- A security researcher has demonstrated that the Facebook and Instagram apps on iOS insert custom code when opening links in their built-in browsers.
- The code bypasses Apple’s privacy protections and can also be used to track you on third-party websites.
- Other security experts suggest avoiding the use of in-app browsers and expect Apple to take steps to reverse this workaround.
New research has shown that most apps don’t use the smartphone’s default web browser to open links, potentially bypassing the operating system’s security and privacy features.
“The Instagram workaround is not surprising,” Lior Yaari, CEO and co-founder of cybersecurity startup Grip Security, told Lifewire via email. “Apple’s restrictions threaten the core of the company’s business model, so it was a matter of adapting to survive.”
Hit where it hurts
Meta has openly admitted that Apple’s App Tracking Transparency (ATT) feature costs it about $10 billion a year in ad revenue.
During his research, Krause discovered that when an iOS user of the Facebook and Instagram apps clicks on a link within these social networks, the link is opened in the in-app browser.
“With 1 billion active Instagram users, the amount of data Instagram can collect by injecting the tracking code into every third-party website opened from the Instagram app and Facebook is a staggering amount,” wrote Krause.
The finding comes as no surprise to George Gerchow, chief security officer and senior vice president of IT at Sumo Logic.
Speaking to Lifewire via email, Gerchow said social media networks have some of the most powerful artificial intelligence and machine learning algorithms in the world, which, when combined with their relentless attempts to keep people on their platforms, become a real danger.
“I strongly believe that Apple was aware of this but did not want publicity,” Gerchow said, adding, “[Apple’s] Safari isn’t the safest browser either.”
Let the games begin
Although Krause couldn’t examine the code to determine its true intent, his research demonstrated how apps could circumvent ATT restrictions. Yaari thinks this should prompt Apple to stand up, take notice, and perhaps even implement additional restrictions to limit tracking through in-app browsers.
“This is the beginning of the cat and mouse game that the two companies will play, with major consequences for the industry,” Yaari said.
Tom Garrubba, director of third-party risk management services at Echelon Risk + Cyber, believes that Apple appears to have significantly improved its privacy image, not just in perception but in action through its coding and deployment.
“Maybe it will take a class action lawsuit, bad public relations and/or a hefty privacy breach fine to wake app developers up [to the fact] that they need to embed ‘privacy by design’ into all aspects of code development and service delivery,” Garrubba told Lifewire via email. “I predict big tech’s inaction will lead to pending trial or heavy penalties.”
In the meantime, to protect your privacy, Krause suggests quitting the in-app browser and simply copy-pasting the URL to open it in another external browser.
“At a minimum, people shouldn’t use in-app browsers to enter sensitive or confidential information,” Yaari suggests.
However, our experts recognize that many people are unlikely to actually change their behavior, as it could make the user experience more inconvenient.
“Unfortunately, since 99.9% of humans suffer from the need for ‘instant gratification’, they will skip this step and open it directly in their default browser,” Garrubba said. “This is clearly what big tech wants, and they will most likely get the data they want.”