Facebook and Instagram’s in-app browser exploits expose user privacy concerns

ByLance T. Lee

Aug 12, 2022
Facebook’s collection and sale of user data for advertising purposes took a huge hit when Apple introduced its App Tracking Transparency (ATT) feature, with Facebook predicting it will lose $10 billion in revenue this year. However, it looks like Meta, Facebook’s parent company, still has a few behavior tracking tricks up its sleeve. New research shows that Facebook, Instagram, and Messenger mobile apps inject custom script through their built-in browsers.

Some mobile apps open links in an in-app browser, rather than opening them in the user’s default browser app. In the case of iOS, the default browser app is Apple’s own Safari web browser, unless users change it in the device settings. When app developers want their users to briefly view websites without going through the Safari app, Apple recommends developers use SFSafariViewController, which opens a restricted Safari viewport. Nevertheless, Apple does not prohibit app developers from building their own web browsers into their apps, although the company discourages the use of this technique.

Telegram web view (left) vs Instagram web view (right) (Source: Felix Krause)
Meta takes advantage of this allowance by building custom web browsers in its Facebook, Instagram, and Messenger mobile apps that inject JavaScript into web pages. A researcher by the name of Felix Krause has built a tool to detect JavaScript injection and opened this tool in various mobile apps. As expected, apps that use Apple’s SFSafariViewController, like Telegram, don’t inject JavaScript. However, Krause’s tool detected JavaScript injection when opened in custom web browsers built into Facebook, Instagram, and Messenger mobile apps.

At first, Krause thought that these custom built-in browsers might inject the Meta Pixel, which is a piece of JavaScript code that tracks user behavior on websites. However, Meta contacted the researcher via email to clarify that the injected JavaScript code is not the Meta Pixel, but rather a script named pcm.js. The pcm.js code includes comments that discuss fetching documents for image scripts and marking them with a tracking URL, but we can’t decipher what all the code does. According to Meta, this script helps in-app browsers honor users’ application tracking transparency settings in the event that visited websites contain the Meta Pixel.

Regardless of what this particular script does, this research raises broader privacy and security concerns. The Facebook, Instagram, and Messenger apps demonstrate that it’s possible for apps to ship with their own web browsers that inject custom JavaScript into web pages. App developers looking to collect information about their users’ behavior on the websites they visit could inject JavaScript that would do just that. A perhaps more sinister application for this technique could be a malicious application with an embedded web browser that injects code to steal login credentials or other sensitive information that users enter into web forms.

Fortunately, most in-app browsers can be avoided with an option that allows users to open web pages in the default browser. In case this option is not offered, users may want to manually copy the links and paste them into the web browser of their choice.


Source link