Wednesday, August 24, 2022

See What JavaScript Commands Get Injected Through an In-App Browser

Felix Krause (tweet, Hacker News, MacRumors):

Last week I published a report on the risks of mobile apps using in-app browsers. Some apps, like Instagram and Facebook, inject JavaScript code into third party websites that cause potential security and privacy risks to the user.

[…]

Introducing InAppBrowser.com, a simple tool to list the JavaScript commands executed by the iOS app rendering the page.

[…]

Just because an app injects JavaScript into external websites, doesn’t mean the app is doing anything malicious. There is no way for us to know the full details on what kind of data each in-app browser collects, or how or if the data is being transferred or used.

[…]

While you are interacting with the website, TikTok subscribes to all keyboard inputs (including passwords, credit card information, etc.) and every tap on the screen, like which buttons and links you click.

Ryan Jones:

But they promise they don’t use it. 🤣

Damien Petrilli:

So Apple is now aware that TikTok has a key logger in their app, and they are still in the App Store.

Feeling safe yet?

TikTok shouldn’t be rejected just for registering JavaScript key handlers. The takeaway is that it’s not possible for Apple to reliably detect this sort of nefarious behavior, so they shouldn’t represent that they do or use that as justification for locking into their payments system.

Nick Heer:

Is TikTok a keylogger? Is Instagram monitoring every tap on a loaded webpage? It is impossible to say, but it does not look good that either of these privacy-invasive apps are so reckless with users’ ostensibly external activity.

It reminds me of when iOS 14 revealed a bunch of apps, including TikTok, were automatically reading pasteboard data. It cannot be known for certain what happened to all of the credit card numbers, passwords, phone numbers, and private information collected by these apps.

Felix Krause:

This new [WKContentWorld] system was initially built so that website operators can’t interfere with JavaScript code of browser plugins, and to make fingerprinting more difficult. As a user, you can check the source code of any browser plugin, as you are in control over the browser itself. However with in-app browsers we don’t have a reliable way to verify all the code that is executed.

So when Meta or TikTok want to hide the JavaScript commands they execute on third party websites, all they’d need to do is to update their JavaScript runner[…]
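The only thing a website can observe on its own is what gets registered in its own JavaScript world. As an added example (not code from Krause's post or from InAppBrowser.com), the probe below wraps `document.addEventListener` after the page has loaded and records any keyboard or touch listeners that are attached afterwards, which is the kind of late registration an in-app browser's injected script would produce. The `document` is a constructed stand-in so the snippet runs in Node; in a real page you would pass `window.document`. The caveat from the passage above applies directly: a script injected into a separate WKContentWorld never touches this world's `addEventListener`, so the probe cannot see it.

```javascript
// Event types whose late registration by a host app is privacy-relevant.
const WATCHED = new Set(['keydown', 'keyup', 'keypress', 'input',
                         'touchstart', 'touchend', 'click']);

// Wrap doc.addEventListener so every later registration of a watched event
// type is logged. Only code running in the page's own JS world is visible;
// a WKContentWorld-isolated script bypasses this entirely (assumption: the
// page, not the app, controls this script).
function installListenerProbe(doc) {
  const log = [];
  const original = doc.addEventListener;
  doc.addEventListener = function (type, handler, options) {
    if (WATCHED.has(type)) {
      // Keep a short excerpt of the handler source for the report.
      log.push({ type, handler: String(handler).slice(0, 80), at: Date.now() });
    }
    return original.call(this, type, handler, options); // keep normal behaviour
  };
  return {
    registrations: () => log.slice(),
    hookedTypes: () => [...new Set(log.map(e => e.type))].sort(),
  };
}

// Constructed minimal document stand-in (real pages: window.document).
function makeFakeDocument() {
  const listeners = {};
  return {
    listeners,
    addEventListener(type, handler) {
      listeners[type] = listeners[type] || [];
      listeners[type].push(handler);
    },
  };
}

// Constructed stand-in for what the probe would see: two late listeners on
// sensitive events plus one benign lifecycle listener that is not reported.
function simulateLateRegistrations(doc) {
  doc.addEventListener('keydown', function () {});
  doc.addEventListener('touchstart', function () {});
  doc.addEventListener('DOMContentLoaded', function () {});
}

function runProbeDemo() {
  const doc = makeFakeDocument();
  const probe = installListenerProbe(doc);
  simulateLateRegistrations(doc);
  return probe.hookedTypes(); // ['keydown', 'touchstart']
}
```

In a real page the probe must be installed before any app-injected script runs, and the returned report would be shown or posted back to the site rather than returned from a function.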


Most, if not all third-party apps I use regularly on my phone will open links in in-app-browsers, which is already annoying even without the spying. Apple's apps on the other hand, like notes for example, will open regular http links in Safari instead of in-app.

Are third-party apps not allowed to open links to webpages in Safari?

I don't understand why there isn't a simple systemwide setting for whether or not I'd like to open links in the app.

I don't really see the point of in-app browsers from my perspective as a user. I guess it makes it easier to get back to the app, but if I weigh that against what I lose...

@Dan

It’s possible using public API. This behavior is by the developer’s choice.

@Kristoffer

The problem is the in-app browser was severely downgraded a few years after initial release. Originally, the in-app browser shared cookies with Safari, and was truly a more convenient Safari tab. This is no longer the case, and so the in-app browser is useless. This is for SFSafariViewController. Regarding the custom webview “browser” view controls the likes of TikTok and Instagram have, those are clearly intended to suck any information they can about the user.

@Leo Good to know! Thanks for clearing this up.

I guess I'll have to make some feature requests then. This should be at least configurable in the app settings.

Seems like Google is in a constant struggle removing bad apps in the Android store. I mean Apple probably does a little better but I don’t think they are perfect either. TikTok seems to have a lot of questionable history to it besides its origins in China. I get that we are huge trade partners with China, but ignoring the obvious tends to make me think we are a bit too trusting of anything coming from China.

@Leo Nice to hear that there used to be a good reason for IAB1
