A New Open Source Tool Displays Code Injected Into Websites By In-App Browsers


Some mobile applications have built-in browsers that enable users to access other websites rapidly. Other applications have their own browsers that they might use to load the resources they require to carry out certain tasks. These internal browsers might also provide privacy and security problems, though. This month, researcher Felix Krause claimed in a blog post that the iOS apps for Instagram and Facebook could track everything a user did on an external website they visited using the app’s built-in browser. This assertion was supported by the JavaScript code that the applications inserted into the website that the in-app browser displayed.

Later studies revealed that TikTok also injects JavaScript code, changing the content of external websites accessed via the social networking app. TikTok appears to be keeping track of all keystrokes and screen taps, which might allow the corporation to gather passwords and other private data inputted into the built-in browser. According to Meta, the company is injecting the code as part of an App Tracking Transparency (ATT) method to support respecting users’ privacy preferences. The keylogging code is real, according to TikTok, but it’s not being used.

Krause claims that his investigation reveals the possible security and privacy problems related to in-app browsers injecting JavaScript code into external websites. To inspect what code is being executed through these in-app browsers, he last week created an open source, free tool that anyone may use. When the website inappbrowser.com is accessed through an in-app browser, the online tool known as InAppBrowser shows the JavaScript code that is injected. It also explains the functions of each command.

Krause said that while the tool can offer some helpful information, it is limited in its ability to identify all JavaScript that is executed by the browser and is unable to provide any details regarding tracking strategies that are implemented using native code. Some programmes can also conceal their JavaScript operations, for example by using Apple’s WKContentWorld object, which is intended to keep programmes separate from the websites and scripts they access.


Please enter your comment!
Please enter your name here