As a new research on social media in-app browsers shows, there are some hidden web trackers that not even the best VPN services can prevent.
Felix Krause, a former Google engineer, reported (opens in new tab) that people who directly open webpages from their Facebook and Instagram app could be putting their personal information at risk. This is because Meta seems to inject additional lines of code on websites to better track users’ online activities.
“Even though the injected script doesn’t currently do this, running custom scripts on third party websites allows them to monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers,” he said.
Also, the TikTok iOS app has been found capable of “subscribing” to all keyboard inputs. This means that it can potentially monitor everything you click on your screen while using the app.
💥 New Post: Instagram & Facebook tracks everything you do on any website in their in-app browserhttps://t.co/dj5CMJUwHc pic.twitter.com/LvWXGa34N2August 10, 2022
Both Meta and TikTok quickly replied to such allegations.
Despite not revealing the practice to its users in advance, Meta said that the script injected helps Meta respect the user’s ATT [App Tracking Transparency] opt out choice.
“The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels,” a Meta spokesperson explained to The Guardian (opens in new tab).
As it has the potential to allow the manipulation of websites or other web applications, it is generally used by hackers or other malicious actors to send cyberattacks. Similarly to malware injection, these attacks aim to collect users’ sensitive data.
As Krause explains in his blog posts, this practice allows both Meta and TikTok to track users’ activities after they leave the social media app: from the page they visit, to what they type on the devices’ keyboard and screenshot they take.
What’s certain is that Meta, for example, experienced a record drop in daily users and a 26% fall in the company share price (opens in new tab) this year. The latter came after Apple introduced a stricter policy against cross-host tracking. This means that app developers now need to ask permission to track users across apps.
Krause also pointed out that Safari, Google Chrome and Firefox have all been revamping their third party cookies policies lately.
How to protect yourself against in-app browsers tracking
Whether or not social media developers use in-app browser links to enhance their control on users, there are a few ways to simply avoid the practice.
1. Open the URL directly on the browser
2. Use the web version of the social media app
As social networks also have a web-version of their apps, you could consider using this instead of the mobile application to escape any danger of in-app browser pages.
3. Verify which type of information your apps retain about you
If you are worried about your general online privacy, you can also use additional security software to protect your sensitive information.
You can replace your data-hungry Google Chrome with one of the most secure browsers, for example. You should also consider securing your overall online anonymity with a secure VPN service.
One the best cheap VPN services around, Surfshark, even offers a full security bundle including four cybersecurity tools with just one subscription. Surfshark One comes with its own VPN, a data leak detection system, a private search engine and antivirus software.