Facebook’s In-app Browser on iOS Tracks ‘Anything You Do on Any Website’


Users of Apple’s Instagram and Facebook iOS apps are being warned that both use an in-app browser that allows parent company Meta to track ‘every single tap’ users make with external websites accessed via the software. Researcher Felix Krause, who outlined how [Meta tracks users in a blog posted Wednesday](<https://krausefx.com/blog/ios-privacy-instagram-and-facebook-can-track-anything-you-do-on-any-website-in-their-in-app-browser>), claims that this type of tracking puts users at “various risks”. He warns both iOS versions of the apps can “track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap” via their in-app browsers. ## **Meta’s Use of a JavaScript Injection ** “The Instagram [and Facebook] app injects their JavaScript code into every website shown, including when clicking on ads. Even though pcm.js doesn’t do this, injecting custom scripts into third party websites allows them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers,” Krause wrote. A PCM.JS code, according to the researcher, is an external JavaScript file injected into websites viewed within the in-app browser. The code is used by both apps and enables both apps to build a communication bridge between in-app website content and the host app. Additional technical information regarding the [PCM.JS can be found here](<https://connect.facebook.net/en_US/pcm.js>). Meta responded to Krause’s research with a statement published by [The Guardian](<https://www.theguardian.com/technology/2022/aug/11/meta-injecting-code-into-websites-visited-by-its-users-to-track-them-research-says>): “We intentionally developed this code to honour people’s [Ask to track] choices on our platforms… The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels.. For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill.” ## **In-App Browsers and Privacy Risks** The use of in-app browsers, whether it be Meta’s or another company’s, presents a host of privacy risks, according to Krause. For starters it could allow a company to collect browser analytics, such as taps, input, scrolling behavior and copy-and-paste data without unambiguous user consent. In-app browsers could also be used as a loophole by a firm to steal user credentials and API keys used in host services or inject ads and referrals links to siphon ad revenue from websites, the researcher noted. While citing these as examples, Krause is not accusing Meta of any of these actions. “As my understanding goes, all of [these privacy concerns] wouldn’t be necessary if Instagram were to open the phone’s default browser, instead of building & using the custom in-app browser,” he wrote. ## **FUD-busting FAQ** While Krause’s research has sparked outrage with privacy activists and he is careful to temper his research with answers to questions raised by his research. * **_Can Instagram/Facebook read everything I do online?_**_ No! Instagram is only able to read and watch your online activities when you open a link or ad from within their apps._ * **_Does Facebook actually steal my passwords, address and credit card numbers?_**_ No! I didn’t prove the exact data Instagram is tracking, but wanted to showcase the kind of data they could get without you knowing. As shown in the past, if it’s possible for a company to get access to data legally and for free, without asking the user for permission, [they will track it](<https://twitter.com/steipete/status/1025024813889478656?lang=en>)._ * **_Is Instagram doing this on purpose?_**_ I can’t say how the decisions were made internally. All I can say is that building your own in-app browser takes a non-trivial time to program and maintain, significantly more than just using the privacy and user-friendly alternative that’s already been built into the iPhone for the past 7 years._ Krause offers advice to privacy-minded users of the apps and suggests that, “whenever you open a link from Instagram (or Facebook or Messenger), make sure to click the dots in the corner to open the page in Safari instead.” Safari, he points out, already [blocks third party cookies by default](<https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/>). The researchers is also careful to point out that he does not have a precise list of data both apps send back to Meta. “I do have proof that the Instagram and Facebook app actively run JavaScript commands to inject an additional JavaScript SDK without the user’s consent, as well as tracking the user’s text selections,” he wrote. ## **Apple’s 11-Word Response** In July, Apple upped its privacy game and announced a feature called [Lockdown Mode](<https://www.apple.com/newsroom/2022/07/apple-expands-commitment-to-protect-users-from-mercenary-spyware/>) that is said offered as “an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware.” The researcher [filed what is called an Open Radar Community Bug Report with Apple](<https://openradar.appspot.com/radar?id=5500665535135744>) last month claiming “iOS Lockdown Mode allows custom in-app webviews, host apps can steal information.” Apple responded within a comment to the report simply stating “Thanks for your report. This isn’t what Lockdown Mode is for.” Meta responded directly to Krause’s report stating the PCM.JS JavaScript is used to “helps aggregate events, i.e. online purchase, before those events are used for targeted advertising and measurement for the Facebook platform.” Meta explained to Krause that it respects Apple’s App Tracking Transparency (ATT) rule, which requires app developers to get permission before tracking. The researcher notes that opting out of Meta’s in-app browser tracking is dependent on a third-party website’s use of what is called a Meta Pixel. A Meta Pixel is a “a snippet of JavaScript code that allows you to track visitor activity on your website,” according to a [Meta developer description](<https://developers.facebook.com/docs/meta-pixel/>). The researcher acknowledges that Meta is following ATT rules. “According to Meta, the script injected (pcm.js) helps Meta respect the user’s ATT opt out choice, which is only relevant if the rendered website has the Meta Pixel installed,” Krause wrote.