{"id":36848,"date":"2022-08-24T15:09:35","date_gmt":"2022-08-24T19:09:35","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=36848"},"modified":"2022-08-24T15:09:35","modified_gmt":"2022-08-24T19:09:35","slug":"see-what-javascript-commands-get-injected-through-an-in-app-browser","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2022\/08\/24\/see-what-javascript-commands-get-injected-through-an-in-app-browser\/","title":{"rendered":"See What JavaScript Commands Get Injected Through an In-App Browser"},"content":{"rendered":"

Felix Krause<\/a> (tweet<\/a>, Hacker News<\/a>, MacRumors<\/a>):<\/p>\n

Last week I published a report<\/a> on the risks of mobile apps using in-app browsers. Some apps, like Instagram and Facebook, inject JavaScript code into third party websites that cause potential security and privacy risks to the user.<\/p>

[…]<\/p>

Introducing InAppBrowser.com<\/a>, a simple tool to list the JavaScript commands executed by the iOS app rendering the page.<\/p>

[…]<\/p>

Just because an app injects JavaScript into external websites, doesn’t mean the app is doing anything malicious. There is no way for us to know the full details on what kind of data each in-app browser collects, or how or if the data is being transferred or used.<\/p>

[…]<\/p>

While you are interacting with the website, TikTok subscribes to all keyboard inputs (including passwords, credit card information, etc.) and every tap on the screen, like which buttons and links you click.<\/p><\/blockquote>\n\n

Ryan Jones<\/a>:<\/p>\n

\n

But they promise they don’t use it. 🤣<\/p>\n<\/blockquote>\n\n

Damien Petrilli<\/a>:<\/p>\n

\n

So Apple is now aware that Tiktok has a key logger in their App, and they are still in the App Store.<\/p>\n

Feeling safe yet?<\/p>\n<\/blockquote>\n\n

TikTok shouldn’t be rejected just for registering JavaScript key handlers. The takeaway is that it’s not possible for Apple to reliably detect this sort of nefarious behavior, so they shouldn’t represent that they do or use that as justification for locking into their payments system.<\/p>\n\n

Nick Heer<\/a>:<\/p>\n

\n

Is TikTok a keylogger? Is Instagram monitoring every tap on a loaded webpage? It is impossible to say, but it does not look good that either of these privacy-invasive apps are so reckless with users’ ostensibly external activity.<\/p>\n

It reminds me of when iOS 14 revealed a bunch of apps<\/a>, including TikTok, were automatically reading pasteboard data. It cannot be known for certain what happened to all of the credit card numbers, passwords, phone numbers, and private information collected by these apps.<\/p>\n<\/blockquote>\n\n

Felix Krause<\/a>:<\/p>\n

This new [WKContentWorld] system was initially built so that website operators can’t interfere with JavaScript code of browser plugins, and to make fingerprinting more difficult. As a user, you can check the source code of any browser plugin, as you are in control over the browser itself. However with in-app browsers we don’t have a reliable way to verify all the code that is executed.<\/p>\n

So when Meta or TikTok want to hide the JavaScript commands they execute on third party websites, all they’d need to do is to update their JavaScript runner[…]<\/p><\/blockquote>\n\n

Previously:<\/p>\n