Your Facebook app can still follow you, even after you’ve been told not to

  • A security researcher has demonstrated that the Facebook and Instagram apps on iOS insert custom code when opening links in their built-in browsers.
  • The code bypasses Apple’s privacy protections and can also be used to track you on third-party websites.
  • Other security experts suggest avoiding the use of in-app browsers and expect Apple to take steps to reverse this workaround.

boonchai wedmakawand/Getty Images



New research has shown that most apps don’t use the smartphone’s default web browser to open links, potentially bypassing the operating system’s security and privacy features.


Security researcher Felix Krause showed that Meta’s Instagram and Facebook apps on iOS add JavaScript code to third-party websites when you visit them using the app’s custom built-in browser. In-app browsers allow users to visit websites without leaving their apps. The inserted code allows apps to potentially track all of your interactions with external websites, bypassing iOS’s App Tracking Transparency (ATT) feature. Apple added ATT specifically to force app developers to obtain user consent before tracking data generated by third parties.


“The Instagram workaround is not surprising,” Lior Yaari, CEO and co-founder of cybersecurity startup Grip Security, told Lifewire via email. “Apple’s restrictions threaten the core of the company’s business model, so it was a matter of adapting [to] survive.”



Hit where it hurts

Meta has openly admitted that the ATT feature costs it about $10 billion a year in ad revenue.


During his research, Krause found that when an iOS user of the Facebook or Instagram app taps a link within these social networks, the link is opened in the app’s in-app browser rather than in the system browser.


He warned that the custom JavaScript code the in-app browser injects allows both apps to potentially track every interaction with external websites, including anything you type into a text box, such as passwords and addresses.
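The mechanism the article describes, a host app loading a third-party page in its own browser view and adding script to it, is something the website itself can check for from the defender’s side. The following is an added example, not code from the article or from Krause’s research: two page-side checks a site can run before it renders a login or checkout form. The user-agent markers (`FBAN`, `FBAV`, `Instagram`), the allowlisted origins, the nonce value and the sample script records are all assumptions constructed for the example.

```javascript
// Added example (not from the article or from Felix Krause's research):
// page-side checks a website can run to (1) recognise that it is being
// rendered inside a Meta in-app browser and (2) flag <script> elements that
// did not come from the site's own allowlisted origins or carry its nonce.
//
// Assumption (not stated in the article): the Facebook iOS app's user agent
// carries the "FBAN"/"FBAV" tokens and Instagram's carries "Instagram".
const META_UA_MARKERS = ["FBAN", "FBAV", "Instagram"];

// Returns the marker that matched, or null when the UA looks like a normal browser.
function detectMetaInAppBrowser(userAgent) {
  for (const marker of META_UA_MARKERS) {
    if (userAgent.includes(marker)) return marker;
  }
  return null;
}

// scripts: records of the form {src, nonce} describing the <script> elements
// currently on the page. External scripts are checked against the allowlist of
// origins (relative URLs resolve against pageOrigin); inline scripts are
// accepted only if they carry the nonce the site generated for this response.
function findUnexpectedScripts(scripts, allowedOrigins, pageOrigin, pageNonce) {
  const allowed = new Set([pageOrigin, ...allowedOrigins]);
  const unexpected = [];
  for (const s of scripts) {
    if (s.src) {
      let origin;
      try {
        origin = new URL(s.src, pageOrigin).origin;
      } catch (e) {
        unexpected.push({ ...s, reason: "unparseable src" });
        continue;
      }
      if (!allowed.has(origin)) unexpected.push({ ...s, reason: "origin not allowlisted" });
    } else if (s.nonce !== pageNonce) {
      unexpected.push({ ...s, reason: "inline script without page nonce" });
    }
  }
  return unexpected;
}

// Combine both signals into a decision the page can act on, e.g. replace the
// password field with a "open this page in your browser" notice.
function assessPage(userAgent, scripts, allowedOrigins, pageOrigin, pageNonce) {
  const inApp = detectMetaInAppBrowser(userAgent);
  const injected = findUnexpectedScripts(scripts, allowedOrigins, pageOrigin, pageNonce);
  return {
    inAppBrowser: inApp,
    unexpectedScripts: injected,
    // Hide credential forms when either signal fires: the page is inside a
    // host app's browser view, or script it did not ship is present.
    hideCredentialForms: inApp !== null || injected.length > 0,
  };
}

// Browser glue: turn the live document's <script> elements into records.
// Only usable in a page; guarded so the module also loads under Node.
function collectScriptsFromDocument(doc) {
  return Array.from(doc.scripts).map((el) => ({
    src: el.getAttribute("src") || "",
    nonce: el.nonce || el.getAttribute("nonce") || "",
  }));
}

// Constructed sample input (not a captured user agent or real page).
const SAMPLE_UA =
  "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) AppleWebKit/605.1.15 " +
  "(KHTML, like Gecko) Mobile/15E148 Instagram 250.0.0.0 (constructed)";
const SAMPLE_SCRIPTS = [
  { src: "/static/app.js", nonce: "" },                  // the site's own bundle
  { src: "https://cdn.example.com/lib.js", nonce: "" },  // allowlisted CDN
  { src: "https://tracker.invalid/inject.js", nonce: "" }, // not allowlisted
  { src: "", nonce: "n0nce" },                           // inline, carries page nonce
  { src: "", nonce: "" },                                // inline, no nonce
];
const SAMPLE_ALLOWED = ["https://cdn.example.com"];
const SAMPLE_ORIGIN = "https://www.example.com";
const SAMPLE_NONCE = "n0nce";

if (typeof document !== "undefined") {
  // In a real page: use the live user agent and script elements.
  console.log(assessPage(navigator.userAgent, collectScriptsFromDocument(document),
    SAMPLE_ALLOWED, location.origin, SAMPLE_NONCE));
} else {
  console.log(assessPage(SAMPLE_UA, SAMPLE_SCRIPTS, SAMPLE_ALLOWED, SAMPLE_ORIGIN, SAMPLE_NONCE));
}
```

The nonce check mirrors how a Content-Security-Policy `script-src` nonce works: inline script the server did not stamp is treated as foreign. A host app that injects code through its own web view is not bound by the page’s CSP, so this check is a detection aid for the site, not a block; the actionable response is to withhold sensitive forms and ask the user to open the page in a standalone browser.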


“With 1 billion active Instagram users, the amount of data Instagram can collect by injecting the tracking code into every third-party website opened from the Instagram app and Facebook is a staggering amount,” wrote Krause.


The finding comes as no surprise to George Gerchow, chief security officer and senior vice president of IT at Sumo Logic.


Speaking to Lifewire via email, Gerchow said social media networks have some of the most powerful artificial intelligence and machine learning algorithms in the world, which, combined with their relentless efforts to keep people on their platforms, become a real danger.


“I strongly believe that Apple was aware of this but did not want publicity,” Gerchow said, adding, “[Apple’s] Safari isn’t the safest browser either.”


Momo Productions/Getty Images




Let the games begin

Although Krause couldn’t examine the code to determine its true intent, his research demonstrated how apps could circumvent ATT restrictions. Yaari thinks this should prompt Apple to take notice and perhaps implement additional restrictions that limit tracking through in-app browsers.


“This is the beginning of the cat and mouse game that the two companies will play, with major consequences for the industry,” Yaari said.


Tom Garrubba, director of third-party risk management services at Echelon Risk + Cyber, believes that Apple appears to have significantly improved its privacy image, not just in perception but in action through its coding and deployment.


“Maybe it will take a class action lawsuit, bad public relations and/or a hefty privacy breach fine to wake app developers up [to the fact] that they need to embed ‘privacy by design’ into all aspects of code development and service delivery,” Garrubba told Lifewire via email. “I predict big tech’s inaction will lead to pending trial or heavy penalties.”


In the meantime, to protect your privacy, Krause suggests leaving the in-app browser and instead copying the URL and opening it in an external browser.



“At a minimum, people shouldn’t use in-app browsers to enter sensitive or confidential information,” Yaari suggests.


However, our experts recognize that many people are unlikely to actually change their behavior, as it could make the user experience more inconvenient.


“Unfortunately, since 99.9% of humans suffer from the need for ‘instant gratification’, they will skip this step and open it directly in their default browser,” Garrubba said. “This is clearly what big tech wants, and they will most likely get the data they want.”