iOS Instagram and Facebook apps render all third party links

The iOS Instagram and Facebook apps render all third-party links and ads inside the app using a custom in-app browser. This creates various risks for the user, because the host app is able to track every single interaction with external websites, from all form inputs like passwords and addresses to every single tap.

What does Instagram do?

  • Links to external websites are rendered inside the Instagram app, instead of using the built-in Safari.
  • This allows Instagram to monitor everything happening on external websites, without the consent of the user or the website provider.
  • The Instagram app injects its own JavaScript code into every website shown, including sites opened by clicking on ads. Even though the injected script doesn’t currently do this, running custom scripts on third-party websites allows the app to monitor all user interactions: every button and link tapped, text selections, screenshots, and any form inputs such as passwords, addresses and credit card numbers.
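From the website provider's side, the behaviour listed above can be partly observed. The following is an added example, not code from the source article: it classifies a User-Agent string as an Instagram or Facebook in-app browser and lists script sources whose origin the site never approved. The User-Agent markers, function names, sample strings and URLs are assumptions or constructed values.

```javascript
// Added example: site-side checks for pages opened in an in-app browser.
// Assumption: these User-Agent markers are commonly observed tokens, not a
// documented contract; the host app can change or drop them at any time.
const IN_APP_MARKERS = [
  { app: "Instagram", pattern: /\bInstagram \d/ },
  { app: "Facebook", pattern: /\bFBAN\/FBIOS\b|\bFBAV\// },
];

// Returns "Instagram", "Facebook", or null for any other browser.
function detectInAppBrowser(userAgent) {
  const hit = IN_APP_MARKERS.find((m) => m.pattern.test(userAgent || ""));
  return hit ? hit.app : null;
}

// Returns the script sources whose origin is neither the page's own origin
// nor on the site's allowlist. In a real page, scriptSrcs would be built
// from document.scripts. Limitation: code the host app runs without adding
// a <script src> element to the DOM is not visible to this check.
function unexpectedScripts(scriptSrcs, pageUrl, allowedOrigins) {
  const allowed = new Set([new URL(pageUrl).origin, ...allowedOrigins]);
  const flagged = [];
  for (const src of scriptSrcs) {
    let origin;
    try {
      origin = new URL(src, pageUrl).origin; // resolves relative paths
    } catch {
      flagged.push(src); // unparsable source: report it rather than skip it
      continue;
    }
    if (!allowed.has(origin)) flagged.push(src);
  }
  return flagged;
}

// Constructed sample input (not captured from a real device or site).
const SAMPLE_UA =
  "Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) " +
  "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 " +
  "Instagram 243.1.0.14.111 (iPhone13,2; iOS 15_5; en_US)";
const SAMPLE_SCRIPTS = [
  "/static/app.js",
  "https://cdn.shop.example/vendor.js",
  "https://tracker.injected.example/monitor.js",
];

console.log(detectInAppBrowser(SAMPLE_UA));
console.log(unexpectedScripts(SAMPLE_SCRIPTS,
  "https://shop.example/checkout", ["https://cdn.shop.example"]));
```

A site could send the flagged list to its own logging endpoint to see how often pages are opened this way; a Content-Security-Policy `script-src` allowlist is the enforcement counterpart to this observation-only check.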

Why is this a big deal?

Source: https://krausefx.com/blog/ios-privacy-instagram-and-facebook-can-track-anything-you-do-on-any-website-in-their-in-app-browser