It’s no big secret that tech companies like Meta, TikTok, and Google routinely keep a close eye on as much of its users’ activity as possible, but a new website tool is exposing just how sneakily (and creepily) they go about it. Last week, security researcher and former Google employee, Felix Krause, wrote an article explaining how businesses often inject a JavaScript code into third-party websites visited in apps like Instagram and Facebook to track pretty much everything you do and click. Following his readers’ understandably concerned responses, Krause subsequently built a website called InAppBrowser.com that shows you a sizable chunk of what all these companies can see—sizable, but unfortunately not comprehensive.
[ Related: “You have the power to protect your data. Own it.“ ]
Krause’s InAppBrowser can show you at least some of these shady tracking methods via opening the website inside an app. As he notes in his post, however, “There is no way for us to know the full details on what kind of data each in-app browser collects, or how or if the data is being transferred or used… [InAppBrowser] is stating the JavaScript commands that get executed by each app, as well as describing what effect each of those commands might have.”
To use InAppBrowser, all you need to do is copy its full website address (https://inappbrowser.com/) and paste it as a clickable link within the app of your choice. On Instagram, for example, you could make a dummy post (like an Instagram story created solely for the purpose of hosting the link), send a direct message with the link, or paste the link into your profile bio. Then just click the link within the app to open the in-app browser and see the results.
PopSci tested the site out within Instagram and received the following report:
As The Verge explains, “In-app browsers are used when you tap a URL within an app. While these browsers are based on Safari’s WebKit on iOS, developers can adjust them to run their own JavaScript code, allowing them to track your activity without consent from you or the third-party websites you visit.” Which, of course, is exactly what happens. Everything from keystrokes, to highlighted text, to clicked links can be monitored, potentially along with more private information like usernames, passwords, and phone numbers. While it can be unpredictable what companies like Meta would be doing with that info, Krause points out that bad actors could potentially exploit the security loophole with their own JavaScript inserts.
[ Related: “Apple pushes for more in-app ads” ]
Even though the InAppBrowser tool isn’t exhaustive, Krause made sure that its entire source code was available open-source on GitHub, a site that allows for future community access, analysis, and improvement. And while it’s unlikely that any of the companies will remove their JavaScript code anytime soon, so in the future it’s best to simply copy whatever link you want to visit and open it within your browser of choice.