{"id":36761,"date":"2022-08-12T16:39:10","date_gmt":"2022-08-12T20:39:10","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=36761"},"modified":"2022-08-12T16:52:48","modified_gmt":"2022-08-12T20:52:48","slug":"meta-apps-inject-tracking-code","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2022\/08\/12\/meta-apps-inject-tracking-code\/","title":{"rendered":"Meta Apps Inject Tracking Code"},"content":{"rendered":"

Felix Krause<\/a> (Hacker News<\/a>):<\/p>\n

\n

Meta injects tracking code into all websites displayed inside their app without the user’s consent, nor the website operator’s permission<\/p>\n

This is done by the iOS and Android apps of Instagram, Facebook and FB Messenger<\/p>\n

This introduces a range of big security and privacy implications for the end-user, with Instagram being able to steal usernames, passwords and addresses, as well as monitoring screenshots you take, hiding website encryption status from the user and more<\/p>\n

[…]<\/p>\n

Apple has built “App-Bound Domains”, which could help avoid this kind of platform abuse, however it’s not mandatory yet.<\/p>\n

Unfortunately, even the iOS Lockdown Mode doesn’t prevent Instagram fetching user data from third party websites.<\/p>\n<\/blockquote>\n\n

Here’s the post<\/a>.<\/p>\n\n

Kate Cheney<\/a>:<\/p>\n

\n

Once the WKAppBoundDomains<\/code> key is added to the Info.plist, all WKWebView<\/code> instances in the application default to a mode where JavaScript injection, custom style sheets, cookie manipulation, and message handler use is denied. To gain back access to these APIs, a WKWebView<\/code> can set the limitsNavigationsToAppBoundDomains<\/code> flag in their WKWebView configuration[…]<\/p>\n<\/blockquote>\n\n

Previously:<\/p>\n