Facebook and Instagram’s in-app browsers can reportedly track users

In recent months Meta has lamented the fact that changes in privacy policies on iOS have severely dented the company’s ability to sell advertising.

While this is indeed pleasing news for users who may be concerned about big tech firms tracking their online activity, it turns out in-app browsers might circumvent Apple’s good intentions.

This is according to a report from researcher Felix Krause, who highlights his findings regarding in-app browsers on iOS.

“The iOS Instagram and Facebook app render all third party links and ads within their app using a custom in-app browser. This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap,” the researcher alleges.

He goes on to explain that links to external websites are rendered inside the Instagram and Facebook apps, instead of using the built-in Safari browser. This reportedly allows the social media platforms to monitor “everything happening on external websites, without the consent from the user, nor the website provider.”

“The Instagram app injects their JavaScript code into every website shown, including when clicking on ads. Even though pcm.js doesn’t do this, injecting custom scripts into third party websites allows them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers,” his research has uncovered.

According to Meta, this injection of code does not flout Apple’s App Tracking Transparency (ATT), with user preferences seemingly being adhered to.

“The code allows us to aggregate user data before using it for targeted advertising or measurement purposes,” a spokesperson told The Guardian in response to the findings by Krause.

“We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels. For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill,” they added.

While it looks like Meta is indeed working within the restrictions set out by ATT, Krause does note that this system is only employed on Facebook and Instagram, with the other Meta-owned platform WhatsApp not doing so. Why this is the case is unclear, but Krause is of the opinion that the WhatsApp method should apply across the board.

“It’s what’s best for the user, and the right thing to do,” he concluded.

[Image – Photo by dole777 on Unsplash]

