Tool reveals peep through in-app browsers
We've known for years that browsers in apps are unsafe. We even wrote an article about it in 2014. Developer Felix Krause brought it to light and has now created a tool that allows you to check the JavaScript commands executed via the in-app browser. In recent days, the danger of in-app browsers has been prominent in the news, because Facebook and Instagram can follow exactly what you do via their own browsers. But TikTok is also guilty of this. They can track all keystrokes and touches on the screen through the in-app browser. TikTok doesn't even allow you to open a link in Safari and forces you to use their insecure in-app browser.
The tool that Felix Krause has now developed is called InAppBrowser and can be installed by anyone. You can check if the web browser in an app is using JavaScript code to track people. In-app browsers can be found in all kinds of apps. If you tap on a link within such an app, you will not be forwarded to Safari, but you will see your own browser. Such browsers are based on Safari's WebKit, but also offer the possibility to use proprietary JavaScript code and developers do so. Especially with companies with a dubious reputation like Meta and TikGok, it happens on a large scale: the developer can monitor every tap on the screen, all keyboard input and other actions. With that data, a better profile can be built of the person. This is often used for commercials.
How InAppBrowser works
Krause's tool cannot recognize all JavaScript commands, but it does give an impression of whether an app is very active in collecting data. Here's how it works:
- Open any app, for example Instagram or TikTok.
- Share the following URL within the app, for example by sending it to a friend in a DM : https://InAppBrowser.com
- Tap the link in the app to open. You will now see the JavaScript commands used.
Krause tested the tool with some popular apps and found that in addition to text entered and screen taps, Instagram can also see if you've selected text on a website. Good to know: JavaScript is not always used for malicious purposes. So read the more extensive story on the Krause website if you want to know more.
By the way, almost all apps offer the option to open a normal app, such as Safari or Chrome. At TikTok it's – as stated before – not possible and thus this app gets the worst rating. Snapchat, on the other hand, does it very nicely.
See also 
You don't expect it: Instagram and Facebook can track all your web activity in their own browser
It's hardly a surprise mention: Instagram and Facebook's in-app browsers appear to be able to track everything you do, even entering text such as a password. This is also the reason that these apps choose their own in-app browser, instead of using the Safari version. It is the umpteenth time that parent company Meta is trying to track users.