A few days ago, developer Felix Krause shared a detailed report on how mobile apps track user data using their own in-app web browsers. Now Krause is back with a new tool that lets anyone see the JavaScript commands injected through an in-app browser.
The platform is called InAppBrowser and any interested user can visit it to see how web browsers embedded in apps inject JavaScript code to track people.
For those unfamiliar, in-app browsers typically come into play when a user taps a URL within an app. The app then displays the web page itself, without redirecting the user to an external browser app such as Safari or Google Chrome.
However, although these in-app browsers are based on Safari’s WebKit on iOS, developers can modify them to run their own JavaScript code. As a result, users are more likely to be tracked without their knowledge. For example, an app can use a custom in-app browser to collect all taps on web pages, keyboard inputs, website titles, and more.
Such data can be used to create an individual’s digital fingerprint. In most cases, data collected from people on the web is used for targeted advertising. Krause points out that the platform can’t detect every JavaScript command, but it gives users more insight into the data that apps are collecting.
Using the InAppBrowser tool is very easy. First, open the app you want to analyze. Then share the URL “https://InAppBrowser.com” somewhere within the app (you can send it as a DM to your friends). Tap a link in the app to open it and get a report on JavaScript commands.
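One way a web page can surface event listeners that a host app's script registers on it, as an added example (not Krause's code and not taken from InAppBrowser.com). It assumes the page wraps `addEventListener` before the injected script runs; `watchListeners`, `summarize` and the list of event types are hypothetical. The `keydown` listener registered before the hook goes unseen, which shows one reason such a page cannot detect every command.

```javascript
// Event types a script would need in order to observe the taps, keyboard
// input and text selections mentioned above (the list is an assumption).
const SENSITIVE = new Set(['click', 'touchstart', 'keydown', 'keypress',
                           'keyup', 'input', 'selectionchange']);

// Wrap target.addEventListener so every later registration is recorded.
// Returns the live log and a function that restores the original method.
function watchListeners(target) {
  const log = [];
  const original = target.addEventListener;
  target.addEventListener = function (type, listener, options) {
    log.push({
      type: String(type),
      sensitive: SENSITIVE.has(String(type)),
      // A prefix of the handler source helps a reviewer judge what it does.
      source: typeof listener === 'function'
        ? listener.toString().slice(0, 80) : '[object listener]',
    });
    return original.call(this, type, listener, options);
  };
  return { log, restore() { target.addEventListener = original; } };
}

// Count registrations per sensitive event type.
function summarize(log) {
  const counts = {};
  for (const entry of log) {
    if (entry.sensitive) counts[entry.type] = (counts[entry.type] || 0) + 1;
  }
  return counts;
}

// Constructed demo: an EventTarget stands in for `document`, and the calls
// below stand in for script added by a host app.
function demo() {
  const doc = new EventTarget();
  doc.addEventListener('keydown', () => {});   // before the hook: not seen
  const watch = watchListeners(doc);
  doc.addEventListener('keypress', function onKey(e) {});
  doc.addEventListener('click', function onTap(e) {});
  doc.addEventListener('selectionchange', function onSel(e) {});
  doc.addEventListener('load', function onLoad(e) {});  // recorded, not sensitive
  watch.restore();
  doc.addEventListener('click', () => {});     // after restore: not recorded
  return { total: watch.log.length, sensitive: summarize(watch.log) };
}

console.log(demo());
```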
Krause also tested the tool on a few popular apps, so you don’t have to. You can monitor. Meanwhile, Instagram can even detect all text selections on a website.
Of course, developers also note that not all apps that inject JavaScript code into the in-app browser do so for malicious purposes, because JavaScript is the foundation of many web features. For more information, see Krause’s website.
Update: TikTok’s response to Krause’s allegations
TikTok got in touch with 9to5Mac with a statement in response to Krause’s allegations. The company said the report was “inaccurate and misleading.” The social network, which focuses on short videos, notes that the researchers themselves say that JavaScript code is not always used for malicious purposes.
“The report’s conclusions about TikTok are incorrect and misleading. The researchers specifically say that the JavaScript code does not mean the app is doing anything malicious, and acknowledge that they have no way of knowing what kind of data the in-app browser collects. Contrary to what the report claims, we do not collect any keystrokes or text input through this code and it is used only for debugging, troubleshooting and performance monitoring.”
TikTok spokesperson
According to a TikTok spokesperson, some of the code the researchers used as examples is general input and is not used to collect what users type into the app or in-app browser. After all, JavaScript code is commonly used to debug, troubleshoot, and monitor performance of web pages.
A TikTok spokesperson also assured that the company respects the privacy policies presented to users and that the app only collects information that users choose to share.