![in app browser on the iphone expert sees potential for tracking.jpg](https://voonze.com/wp-content/uploads/2022/08/In-app-browser-on-the-iPhone-Expert-sees-potential-for-tracking.jpg)
The company could read all traffic when users use the built-in browser in Instagram or the Facebook app instead of Safari.
An IT security specialist has drawn attention to a potential risk from so-called in-app browsers on the iPhone. Companies like Facebook parent Meta could use it to track what their users are doing on the web, warns former Google engineer Felix Krause in an analysis published on Wednesday.
Meta controls the browser
In-app browsers are browsers that come bundled with an app. For example, if you click on a link in the official Instagram or Facebook application, it will not open in the iOS standard browser (Safari or another app specified by the user), but in a WebKit derivative that is integrated directly into the app. However, Meta has full control over this – and thus a virtually unlimited tracking potential, according to Krause’s study.
The issue affects not only Meta, but every other app with an integrated browser. However, there are indications from the Facebook mother that tracking is also taking place. The Instagram documentation officially states that every website viewed is given a so-called “meta pixel”. It can potentially be recorded when an ad is clicked, a button or link is pressed, text is selected, screenshots are taken or entries are made – including potentially passwords and credit card information if you enter them.
potential for abuse
However, what exactly Meta stores here is unclear – the function initially only seems to be used to track advertising clicks and campaigns. Krause emphasized that he was not saying that Facebook was stealing passwords, addresses and credit card numbers. He cannot prove what exactly the Instagram app is tracking, but he wants to show the potential for data to become visible without the user’s knowledge. “As shown earlier, if it’s possible for a company to get free access to data without asking the user for permission, they will collect it.”
Even Apple’s in-house tracking protection ATT does not help here, since user tracking does not go beyond the respective app because the browser is part of the application. In view of the lack of precedents, it is not possible to say whether Meta is violating Apple’s requirements. Incidentally, the Facebook group puts a lot of development effort into its browser: it has to be maintained regularly. The group should have its reasons for not simply opening links in Safari.