What is In-App Browser?
Nowadays, most applications have in-app browsers to maintain user engagement. Retaining users and keeping them inside the app as long as possible is important: it boosts engagement metrics and is convenient for users. With that convenience, however, comes the risk that the feature is misused.
When you open any link in the TikTok iOS app, it is opened inside their in-app browser. While you are interacting with the website, TikTok subscribes to all keyboard inputs (including passwords, credit card information, etc.) and every tap on the screen, such as which buttons and links you click.
Every text input made on external websites presented inside the TikTok app is subscribed to by the TikTok iOS app. This may include passwords, credit card numbers, and other private user information. Although we cannot know how TikTok uses this subscription, from a technical standpoint it is very similar to keylogging third-party websites. The app also listens for touches on every link, button, and image on the visited website.
TikTok acknowledged the existence of the code and stated its views on it as
There are data privacy and integrity issues when you use in-app browsers to visit non-first-party websites, such as the way TikTok shows all external websites inside its app for tracking purposes. The feature itself is not bad, but the implementation is not acceptable.
Researchers also found that Instagram and Meta are doing the same thing as TikTok. Every click on a button, link, picture, or other element on websites presented inside the Instagram app is monitored by the Instagram iOS app. Instagram can only read and watch your online activity when you open a link or ad from within its apps.
Running custom scripts on third-party websites enables them to monitor all user interactions, including every button and link clicked, text selections, screenshots, and any form inputs, including passwords, addresses, and credit card numbers; however, the injected script does not currently do this.
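The passages above describe the problem from the app's side: a script injected into the WebView can observe everything the user types on a third-party site. From the website's side, the practical defense is to notice that the page is being rendered inside a known in-app browser and steer the user toward the system browser before they enter anything sensitive. The following is an added example, not code from the original post or from TikTok or Meta. It assumes the user-agent markers listed in `IN_APP_MARKERS` (commonly observed strings such as `Instagram`, `FBAN`/`FBAV` and `musical_ly`/`BytedanceWebview`); these are heuristics that app vendors can change at any time, and the sample user agents are constructed for the demonstration, not captured from real devices.

```javascript
// Added example (not from the original post): a website-side heuristic that detects
// rendering inside a known in-app browser (WebView) and decides whether to warn the
// user before a sensitive form (login, payment) is used.
//
// Assumption: the user-agent markers below are the ones commonly observed for these
// apps. They are heuristics, not guarantees, and can change between app versions.
const IN_APP_MARKERS = [
  { app: "Instagram", patterns: [/\bInstagram\b/i] },
  { app: "Facebook", patterns: [/\bFBAN\b/, /\bFBAV\b/] },
  { app: "TikTok", patterns: [/musical_ly/i, /BytedanceWebview/i] },
];

// Classify a user-agent string. Returns { inApp, app } where app is the first
// matching entry of IN_APP_MARKERS or null when no marker is present.
function detectInAppBrowser(userAgent) {
  if (typeof userAgent !== "string") return { inApp: false, app: null };
  for (const { app, patterns } of IN_APP_MARKERS) {
    if (patterns.some((re) => re.test(userAgent))) {
      return { inApp: true, app };
    }
  }
  return { inApp: false, app: null };
}

// Policy decision for a page: ordinary content inside an in-app browser only gets an
// informational notice; a page with a sensitive form gets a warning plus an
// "open in your device browser" prompt; a normal browser is left alone.
function sensitiveFieldPolicy(userAgent, hasSensitiveForm) {
  const { inApp, app } = detectInAppBrowser(userAgent);
  if (!inApp) return { action: "allow", app: null };
  return { action: hasSensitiveForm ? "warn-and-redirect" : "inform", app };
}

// Constructed sample user agents for the demonstration (not captured from real devices).
const SAMPLE_UAS = {
  safari:
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Mobile/15E148 Safari/604.1",
  instagram:
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Instagram 250.0.0.21.109",
  facebook:
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [FBAN/FBIOS;FBAV/380.0.0.18.102;FBDV/iPhone14,2]",
  tiktok:
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 musical_ly_26.1.0 JsSdk/2.0 NetType/WIFI BytedanceWebview/d8a21c6",
};

// Browser-only part: inside a real page, apply the policy and show the notice.
// Guarded so the same file also loads under Node for the checks below.
if (typeof navigator !== "undefined" && typeof document !== "undefined") {
  const hasPasswordField = !!document.querySelector('input[type="password"]');
  const policy = sensitiveFieldPolicy(navigator.userAgent, hasPasswordField);
  if (policy.action !== "allow") {
    const note = document.createElement("p");
    note.textContent =
      "You are viewing this page inside the " + policy.app +
      " app. For passwords or payment details, open it in your device browser.";
    document.body.prepend(note);
  }
}
```

Serving this from the page itself is only a partial measure: a script injected by the host app runs with the same privileges as the page and could remove the notice, so the detection is best treated as a user-facing nudge and a signal for analytics rather than a hard guarantee.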
How can we be safe?
- Use the Open in Browser feature to visit websites from suspicious or untrusted applications.
- If Open in Browser is not available, copy the URL and paste it into your browser.
- Third, the app should provide a feature for opening links in the device's default browser.
Good read 😱