The in-app browsers of Facebook and Instagram can be used to track users.

Clicks, screenshots, and password form inputs can all be tracked by tracking code.

You’ve probably noticed that when you open a link from Facebook or Instagram, the site loads in a custom in-app browser rather than in your default web browser. According to researcher Felix Krause, those browsers appear to insert JavaScript code into each website you visit, potentially enabling parent company Meta to monitor you across websites.

In a blog post, Krause explained that the Instagram app “injects their tracking code into every website shown, including when clicking on ads, enabling them [to] monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses, and credit card numbers.”

His investigation concentrated on the Facebook and Instagram apps for iOS. This is significant because, starting with iOS 14.5, Apple introduced App Tracking Transparency (ATT), which lets users choose whether or not to allow an app to track them when they first open it. The feature, according to Meta, “will be a headwind on our business in 2022… in the order of $10 billion.”

According to Meta, the injected tracking code respects users’ ATT choices. A spokeswoman told The Guardian: “The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. No pixels are added by us. Injecting code enables us to gather conversion events from pixels. We ask for the user’s permission before storing payment information for autofill when making purchases through the in-app browser.”

Krause pointed out that Facebook may not actually be using the JavaScript injection to collect private information. But if the apps opened links in the user’s preferred browser, such as Safari or Firefox, the app would have no way to inject JavaScript into a secure site at all. The approach taken by Instagram and Facebook’s in-app browsers, by contrast, “works for any website, regardless of whether it’s encrypted or not,” he said.
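As an added example, not part of the article or of Krause’s research, the following site-side audit flags script elements a page did not ship itself, which is how a site owner could notice code injected by an embedding in-app browser. The allowed origins and nonce value are placeholders; because code injected by the host app runs with the page’s own privileges and could tamper with the check, it is a monitoring aid rather than a guarantee.

```javascript
// Added example, not from the article or Krause's research: audit the <script>
// elements present in a page against what the site itself shipped, so a site
// owner can notice code injected by an embedding in-app browser.
// Allowed origins and the nonce value are placeholders for this example.
const ALLOWED_SCRIPT_ORIGINS = ["https://example.com", "https://cdn.example.com"];
// Pure audit over plain descriptors {src, inline, nonce}, runnable outside a browser:
// external scripts must come from an allowed origin, inline scripts must carry the
// per-response nonce the server emitted; anything else is reported as unexpected.
function auditScripts(scripts, allowedOrigins, expectedNonce) {
  const findings = [];
  for (const s of scripts) {
    if (s.src) {
      let origin = null;
      try { origin = new URL(s.src).origin; } catch (_) { /* malformed or relative src */ }
      if (!origin || !allowedOrigins.includes(origin)) {
        findings.push({ kind: "external", detail: s.src });
      }
    } else if (s.inline && s.inline.trim()) {
      if (!expectedNonce || s.nonce !== expectedNonce) {
        findings.push({ kind: "inline", detail: s.inline.slice(0, 80) });
      }
    }
  }
  return findings;
}
// Browser glue: describe a live <script> element (el.nonce exposes the hidden attribute).
function describeScript(el) {
  return { src: el.src || "", inline: el.src ? "" : el.textContent, nonce: el.nonce || "" };
}
// Audit what is already in the DOM, then watch for <script> nodes added later.
function watchForInjectedScripts(doc, allowedOrigins, expectedNonce, report) {
  report(auditScripts(Array.from(doc.scripts, describeScript), allowedOrigins, expectedNonce));
  const observer = new MutationObserver(records => {
    const added = [];
    for (const r of records) for (const n of r.addedNodes) {
      if (n.nodeName === "SCRIPT") added.push(describeScript(n));
    }
    if (added.length) report(auditScripts(added, allowedOrigins, expectedNonce));
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}
// Only runs when loaded in a page; the pure audit above works anywhere.
if (typeof document !== "undefined") {
  const nonce = document.currentScript ? document.currentScript.nonce : "";
  watchForInjectedScripts(document, ALLOWED_SCRIPT_ORIGINS, nonce, findings => {
    if (findings.length) console.warn("unexpected scripts in page:", findings);
  });
}
```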

Krause’s research indicates that WhatsApp doesn’t alter third-party websites in this way. He therefore advises Meta to do the same for Facebook and Instagram and open URLs in Safari or another browser, which he argues is both the right thing to do and what is best for the user. See the summary of his findings for more information.