When you open links in Instagram, TikTok, and other apps, you put your personal information at risk.
In-app browsers are inferior to full-featured browsing apps, and they also pose a significant privacy and security risk. Many apps use JavaScript injection, which adds extra code to a page as it loads, to sneak data trackers onto websites you visit through their in-app browser. These trackers can collect browsing history, login information, and even keystrokes and text entry.
While not always used for malicious purposes, JavaScript injection is a potential security risk that was previously difficult to detect inside in-app browsers. Fortunately, security researcher Felix Krause’s new tool, InAppBrowser, checks whether an app’s built-in browser uses potentially dangerous JavaScript injections to track your data.
While InAppBrowser only works in apps with a built-in web browser tool, such as TikTok, Instagram, or Messenger, it can also be used on the desktop to detect JavaScript injections from browser extensions.
If you’re suspicious of an app or browser extension, try InAppBrowser to see if it’s up to no good. Here’s how it’s done:
On a mobile device (iOS/Android): Launch the app you want to test and navigate to inappbrowser.com via the app’s built-in web browser. Sending the link to yourself in a message, comment, or post is a simple way to accomplish this. Alternatively, open a website link in the app (any web link will do), then navigate to https://inappbrowser.com.
On desktop: Open your preferred browser and navigate to inappbrowser.com to test websites and browser extensions.
Once the site loads, you’ll see a message detailing any potentially suspicious JavaScript behaviour intercepted by InAppBrowser, as well as explanations of what the code may be used for.
These readouts can assist you in detecting potentially malicious behaviour, but there are a few caveats to be aware of.
Most importantly, InAppBrowser only detects JavaScript injection and cannot determine whether an app or browser extension is malicious. It even detects apps and browser extensions that use JavaScript injection but do not track you. This means that private browsing extensions that block a website’s trackers, apps that collect browsing data for advertising or troubleshooting purposes (such as TikTok), and malicious apps that spy on you will all trigger the same warnings. Even Krause cautions against assuming anything if an app employs JavaScript injection.
Similarly, InAppBrowser cannot warn you about other types of tracking that apps, browsers, and websites may employ. That means an app may pass InAppBrowser’s test but still collect your data through other means, so don’t rely solely on InAppBrowser to test an app’s safety. Still, knowing whether an app uses JavaScript injections maliciously or not is important so you can decide whether the app is worth using.
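For site owners, one page-side way to notice script elements added to a page as it loads, shown as an added example that is not InAppBrowser's code or method. PAGE_NONCE, ALLOWED_ORIGINS and the SAMPLE records are constructed values, and the check assumes the server stamps its own inline scripts with a per-response nonce.

```javascript
// Added example: flag <script> elements a page did not ship itself.
// PAGE_NONCE, ALLOWED_ORIGINS and SAMPLE are constructed for illustration.
const PAGE_NONCE = "r4nd0m-per-response";
const ALLOWED_ORIGINS = ["https://example.com"];

// Classify one script record of the form { src, nonce, text }.
function classifyScript(s, pageUrl) {
  if (s.src) {
    try {
      const origin = new URL(s.src, pageUrl).origin;
      return ALLOWED_ORIGINS.includes(origin) ? "expected" : "unexpected-external";
    } catch {
      return "unexpected-external"; // unparsable URL: treat as not ours
    }
  }
  // Inline scripts rendered by the server carry the per-response nonce.
  return s.nonce === PAGE_NONCE ? "expected" : "unexpected-inline";
}

// Return only the scripts the page cannot account for.
function findUnexpectedScripts(scripts, pageUrl) {
  return scripts
    .map((s) => ({ src: s.src || null, verdict: classifyScript(s, pageUrl),
                   sample: (s.text || "").slice(0, 60) }))
    .filter((r) => r.verdict !== "expected");
}

// Constructed sample: two scripts the page shipped, two it did not.
const SAMPLE = [
  { src: "/static/app.js", nonce: PAGE_NONCE, text: "" },
  { src: null, nonce: PAGE_NONCE, text: "initApp()" },
  { src: "https://tracker.invalid/t.js", nonce: "", text: "" },
  { src: null, nonce: "", text: "/* added by host app */" },
];

if (typeof document !== "undefined") {
  // In a browser: check scripts already present, then watch for new ones.
  const toRecord = (el) => ({ src: el.getAttribute("src"), nonce: el.nonce, text: el.textContent });
  const check = (els) => {
    const hits = findUnexpectedScripts(els.map(toRecord), location.href);
    if (hits.length) console.warn("Scripts not shipped by this page:", hits);
  };
  check([...document.scripts]);
  new MutationObserver((muts) => {
    check(muts.flatMap((m) => [...m.addedNodes]).filter((n) => n.nodeName === "SCRIPT"));
  }).observe(document.documentElement, { childList: true, subtree: true });
} else {
  console.log(findUnexpectedScripts(SAMPLE, "https://example.com/article"));
}
```

This only sees code that arrives as a script element; code the host app runs in the page without adding an element is not visible to it, and a flagged script is not necessarily a tracker.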
If you discover that an app is tracking you and want to stop it, you have a few options. The best option is to uninstall the app. It cannot track you if it is not on your phone.
If you want to keep an app but limit its tracking, go to its settings and see if you can change the default browser to another app, such as Safari, Firefox, or even Chrome. Safari is an excellent choice because recent versions prevent many of the JavaScript behaviours that InAppBrowser warns against.
Disable app tracking in the iOS or Android settings menus as well. This is more effective for iOS users, but it can also interfere with ad tracking on Android. Disable location tracking as well. To be honest, we recommend tinkering with these settings even if every app you use passes the JavaScript inspection test.