by Jason Snell

Developer and privacy researcher Felix Krause has dropped a couple of bombshells recently regarding apps that use their own built-in browsers:

Last week I published a report on the risks of mobile apps using in-app browsers. Some apps, like Instagram and Facebook, inject JavaScript code into third party websites that cause potential security and privacy risks to the user. After reading through the replies and DMs, I saw a common question across the community: “How can I verify what apps do in their webviews?” Introducing InAppBrowser.com, a simple tool to list the JavaScript commands executed by the iOS app rendering the page.

Krause’s tool lets anyone investigate what might be leaking through in-app browsers. Apps that use Apple’s SafariViewController are all pretty safe, but apps like TikTok, Instagram, Facebook Messenger, and Facebook are using their own in-app browsers that modify pages with JavaScript.

TikTok, in particular, is monitoring all keyboard inputs and taps. “From a technical perspective, this is the equivalent of installing a keylogger on third party websites,” Krause writes.
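To make the idea of listing what an in-app browser does to a page concrete, here is an added example (not code from InAppBrowser.com or from Krause's report) of a page-side audit that records event-listener registrations and flags the keyboard and tap events mentioned above. The names `auditListeners`, `INPUT_EVENTS` and `demo` are hypothetical, and a plain `EventTarget` is a constructed stand-in for `document` so that the sketch runs outside a browser.

```javascript
// Event types that expose what a user types or taps.
const INPUT_EVENTS = new Set([
  "keydown", "keyup", "keypress", "input", "click", "touchstart", "touchend",
]);

// Wrap target.addEventListener so every later registration is recorded,
// then passed through unchanged so the page keeps working.
function auditListeners(target, label) {
  const records = [];
  const original = target.addEventListener;
  target.addEventListener = function (type, listener, options) {
    records.push({
      target: label,
      type,
      inputRelated: INPUT_EVENTS.has(type),
      // Truncated listener source helps attribute the registration.
      source: typeof listener === "function"
        ? String(listener).slice(0, 80)
        : "[object listener]",
    });
    return original.call(this, type, listener, options);
  };
  return {
    records,
    inputListeners: () => records.filter((r) => r.inputRelated),
    restore: () => { target.addEventListener = original; },
  };
}

// Constructed scenario: three registrations standing in for script
// that a host app injected after the page loaded.
function demo() {
  const doc = new EventTarget(); // stand-in for `document`
  const audit = auditListeners(doc, "document");
  let fired = 0;
  doc.addEventListener("keypress", function onKey() { fired += 1; });
  doc.addEventListener("click", function onTap() {});
  doc.addEventListener("scroll", function onScroll() {});
  doc.dispatchEvent(new Event("keypress")); // listeners still run
  audit.restore();
  doc.addEventListener("keydown", () => {}); // not recorded after restore
  return { audit, fired };
}

console.log(demo().audit.inputListeners());
```

An audit like this sees only registrations made in the page's own JavaScript context after the wrapper is installed, so an empty result does not prove that nothing is listening.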

