Friday, August 12, 2022

Meta Apps Inject Tracking Code

Felix Krause (Hacker News):

Meta injects tracking code into all websites displayed inside their app without the user’s consent, nor the website operator’s permission

This is done by the iOS and Android apps of Instagram, Facebook and FB Messenger

This introduces a range of big security and privacy implications for the end-user, with Instagram being able to steal usernames, passwords and addresses, as well as monitoring screenshots you take, hiding website encryption status from the user and more

[…]

Apple has built “App-Bound Domains”, which could help avoid this kind of platform abuse, however it’s not mandatory yet.

Unfortunately, even the iOS Lockdown Mode doesn’t prevent Instagram fetching user data from third party websites.

Here’s the post.

Kate Cheney:

Once the WKAppBoundDomains key is added to the Info.plist, all WKWebView instances in the application default to a mode where JavaScript injection, custom style sheets, cookie manipulation, and message handler use is denied. To gain back access to these APIs, a WKWebView can set the limitsNavigationsToAppBoundDomains flag in their WKWebView configuration[…]

Previously:

5 Comments RSS · Twitter

I take it Apple could enforce WKAppBoundDomains in a future update, have Facebook insert up to ten of its own domains, and then anything else would no longer be affected?

But also: why not let web site owners do the opposite, where they can opt out of this manipulation?

Does the webviee respect a CSP header ?

I think this might be the poster child for ‘why do we not trust third party browser engines on iOS and iPadOS,’ though laughably Meta managed to do it using Apple’s own. The thought of what else Meta would be doing if they had complete control is pretty terrifying…

I can totally picture an ocean of malicious copycat browsers “Chrōme: Perfect Privacy & Protection” flooding iOS with all sorts of hidden features enabled. If you can’t trust one of the largest and most powerful corporations to do the right thing, who can you trust?

It also illustrates how impossible it is to catch everything, evil people will always be thinking of new ways around the limits and rules.

Yes, this illustrates that Apple can't be trusted to weed out all malicious actions taken by various actors. On android there are a number of privacy focused browsers with inbuilt ad-blockers (Brave, Opera, Tor are three that spring to mind), on iOS it's Apples best effort and that's where it ends.

>On android there are a number of privacy focused browsers with inbuilt ad-blockers (Brave, Opera, Tor are three that spring to mind), on iOS it's Apples best effort and that's where it ends.

I don't follow. Brave exists on iOS. It doesn't use Blink there, but I don't see how that's relevant to privacy.

Leave a Comment