• Instagram and Facebook can track anything you do on any website in their in-app

    #2469135

    iOS Privacy: Instagram and Facebook can track anything you do on any website in their in-app browser

    The iOS Instagram and Facebook apps render all third party links and ads within their app using a custom in-app browser. This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap.

    What does Instagram do?

    Links to external websites are rendered inside the Instagram app, instead of using the built-in Safari.

    This allows Instagram to monitor everything happening on external websites, without the consent from the user, nor the website provider.

    The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers.

    Instagram is purposely working around the App Tracking Transparency permission system, which was designed to prevent this exact type of data collection…

    3 users thanked author for this post.
    • #2469144

      I don’t use anything Apple.  I don’t use my Android phone for Facebook or Instagram.  Neither Facebook nor Instagram can track non-clicks.  I use both on my PC, but have only close friends and family as “friends”.  The only clicks Facebook or Instagram gets out of me are on pictures posted by my friends themselves, which are hosted on Facebook or Instagram.

      For “Sponsored” links I click the ellipses in the top right, then click “Hide”, click “Irrelevant” as the reason, then click “Hide all ads” from that advertiser.  In other words, I never leave Facebook to visit any external link.

      I also use Facebook Container, “a Firefox add-on that helps you set boundaries with Facebook and other Meta websites. This extension isolates Meta sites (including Facebook, Instagram, and Messenger) from the rest of the web to limit where the company can track you.”

      When I’m finished with Facebook, as I do when I’m finished on any site, I click on my homepage link in the Firefox header, which takes me to Duck Duck Go.  From there I can go to the next site I want to visit without being tracked.

      This means that my internet travels all jump to and from Duck Duck Go, which effectively sheds any tracking cookies that might be trying to hitch a ride.  I sometimes jump through my own web site.  I have multiple ad blocker/tracking cookie blocker extensions in Firefox, as well.

      I don’t get any ads anywhere (other than the Facebook “Sponsored” links, which I get rid of without clicking on them), much less targeted ads.

      Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
      We all have our own reasons for doing the things that we do. We don't all have to do the same things.

      1 user thanked author for this post.
    • #2471208

      iOS Privacy: Announcing InAppBrowser.com – see what JavaScript commands get injected through an in-app browser

      Last week I published a report on the risks of mobile apps using in-app browsers. Some apps, like Instagram and Facebook, inject JavaScript code into third party websites that cause potential security and privacy risks to the user…

      “How can I verify what apps do in their webviews?”

      Introducing InAppBrowser.com, a simple tool to list the JavaScript commands executed by the iOS app rendering the page.

      To try this tool yourself:

      1. Open an app you want to analyze
      2. Share the url https://InAppBrowser.com somewhere inside the app (e.g. send a DM to a friend, or post to your feed)
      3. Tap on the link inside the app to open it
      4. Read the report on the screen..

      TikTok monitoring all keyboard inputs and taps

      When you open any link on the TikTok iOS app, it’s opened inside their in-app browser. While you are interacting with the website, TikTok subscribes to all keyboard inputs (including passwords, credit card information, etc.) and every tap on the screen, like which buttons and links you click.

      TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app. This can include passwords, credit card information and other sensitive user data. (keypress and keydown). We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites.
      TikTok iOS subscribes to every tap on any button, link, image or other component on websites rendered inside the TikTok app.
      TikTok iOS uses a JavaScript function to get details about the element the user clicked on, like an image…

      * The new “anti-competitive” EU and US laws demand that Apple let apps and browsers run loose on iOS, eliminating the need to use WebKit.
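
The posts above describe in-app browsers subscribing to `keypress`, `keydown` and tap events on third-party pages. As an added example (not part of the thread and not InAppBrowser.com's own code), this is one way a site owner could record which event subscriptions get registered on their page; the names `installListenerAudit`, `SENSITIVE_TYPES` and `demo` are hypothetical, and `demo` uses a constructed stand-in for `document`.

```javascript
// Event types that reveal typed text or taps when subscribed to page-wide
// (list chosen for this example; extend as needed).
const SENSITIVE_TYPES = new Set([
  "keypress", "keydown", "keyup", "input", "click", "touchstart", "selectionchange",
]);

// Name the object a listener was attached to, in a browser or outside one.
function describeTarget(t) {
  if (typeof document !== "undefined" && t === document) return "document";
  if (typeof window !== "undefined" && t === window) return "window";
  return t && t.tagName ? t.tagName.toLowerCase() : t.constructor.name;
}

// Wrap addEventListener on the prototype so every later subscription is
// recorded and then passed through unchanged. Load this before other scripts.
function installListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const log = [];
  proto.addEventListener = function (type, listener, options) {
    log.push({
      type,
      target: describeTarget(this),
      sensitive: SENSITIVE_TYPES.has(type),
      // The stack helps tell the site's own scripts from code it did not ship.
      stack: new Error().stack,
    });
    return original.call(this, type, listener, options);
  };
  return {
    log,
    sensitive: () => log.filter((e) => e.sensitive),
    uninstall: () => { proto.addEventListener = original; },
  };
}

// Constructed demo: a plain EventTarget stands in for `document`, and the
// three calls stand in for subscriptions made by code the site did not write.
function demo() {
  const audit = installListenerAudit();
  const page = new EventTarget();
  page.addEventListener("keydown", () => {});
  page.addEventListener("click", () => {});
  page.addEventListener("load", () => {});
  audit.uninstall();
  return audit.sensitive().map((e) => e.type);
}
```

The audit only sees listeners added after it is installed and from code sharing the page's own JavaScript globals, so an empty log does not prove that nothing is subscribed.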
