Facebook & Instagram can track users and read along via in-app browser

Meta uses an in-app browser in Instagram and Facebook that lets the company seamlessly track users and read along with what they do.

When you visit websites via Facebook, Messenger or Instagram on an iPhone, a special in-app browser is used instead of the default browser you have selected. As the Vienna-based software developer Felix Krause found, Meta can theoretically track everything you do on these websites, or even read along, and do so seamlessly, as Engadget also reports.

User tracking when accessing the website

For this purpose, JavaScript code intended specifically for user tracking is used once the page has been loaded.

“The Instagram app injects its tracking code into every website viewed, including when ads are clicked, and allows them to monitor all user interactions, such as all buttons and links typed, text selections, screenshots, as well as all form inputs, such as passwords, addresses and credit card numbers,”

Krause wrote in a blog post.

So it’s no wonder that Meta was agitated when Apple introduced a feature that allows app tracking to be activated or deactivated when you open an app for the first time. At the time, Meta spoke of

“Headwinds for our business in 2022 […] in the order of 10 billion dollars”.

Meta downplayed this approach to The Guardian:

“The code allows us to aggregate user data before using it for targeted advertising or measurement purposes,”

a spokesman told The Guardian.

“We don’t add pixels. Code is injected so we can aggregate conversion events from pixels. For purchases made through the in-app browser, we obtain user consent to save payment information for autofill purposes.”

Krause also pointed out that Facebook does not necessarily use the JavaScript injection to collect sensitive data. However, Meta would have no way to do this at all if the app redirected to the user’s preferred browser, such as Safari. The injection works for any website.

Meta itself proves that there is another way: the messenger app WhatsApp does not modify third-party websites, as Krause states. The developer therefore suggests using the same system for Instagram and Facebook, or simply handing the link over to the default browser.
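Because the injection works for any website, a site operator can check which scripts on a loaded page are not its own. The following is an added example, not code from Krause or Meta: it compares a snapshot of a page's script elements with the site's own inventory. The policy, the nonce, the hostnames and the sample snapshot are constructed, and it assumes the injected code shows up as a script element; code that the host app evaluates directly would not appear in such a snapshot.

```javascript
// Added example; every name and sample value below is constructed.
// POLICY is the site's own script inventory (assumed to be kept by the operator).
const POLICY = {
  pageUrl: "https://shop.example/checkout",
  allowedOrigins: ["https://shop.example", "https://cdn.shop.example"],
  nonce: "k3Jq9vZ1", // per-response nonce the server puts on its inline scripts
};

// Classify one script descriptor of the form { src, nonce }.
function classifyScript(script, policy) {
  if (script.src) {
    let origin;
    try {
      // Resolve relative and protocol-relative URLs against the page URL.
      origin = new URL(script.src, policy.pageUrl).origin;
    } catch (err) {
      return "unexpected"; // src that does not parse as a URL
    }
    return policy.allowedOrigins.includes(origin) ? "expected" : "unexpected";
  }
  // Inline script: the site's own ones carry the response nonce.
  return script.nonce === policy.nonce ? "expected" : "unexpected";
}

// Return only the scripts the site did not ship itself.
function auditScripts(scripts, policy) {
  return scripts.filter((s) => classifyScript(s, policy) === "unexpected");
}

// In a browser, build the snapshot from the live DOM (not called here).
function snapshotFromDocument(doc) {
  return Array.from(doc.scripts, (el) => ({
    src: el.getAttribute("src") || "",
    nonce: el.nonce || "",
  }));
}

// Constructed snapshot: three scripts from the site, two added by something else.
const SAMPLE_SNAPSHOT = [
  { src: "/js/app.js", nonce: "" },
  { src: "//cdn.shop.example/lib/checkout.js", nonce: "" },
  { src: "", nonce: "k3Jq9vZ1" },
  { src: "https://tracker.invalid/collect.js", nonce: "" },
  { src: "", nonce: "" },
];

console.log(auditScripts(SAMPLE_SNAPSHOT, POLICY));
```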

Is Android also affected?

The magazine Standard asked Krause whether Meta also uses such methods on Android. The developer replied that his research focused solely on Apple’s iOS, but that Meta uses a similar approach on Android. Specifically, he found comparable behavior in the Instagram app for Google’s operating system, where JavaScript code is also injected into all websites opened with the in-app browser.