Debit card numbers

What’s the Purpose of Facebook and Instagram?

Here below, we have mentioned the purposes of Facebook and Instagram in points:-

In order to view websites within the in-app browser, PCM.JS code must be injected into the webpage and then displayed through the application. Here, to communicate between the in-app website content and the host app, both apps use the code, and the code serves as a bridge between the two apps.

There is a high degree of privacy risk associated with the use of in-app browsers, whether they are provided by Meta or by another company.

The in-app browser can also be used to steal user credentials, API keys, or referral links to siphon ad revenue from websites, which is another way firms can exploit this security hole to gain access to users’ critical and essential data.

App developers must obtain permission before tracking in a Meta app in compliance with Apple’s ATT rule, as explained by Meta. The ability to choose to opt-out of Meta’s in-app tracking is dependent upon the use of what’s called a Meta Pixel by a third-party website.

While in the case of the WhatsApp app, it does not provide a similar service to third-party websites.