A researcher has conducted an analysis to see how major companies could track user activity through their mobile in-app browsers, and released a free and open source tool that allows anyone to check what code is being injected by such browsers.
Some mobile applications use built-in browsers to let users quickly open third-party websites. Other apps include a browser to load their own web content, which certain features require. Either way, these internal browsers can pose security and privacy risks: the host app controls the browser and can inject its own code into the pages it loads.
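As an added illustration of the kind of check such a tool performs (example code written for this article, not Krause's InAppBrowser code), the script below audits a page for two common signs of injection by a host app's WebView: script elements whose origin is not on the site's own allowlist, and built-in browser APIs that have been replaced by non-native wrappers. The script descriptors, allowlist and simulated scope are constructed sample data; in a real page you would build them from `document.scripts` and `window`, and the assumption that the page ships its JavaScript only as external files is labelled in the code.

```javascript
// Added example, not part of the original article or of the InAppBrowser project.

// A built-in function reports "[native code]" as its body; a JavaScript wrapper
// installed by injected code does not, so this reveals patched APIs.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  return /\{\s*\[native code\]\s*\}$/.test(Function.prototype.toString.call(fn));
}

// Names of APIs on `scope` that exist but are no longer native implementations.
function findOverriddenApis(scope, names) {
  return names.filter((name) => name in scope && !isNativeFunction(scope[name]));
}

// Scripts the page did not ship: external scripts from non-allowlisted origins,
// plus inline scripts (assumption: this site ships its own JS only as external files).
// `scripts` is a list of { src, inline } descriptors as you would derive from document.scripts.
function findForeignScripts(scripts, allowedOrigins) {
  return scripts.filter((s) => {
    if (s.inline) return true;
    try {
      return !allowedOrigins.includes(new URL(s.src).origin);
    } catch (e) {
      return true; // an unparsable src is treated as suspicious
    }
  });
}

// Combine both checks into one report object.
function auditPage(scripts, allowedOrigins, scope, apiNames) {
  return {
    foreignScripts: findForeignScripts(scripts, allowedOrigins)
      .map((s) => (s.inline ? '(inline)' : s.src)),
    overriddenApis: findOverriddenApis(scope, apiNames),
  };
}

// ---- constructed sample input standing in for a page loaded inside an app's browser ----
const sampleScripts = [
  { src: 'https://example.com/app.js', inline: false },
  { src: 'https://cdn.example.com/vendor.js', inline: false },
  { src: 'https://tracker.invalid/inject.js', inline: false }, // constructed: foreign origin
  { src: '', inline: true },                                   // constructed: inline injection
];
const allowedOrigins = ['https://example.com', 'https://cdn.example.com'];
const sampleScope = {
  push: Array.prototype.push,                                   // untouched built-in
  addEventListener: function wrapped(...args) { return args; }, // constructed: wrapped API
};

const report = auditPage(sampleScripts, allowedOrigins, sampleScope, ['push', 'addEventListener']);
console.log(report);
```

The report lists the tracker script, the inline script, and `addEventListener` as overridden; a site can log such a report server-side to measure how often its pages are loaded in modified in-app browsers.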
Meta said the code is being injected as part of an App Tracking Transparency (ATT) mechanism that helps the company respect users’ privacy choices. TikTok confirmed that the keylogging code exists, but said it’s not actually being used.
Users who are concerned about the potential risks should always open websites in their phone’s browser rather than the in-app browser. Popular apps often provide the ‘Open in browser’ option for this task, or users could simply copy and paste the URL.
Krause also noted that some iOS apps follow Apple’s recommendation and use Safari or the Safari view controller for accessing external websites, and this prevents them from injecting their own code.
The InAppBrowser source code is available on GitHub. The tool works with both Android and iOS applications.