What is an In-App Browser?
Nowadays most applications include an in-app browser to maintain user engagement. Keeping users inside the app for as long as possible, without letting them drift away, is important to app makers: it boosts engagement metrics and is convenient for users. But with that convenience comes a security concern, because the feature can be misused.
An airline app, for instance, might not be able to offer native seat selection for all of its aircraft. It might instead decide to reuse its existing web interface. If the app could not inject cookies or JavaScript instructions into its mobile webview, the user would have to log out of the app and log in to the web portal in order to choose a seat.
Felix Krause, a privacy researcher, revealed that the popular TikTok app performs JavaScript injection, the practice of adding extra code (or malicious code) to a webpage before it is displayed to the user. Such code can be written to steal keystrokes, personal sensitive data, or payment information. Felix stated: “When you open any link on the TikTok iOS app, it’s opened inside their in-app browser. While you are interacting with the website, TikTok subscribes to all keyboard inputs (including passwords, credit card information, etc.) and every tap on the screen, like which buttons and links you click.”

Every text input made on external websites presented inside the TikTok app is subscribed to by the TikTok iOS app. This may include passwords, credit card numbers, and other private user information. Although we cannot know how TikTok uses this subscription, from a technological standpoint it is very similar to keylogging on third-party websites. The app also listens for taps on every link, button, and image on the visited website.
TikTok acknowledged the existence of the code and stated its position: “Like other platforms, we use an in-app browser to provide an optimal user experience, but the JavaScript code in question is used only for debugging, troubleshooting and performance monitoring of that experience - like checking how quickly a page loads or whether it crashes.”
There are data privacy and integrity issues when in-app browsers are used to visit non-first-party websites, such as the way TikTok shows all external websites inside its own app for tracking purposes. The feature itself is not bad, but this implementation is not acceptable.
Researchers also found that Instagram and Meta are doing the same as TikTok. Every click on a button, link, picture, or other element on third-party websites presented inside the Instagram app is monitored by the Instagram iOS app. Instagram can only read and watch your online activity when you open a link or ad from within its apps.
The Instagram app injects its JavaScript code into every website shown, including when clicking on ads.
Running custom scripts on third-party websites enables the app to monitor all user interactions: every button and link clicked, text selections, screenshots, and any form input, including passwords, addresses, and credit card numbers. The injected script, however, does not currently do this.
There is no confirmation that the feature is being misused; what is described here is what the feature makes possible. The researcher also mentioned a website that lists the JavaScript commands executed by the iOS app rendering the page.
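As an added example, not code from the original post nor from Felix Krause's tooling, here is a check a website operator can add to their own page scripts: it wraps addEventListener on a target such as document or window and records every later registration for keyboard, input or touch events, which is exactly what a host app's injected code needs in order to observe typing and taps. The function and constant names are assumed, and the stand-alone run uses a constructed EventTarget in place of a real document.

```javascript
// Event types an injected script must subscribe to in order to observe typing
// and taps on a page (the categories the report above describes).
const WATCHED_EVENTS = new Set([
  'keydown', 'keyup', 'keypress', 'input', 'beforeinput',
  'touchstart', 'touchend', 'pointerdown', 'mousedown', 'click'
]);

// Wrap target.addEventListener so every later registration for a watched event
// type is recorded. Returns an audit object holding the recorded entries.
// Caveat: listeners registered BEFORE this wrapper is installed (for example by
// code a host app injects at document start) are invisible to page scripts, so
// the check only catches registrations that happen afterwards.
function installInputListenerAudit(target, label) {
  const original = target.addEventListener;
  const audit = { label, entries: [] };
  target.addEventListener = function (type, listener, options) {
    if (WATCHED_EVENTS.has(type)) {
      // The stack trace is the only hint about who registered the listener;
      // frames from URLs the page does not control point at injected code.
      audit.entries.push({ type, source: new Error().stack || 'unknown' });
    }
    return original.call(this, type, listener, options);
  };
  return audit;
}

// Summarise an audit: which watched event types were subscribed to, how often.
// A page that registers no global keyboard listeners itself but sees 'keydown'
// or 'input' here has evidence that something else is listening.
function summariseAudit(audit) {
  const counts = {};
  for (const e of audit.entries) counts[e.type] = (counts[e.type] || 0) + 1;
  return { label: audit.label, total: audit.entries.length, counts };
}

// Stand-alone demonstration on a constructed EventTarget (Node 15+ provides it
// globally); in a browser you would audit document and window instead.
function demo() {
  const fakeDocument = new EventTarget();
  const audit = installInputListenerAudit(fakeDocument, 'document');
  // Constructed registrations standing in for what a monitoring script would
  // add after the wrapper is in place; the third is not a watched type.
  fakeDocument.addEventListener('keydown', () => {});
  fakeDocument.addEventListener('touchstart', () => {}, { passive: true });
  fakeDocument.addEventListener('DOMContentLoaded', () => {});
  return summariseAudit(audit);
}

console.log(JSON.stringify(demo()));
```

In a real page the wrapper must be the first script to run, and each flagged entry's stack trace should be checked for frames that did not come from the site's own bundles.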
How can we be safe?
- Use the Open in Browser feature to visit websites from applications you suspect or do not trust.
- If Open in Browser is not available, copy the URL and paste it into your browser.
- Third, the app itself should provide the option of opening links in the device's default browser.