Stop Facebook and Instagram from spying on you

If you use social networks like Facebook and Instagram on your phone and have opened a link from them, you will have noticed that it does not open in your usual browser, but in one built into the app itself.

These custom browsers inject JavaScript code into every site you visit through them, so Meta can track what you do and where you browse, and in effect obtain more data than you think you are already sharing by using its social networks.

The danger of using the integrated browser

As researcher Felix Krause discovered, in a blog post recounting his findings, “Instagram’s app injects its tracking code into every website it displays, even when ads are clicked, which allows you to monitor all user interactions, such as every button and link clicked, text selections, screenshots, as well as any form input, such as passwords, addresses, and credit card numbers”.

Specifically, he based his research on the iOS versions of Instagram and Facebook. As you may remember, the iOS 14.5 update included the App Tracking Transparency feature, which lets you disable tracking by an application the first time it is opened after installing that version. Meta was not in favor of this feature and put the losses it would cause at around 10,000 million dollars.

Even so, they still appear to be able to do some tracking by using the built-in browser. In the case of Facebook, it’s not necessarily using JavaScript injection to collect sensitive data.

Meta wanted to defend itself and give its version of the purpose of this monitoring in The Guardian: “The code allows us to aggregate user data before using it for advertising or measurement purposes. We do not add any pixels. The code is injected so we can add pixel conversion events. For in-app browser purchases, we seek user consent to save payment information for autofill purposes.”

WhatsApp is spared

According to Krause’s research, WhatsApp doesn’t work in a similar way, so it doesn’t modify third-party websites like Instagram and Facebook do.

Krause suggests that Facebook and Instagram should do the same, or simply open links in a browser such as Safari (the one used in his iOS research) or any other browser: “It is the best for the user and the right thing to do.” Until then, it is better not to open links directly from these social networks; instead, copy the URL and paste it into a separate browser that leaks less private data.

If applications opened the users’ preferred browser, such as Safari or Firefox, there would be no way to perform similar JavaScript injection on any secure site. By contrast, the approach used by the Instagram and Facebook app browsers “works for any website, regardless of whether it’s encrypted or not,” Krause said.
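
From the website's side, the injection described above can be partly observed. The following is an added example, not code from Krause, Meta or this article: it flags a visit that appears to come from one of these in-app browsers and lists script URLs that the site did not include itself. The user-agent markers, domain names and sample values are assumptions constructed for illustration.

```javascript
// Assumed user-agent markers for the two in-app browsers (not from the article).
const IN_APP_MARKERS = [
  { app: "Instagram", pattern: /\bInstagram \d/ },
  { app: "Facebook", pattern: /\bFBAN\/|\bFBAV\/|\bFB_IAB\// },
];

// Returns the app name when the user agent looks like an in-app browser, else null.
function detectInAppBrowser(userAgent) {
  const hit = IN_APP_MARKERS.find((m) => m.pattern.test(userAgent || ""));
  return hit ? hit.app : null;
}

// Returns script URLs whose origin is neither the page's own nor allow-listed.
// Relative URLs resolve against the page; unparsable ones are reported too.
function findUnexpectedScripts(scriptSrcs, pageUrl, allowedOrigins = []) {
  const allowed = new Set([new URL(pageUrl).origin, ...allowedOrigins]);
  return scriptSrcs.filter((src) => {
    try {
      return !allowed.has(new URL(src, pageUrl).origin);
    } catch {
      return true;
    }
  });
}

// Combines both checks. In a real page, scriptSrcs would come from
// [...document.scripts].map((s) => s.src).filter(Boolean).
// An empty result is not proof of absence: a host app can also run
// code that the page's own scripts cannot see.
function auditPage({ userAgent, pageUrl, scriptSrcs, allowedOrigins }) {
  return {
    inAppBrowser: detectInAppBrowser(userAgent),
    unexpectedScripts: findUnexpectedScripts(scriptSrcs, pageUrl, allowedOrigins),
  };
}

// Constructed sample input (not captured traffic).
const SAMPLE = {
  userAgent: "Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) " +
    "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Instagram 200.0.0",
  pageUrl: "https://shop.example/checkout",
  scriptSrcs: ["/static/app.js", "https://cdn.example/lib.js",
    "https://injected.example/tracker.js"],
  allowedOrigins: ["https://cdn.example"],
};

console.log(auditPage(SAMPLE));
```

A site could use the first result to show a notice suggesting the visitor reopen the page in their regular browser, which is the same advice the article gives.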