An article written by Andrew Kim | @andrewkimARK
Last month, software developer Felix Krause reported that the in-app browsers in Facebook’s, Instagram’s, and TikTok’s Apple iOS apps inject JavaScript into the web pages they display. When a user taps a link or an ad, each of these apps opens the third-party website in its own in-app browser rather than in the user’s default browser, and the app’s JavaScript then runs inside that page. As Krause noted, if he is on to something, app developers can use their in-app browsers to monitor user activity on third-party websites without consent. Although the App Store’s review policies do not prohibit in-app browsers from tracking user activity on third-party websites, injecting JavaScript of this kind seems at odds with Apple’s recent brand campaigns and its emphasis on user privacy, epitomized by the App Tracking Transparency (ATT) framework introduced with iOS 14.5 in April 2021.
Again, if Krause is correct, Meta and TikTok could monitor all user activity occurring within their in-app browsers, including interactions with user interface (UI) elements such as search fields and text boxes on third-party websites. While Meta’s apps do not force users to stay in the in-app browser, TikTok hides the address bar entirely and offers no way to reopen a link in the browser of the user’s choosing. According to Krause, TikTok’s injected JavaScript can observe every keystroke on third-party pages loaded in its in-app browser, including payment details and other personal information.
Meta and TikTok use in-app browsers in part to measure advertising efficacy in a post-ATT setting, but Apple could respond to the privacy risk and to potentially malicious activity by restricting app developers’ use of WKWebView, a more customizable and flexible application programming interface (API) than the Apple-recommended SFSafariViewController. The distinction is the crux: SFSafariViewController renders the page in a separate process that the host app cannot script or inspect, whereas WKWebView lets the host app inject its own JavaScript into every page it loads and read back whatever that script observes. Apple is unlikely to ban in-app browsers altogether, but it could restrict WKWebView-based browsers, limiting the traffic that social platforms route to third-party websites through their own browsers and, as a result, any incremental ability to measure the impact of their ads.
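As an added illustration, and not code from Krause, Meta, TikTok or Apple nor part of the original article, the following page-side JavaScript shows the checks a website operator could run to notice the situation described above: whether the page is being rendered inside a WKWebView rather than Safari, whether script elements were appended to the page after it loaded, and whether browser natives such as addEventListener or fetch have been wrapped. The user-agent heuristic, the constructed sample inputs, the example hostnames and the choice of natives to snapshot are all assumptions made for this example.

```javascript
// Added example: page-side heuristics for spotting an in-app WKWebView and
// script injected into the page after it loaded. Not Felix Krause's tool and
// not code from Meta, TikTok or Apple; every heuristic here is an assumption.

// 1. WKWebView on iOS sends a user agent with AppleWebKit and Mobile but no
//    "Safari/" or "Version/" token; Safari and SFSafariViewController carry
//    both. A widely used convention, assumed here, not a guarantee.
function isLikelyWKWebView(ua) {
  const ios = /\b(iPhone|iPad|iPod)\b/.test(ua);
  const webkit = /AppleWebKit\//.test(ua);
  const safariTokens = /\bSafari\/\d/.test(ua) && /\bVersion\/\d/.test(ua);
  return ios && webkit && !safariTokens;
}

// 2. A <script> the page did not ship: inline code appended at runtime, or an
//    external script whose origin is neither the page's nor on an allow-list.
//    `records` has the shape collectPageEvidence() below produces.
function findInjectedScripts(records, pageOrigin, allowedOrigins = []) {
  const allowed = new Set([pageOrigin, ...allowedOrigins]);
  return records.filter((r) => {
    if (!r.addedAfterLoad) return false; // present when we started observing
    if (!r.src) return true;             // inline script appended at runtime
    let origin;
    try { origin = new URL(r.src, pageOrigin).origin; } catch { return true; }
    return !allowed.has(origin);
  });
}

// 3. Wrapped natives: injected scripts often replace addEventListener or fetch
//    with a wrapper. A genuine native stringifies to "... [native code] ...".
function detectPatchedNatives(fnSources) {
  return Object.entries(fnSources)
    .filter(([, src]) => !/\[native code\]/.test(src))
    .map(([name]) => name);
}

// Browser-only collector: snapshots the scripts already in the document,
// records every <script> added afterwards, and captures the natives' source
// text. Call it as early as possible; call report() later (e.g. from devtools).
function collectPageEvidence(win) {
  const doc = win.document;
  const records = [...doc.scripts].map((s) => ({ src: s.src || null, addedAfterLoad: false }));
  const observer = new win.MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.tagName === 'SCRIPT') records.push({ src: node.src || null, addedAfterLoad: true });
      }
    }
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  const natives = {
    'EventTarget.prototype.addEventListener': win.EventTarget.prototype.addEventListener.toString(),
    'window.fetch': win.fetch.toString(),
  };
  return {
    report: () => ({
      inAppWebView: isLikelyWKWebView(win.navigator.userAgent),
      injected: findInjectedScripts(records, win.location.origin),
      patched: detectPatchedNatives(natives),
    }),
  };
}

// Constructed sample inputs for a stand-alone run; not captured from any app.
const SAMPLE_UA_WKWEBVIEW =
  'Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148';
const SAMPLE_UA_SAFARI =
  'Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6 Mobile/15E148 Safari/604.1';
const SAMPLE_RECORDS = [
  { src: 'https://shop.example/app.js', addedAfterLoad: false },          // shipped with the page
  { src: 'https://cdn.shop.example/analytics.js', addedAfterLoad: true }, // first-party CDN, added late
  { src: null, addedAfterLoad: true },                                    // inline script appended at runtime
];
const SAMPLE_NATIVES = {
  'EventTarget.prototype.addEventListener': 'function addEventListener() { [native code] }',
  'window.fetch': 'function (input, init) { recordRequest(input); return origFetch(input, init); }',
};

// Under Node there is no DOM, so only the pure checks run on the samples.
if (typeof window === 'undefined') {
  console.log(JSON.stringify({
    wkwebview: isLikelyWKWebView(SAMPLE_UA_WKWEBVIEW),
    injected: findInjectedScripts(SAMPLE_RECORDS, 'https://shop.example'),
    patched: detectPatchedNatives(SAMPLE_NATIVES),
  }, null, 2));
}
```

In a browser, call `collectPageEvidence(window)` from the first script on the page and inspect `report()` once the page has been used for a while. Two caveats: a script injected through WKWebView’s user-script or evaluateJavaScript path never appears as a `<script>` element, so for that path only the user-agent and patched-natives checks apply; and none of these checks can stop the host app from reading the page, since the app controls the web view. They only make the behaviour visible to the site operator.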