Saturday, June 10, 2023

Instagram can track anything you do on any website in its in-app browser



Update: A week later, I published a new post investigating other apps, including TikTok, where I also discovered an additional JavaScript event listener in the Instagram app that monitors all taps on third-party websites.

View here

The iOS Instagram and Facebook apps render all third-party links and ads within their app using a custom in-app browser. This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap.

[Screenshot: an iPhone showing a test website that lists the commands executed by the Instagram app in its in-app browser. Detected JavaScript events:]

  1. document.addEventListener('selectionchange', function () { window.webkit.messageHandlers.fb_getSelectionScriptMessageHandler.postMessage(getSelectedText) })
  2. document.getElementById('iab-pcm-sdk')
  3. document.createElement('script')
  4. FakeScriptObj.src = 'https://connect.facebook.net/en_US/pcm.js'
  5. document.getElementsByTagName('script')
  6. TagObjectArr[0]
  7. TagObjectArr[x].parentNode
  8. TagObjectArr[x].parentNode.insertBefore
  9. document.getElementsByTagName('iframe')

Notes:

  • For simplicity, I will use "Instagram" instead of "Meta" or "Facebook".

What does Instagram do?

  • Links to external websites are rendered inside the Instagram app instead of the built-in Safari. This allows Instagram to monitor everything happening on external websites, without the consent of the user or the website provider.
  • The Instagram app injects its JavaScript code into every website shown, including when ads are tapped. Even though the injected script doesn't currently do this, running custom scripts on third-party websites allows them to monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers.

Why is this important?

  • Apple actively works against cross-site tracking:
    • Since iOS 14.5, App Tracking Transparency puts the user in control: an app needs to get the user's permission before it can track their data across apps or websites owned by other companies.
    • Safari blocks third-party cookies by default.
  • Google Chrome is about to phase out third-party cookies.
  • Firefox just announced Total Cookie Protection by default, to prevent any cross-page tracking.
  • Some ISPs used to inject their own tracking/advertising code into every website, but they could only do so for unencrypted pages. With the rise of HTTPS by default, this is no longer an option. The approach used here by the Instagram and Facebook apps works for any website, encrypted or not.

After App Tracking Transparency was introduced, Meta announced:

    "Apple's Simple iPhone Alert Costs Facebook $10 Billion a Year"

    Facebook complains that Apple's App Tracking Transparency benefits companies like Google, because App Tracking Transparency "exempts browsers from Apple's tracking prompt requirement for apps." Websites you visit in iOS don't trigger tracking alerts, because of Safari's built-in anti-tracking features.

    – Daring Fireball and Macworld

    With over 1 billion active Instagram users, the amount of data Instagram can collect by injecting tracking code into every third-party website opened from the Instagram and Facebook apps is staggering.

    As web browsers and iOS put more and more privacy controls into the user's hands, it becomes clear why Instagram is interested in monitoring all web traffic to external websites.

    Facebook bombarded its users with messages asking them to re-enable tracking. It threatened to file an antitrust lawsuit against Apple. It got small businesses to defend user tracking, claiming that it is a form of small business growth when a giant corporation monitors billions of people.

    – EFF – Facebook says Apple is too powerful. They're right.

    2022-08-11 added note: Meta follows the ATT (App Tracking Transparency) rules (added as a note at the bottom of the article). I explained the above to provide some background on why it is important for Meta to get data from third-party websites/apps. This article is about how the iOS Instagram app uses its in-app browser to actively inject and execute JavaScript code on third-party websites. It does not talk about the legal side of things, but about the technical implementation of what is happening, and what is possible on a technical level.

    FAQs for non-technical readers

    Can Instagram/Facebook read everything I do online?

    No! Instagram is only able to read and watch your online activity when you open a link or ad from within the Instagram app.

    Will my password, address and credit card number be stolen?

    No! I don't have the exact data Instagram is tracking, but I wanted to show what type of data they could collect without your knowledge. As has been shown in the past, if a company can legally and freely access data without asking the user for permission, they will track it.

    How can I protect myself?

  • For full details, scroll down to the end of the article. Summary: whenever you open a link from Instagram (or Facebook or Messenger), make sure to tap the dots in the corner to open the page in Safari.

    Did Instagram do this on purpose?

  • I can't say how these decisions were made internally. All I can say is that building your own in-app browser takes a non-trivial amount of time to program and maintain, compared to just using the privacy- and user-friendly alternative that has been built into the iPhone for the past 7 years.

    What gets injected?

  • The external JavaScript file injected by the Instagram app is connect.facebook.net/en_US/pcm.js, which is code to build a bridge to communicate with the host app. Based on the information Meta provided to me in response to this publication, it helps to aggregate events, i.e. online purchases, which are then used for targeted advertising and measurement for the Facebook platform.

    Disclaimer

  • I don't have an exact list of the data Instagram sends back home. I do have proof that the Instagram and Facebook apps actively run JavaScript commands to inject additional JavaScript SDKs without the user's consent, as well as track the user's text selections. If Instagram does this already, they could also inject any other JavaScript code. The Instagram app itself is well protected against man-in-the-middle attacks; its certificate pinning can only be bypassed by modifying the Android binary to remove the pinning and running it in an emulator.

    The overall goal of this project is not to get a list of the data sent back, but to highlight the privacy and security issues caused by the use of in-app browsers, and to prove that apps like Instagram are already exploiting this loophole.

    Summary: risks and downsides of having an in-app browser

  • Privacy & analytics: the host app can track literally everything happening on the website, every tap, input, scrolling behavior, which content gets copied & pasted, and data shown like online purchases; this includes stealing user credentials, physical addresses, API keys, etc.
  • Ads & referrals: the host app can inject ads into the website, replace the ad API key to steal revenue from the website, or replace all URLs to include its own referral code (this has happened in the past).
  • Security: browsers have spent years optimizing the web's security UX, such as showing the HTTPS encryption status, warning users about sketchy or non-encrypted websites, etc.
  • Injecting additional JavaScript code into a third-party website may cause issues and glitches, and can break the website.
  • The user's browser extensions and content blockers are unavailable.
  • Deep linking doesn't work well in most cases.
  • There is often no easy way to share the link via other platforms (e.g. email, AirDrop, etc.).

    Instagram's in-app browser supports auto-filling your address and payment information. However, there is no valid reason for this to exist in the first place, as all of this is already built into the operating system or the web browser itself.

    WhatsApp opens iOS Safari by default, so there is no issue there.

    How does this work?

    As far as I know, there is no good way to monitor all JavaScript commands executed by the host iOS app (I'd love to hear if there is a better method).

    I created a new plain HTML file with some JS code that overrides some of the document methods:

```javascript
// Wrap document.getElementById so every call is logged via the page's own
// appendCommand() helper (which appends the call to the list shown in the
// screenshots), then forward the call to the real implementation.
const originalGetElementById = document.getElementById
document.getElementById = function(a, b) {
  appendCommand('document.getElementById("' + a + '")')
  return originalGetElementById.apply(this, arguments)
}
```

    Opening this HTML file from the iOS Instagram app yields the following result:

    [Screenshot: the list of detected JavaScript events shown at the top of the article]

    Compare this to what happens in a normal browser, or Telegram in this case, which uses the recommended SFSafariViewController:

    [Screenshot: SFSafariViewController rendering the same page; no JavaScript events were tracked, and a green check mark is shown]

    As you can see, a normal browser or SFSafariViewController doesn't run any JS code. SFSafariViewController is a great way for app developers to show third-party web content to users without them leaving the app, while still preserving the user's privacy and comfort.
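    The override above only covers document.getElementById. As an added example (my own code, not the article's test page), the probe below generalizes it to the four DOM entry points the screenshot shows the in-app browser calling, and additionally records assignments to script.src so the URL of an injected script is captured too. In a real page you would run installProbe(document) as the very first script in <head> and read probe.log after the page has loaded. makeStubDocument() is a constructed stand-in for document so the demo runs outside a browser; it is an assumption, not a real DOM.

```javascript
// Added example, not code from the article: wrap the DOM entry points the
// in-app browser was observed calling and log every call with its arguments.

function describeArg(v) {
  if (typeof v === 'function') return 'function:' + v.toString().slice(0, 120);
  if (typeof v === 'string') return JSON.stringify(v);
  return String(v);
}

// Walk the prototype chain for a property descriptor (HTMLScriptElement
// defines `src` as an accessor on its prototype, not on the instance).
function findDescriptor(obj, prop) {
  for (let o = obj; o; o = Object.getPrototypeOf(o)) {
    const d = Object.getOwnPropertyDescriptor(o, prop);
    if (d) return d;
  }
  return null;
}

// Shadow `src` on one element so assignments are logged, then forwarded to
// the inherited setter if there is one, so the element still behaves normally.
function watchSrc(el, log) {
  const inherited = findDescriptor(Object.getPrototypeOf(el), 'src');
  let stored;
  Object.defineProperty(el, 'src', {
    configurable: true,
    get() { return inherited && inherited.get ? inherited.get.call(el) : stored; },
    set(v) {
      log.push('script.src = ' + JSON.stringify(String(v)));
      stored = v;
      if (inherited && inherited.set) inherited.set.call(el, v);
    },
  });
}

function installProbe(doc) {
  const names = ['getElementById', 'createElement', 'getElementsByTagName', 'addEventListener'];
  const log = [];
  const originals = {};
  for (const name of names) {
    const original = doc[name];
    if (typeof original !== 'function') continue;
    originals[name] = original;
    doc[name] = function () {
      log.push('document.' + name + '(' + Array.prototype.map.call(arguments, describeArg).join(', ') + ')');
      const result = original.apply(this, arguments);
      if (name === 'createElement' && result && String(arguments[0]).toLowerCase() === 'script') watchSrc(result, log);
      return result;
    };
  }
  return { log, restore() { for (const n in originals) doc[n] = originals[n]; } };
}

// Flag the three patterns the article describes in the recorded log.
function suspicious(log) {
  const hits = [];
  for (const entry of log) {
    if (/addEventListener\("selectionchange"[\s\S]*messageHandlers/.test(entry)) hits.push('selection-tracking listener');
    if (/getElementById\("iab-pcm-sdk"\)/.test(entry)) hits.push('pcm sdk marker lookup');
    if (/^script\.src = ".*pcm\.js"/.test(entry)) hits.push('pcm.js injection');
  }
  return hits;
}

// Constructed stand-in for `document` (assumption: enough of the DOM API to
// run the demo under node; in a browser pass the real document instead).
function makeStubDocument() {
  return {
    getElementById() { return null; },
    createElement(tag) { return { tagName: String(tag).toUpperCase() }; },
    getElementsByTagName() { return []; },
    addEventListener() {},
  };
}

// Replays, against the stub, the sequence from the screenshot at the top.
function demo() {
  const doc = makeStubDocument();
  const probe = installProbe(doc);
  doc.addEventListener('selectionchange', function () { window.webkit.messageHandlers.fb_getSelectionScriptMessageHandler.postMessage(getSelectedText); });
  if (!doc.getElementById('iab-pcm-sdk')) {
    const s = doc.createElement('script');
    s.src = 'https://connect.facebook.net/en_US/pcm.js';
    doc.getElementsByTagName('script');
  }
  doc.getElementsByTagName('iframe');
  probe.restore();
  return { log: probe.log, hits: suspicious(probe.log) };
}
```

    Because the wrappers forward to the original implementation, the page keeps working while probed; the only behavioural difference is that script.src becomes an own accessor property on elements created after the probe is installed, which is why the setter forwards to the inherited one.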

    Technical details

  • Instagram adds a new event listener to get details about every time the user selects any text on the website. Combined with listening to screenshots, this gives Instagram the full picture of what specific information was selected and shared.
  • The Instagram app checks if there is an element with the ID iab-pcm-sdk. According to this tweet, "iab" may stand for "in-app browser".
  • If no element with the ID iab-pcm-sdk is found, Instagram creates a new script element and sets its source to https://connect.facebook.net/en_US/pcm.js.
  • It then finds the first script element on your website and inserts the pcm JavaScript file before it.
  • Instagram also queries the iframes on your website, but I couldn't find any indication of what they do with them.

    [Flowchart: starting with the use of the Instagram iOS app. For 3 paths (user taps a link in DMs, user taps a link in bio, user taps a link on an ad), the flow continues to "Instagram renders external page inside app". It then subscribes to text selections, and checks if an SDK named "iab-pcm-sdk" is installed. If not, the Meta tracking pixel is installed. In all cases, the Instagram app queries for a list of iframes.]

    How can I protect myself as a user?

    Escape the in-app webview

    Most in-app browsers have a way to open the currently rendered website in Safari. As soon as you land on that screen, use that option to escape. If this button isn't available, you have to copy & paste the URL to open the link in the browser of your choice.

    [Screenshot: the Instagram iOS app after tapping the three dots at the top right while viewing an external website, offering to open the page in the default browser]

    Use the web version

    Most social networks, including Instagram and Facebook, offer decent mobile web versions with similar feature sets. You can use https://instagram.com in iOS Safari without any problems.

    How can I protect myself as a website provider?

  • Until Instagram fixes this (if ever), you can easily trick the Instagram and Facebook apps into believing the tracking code is already installed: just add an empty element with the ID iab-pcm-sdk (for example an empty span with id="iab-pcm-sdk") to your HTML code.

    Also, to prevent Instagram from tracking the user's text selections on your website:

```javascript
// Wrap document.addEventListener: any listener whose source references the
// fb_getSelection message-handler bridge is silently dropped, everything
// else is forwarded to the real implementation.
const originalEventListener = document.addEventListener
document.addEventListener = function(a, b) {
  if (typeof b === "function" && b.toString().indexOf("messageHandlers.fb_getSelection") > -1) {
    return null;
  }
  return originalEventListener.apply(this, arguments);
}
```

    This doesn't solve the actual problem of Instagram running JavaScript code against your website, but at least no additional JS scripts are injected, and less data is tracked.

    It's also easy for a website to detect whether the current browser is the Instagram/Facebook app by checking the user agent; however, I couldn't find a good way to automatically break out of the in-app browser into Safari. If you know a solution, I'd love to know.
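    The mitigations in this section, rolled into one install function as an added example (my own code, not the article's): ensurePcmMarker() adds the iab-pcm-sdk element programmatically, installSelectionGuard() is the addEventListener wrapper from above with the blocked registrations kept for inspection, and isMetaInAppBrowser() does the user-agent check the text mentions so the page can at least show an "open in Safari" hint. The "Instagram", "FBAN" and "FBAV" user-agent tokens are an assumption about what the Instagram and Facebook iOS apps send and may change; makeStubDocument() is a constructed stand-in for document so the demo runs outside a browser.

```javascript
// Added example, not code from the article: website-side hardening against
// the in-app browser's injected script, to be run as the first script in <head>.

// Assumption: the Instagram app identifies itself with "Instagram" in the
// user agent, the Facebook app with "FBAN"/"FBAV" tokens.
function isMetaInAppBrowser(userAgent) {
  return /\bInstagram\b|\bFBAN\b|\bFBAV\b/.test(userAgent || '');
}

// Instagram only injects pcm.js when no element with this id exists, so an
// empty marker element is enough to skip the injection. Returns true if
// the marker had to be added.
function ensurePcmMarker(doc) {
  if (doc.getElementById('iab-pcm-sdk')) return false;
  const marker = doc.createElement('span');
  marker.id = 'iab-pcm-sdk';
  (doc.head || doc.body).appendChild(marker);
  return true;
}

// Drop any listener whose source posts to the fb_getSelection bridge and pass
// everything else to the real addEventListener. Returns the list of blocked
// registrations so the page can see what was attempted.
function installSelectionGuard(doc) {
  const original = doc.addEventListener;
  const blocked = [];
  doc.addEventListener = function (type, listener) {
    const source = typeof listener === 'function' ? listener.toString() : '';
    if (source.indexOf('messageHandlers.fb_getSelection') > -1) {
      blocked.push({ type, source: source.slice(0, 80) });
      return undefined;
    }
    return original.apply(this, arguments);
  };
  return blocked;
}

// Marker and guard are installed unconditionally (a user agent can be
// spoofed); the user-agent result only decides whether to show a hint.
function hardenPage(doc, userAgent) {
  return {
    inApp: isMetaInAppBrowser(userAgent),
    markerAdded: ensurePcmMarker(doc),
    blocked: installSelectionGuard(doc),
  };
}

// Constructed stand-in for `document` (assumption: enough of the DOM API to
// run the demo under node; in a browser pass the real document instead).
function makeStubDocument() {
  const nodes = [];
  return {
    registered: [],
    head: { appendChild(el) { nodes.push(el); } },
    getElementById(id) { return nodes.find(el => el.id === id) || null; },
    createElement(tag) { return { tagName: String(tag).toUpperCase(), id: '' }; },
    addEventListener(type) { this.registered.push(type); },
  };
}

function demo() {
  const doc = makeStubDocument();
  // Constructed user agent in the shape the Instagram iOS app sends (assumption).
  const ua = 'Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Instagram 245.0.0.18.108';
  const state = hardenPage(doc, ua);
  // Replay what the in-app browser does once the page's own code has run:
  doc.addEventListener('selectionchange', function () { window.webkit.messageHandlers.fb_getSelectionScriptMessageHandler.postMessage(getSelectedText); });
  doc.addEventListener('click', function () { /* the site's own handler */ });
  return {
    inApp: state.inApp,
    markerAdded: state.markerAdded,
    markerPresent: !!doc.getElementById('iab-pcm-sdk'),
    secondMarker: ensurePcmMarker(doc),
    registered: doc.registered,
    blocked: state.blocked.map(b => b.type),
  };
}
```

    The guard only filters listeners registered through document.addEventListener; a host app that registers them on window or via a different bridge would need the same wrapper there, and, as the article notes, nothing here prevents the app from running other JavaScript against the page.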

    2022-08-11 update: In response to this post, A Derian made a post on this exact topic.

    Proposal for Apple

    Apple has done a fantastic job building the platform with the user's privacy in mind. One of the four Privacy Principles:

      User transparency and control: ensuring that users know what data is shared and how it is used, and that they can exercise control over it.

      – Apple Privacy PDF (April 2021)

      At the time of writing, there are no App Store Review rules that prohibit companies from building their own in-app browsers to track users, read their inputs, and inject additional ads into third-party websites. However, Apple explicitly recommends using SFSafariViewController:

      Avoid using a web view to build a web browser. Using a web view to let people briefly access a website without leaving the context of your app is fine, but Safari is the primary way people browse the web. Attempting to replicate the functionality of Safari in your app is unnecessary and discouraged.

      – Apple Human Interface Guidelines (June 2022)

      If your app lets users view websites from anywhere on the Internet, use the SFSafariViewController class. If your app customizes, interacts with, or controls the display of web content, use the WKWebView class.

      – Apple SFSafariViewController documentation (June 2022)

      Introducing App-Bound Domains

      App-Bound Domains is a great new WebKit feature that makes it possible for developers to offer a safer in-app browsing experience when using WKWebView. As an app developer, you can define which domains your app can access (declared via the WKAppBoundDomains key in the app's Info.plist), and all web requests are then restricted to those domains. To disable the protection, the user must explicitly turn it off in the iOS Settings app.

    App-Bound Domains went live with iOS 14 (about 1.5 years ago), but it is opt-in for developers, meaning the vast majority of iOS apps don't use this feature.

    If the developers of SocialApp want a better user privacy experience, they have two paths forward:

  • Use SafariViewController instead of WKWebView for in-app browsing. SafariViewController protects user data from SocialApp by loading pages outside of SocialApp's process space. SocialApp can guarantee the best user privacy experience for its users when using SafariViewController.
  • Opt in to App-Bound Domains. The additional WKWebView restrictions from App-Bound Domains ensure that SocialApp cannot use the above APIs to track users.

    I highlighted the "want a better user privacy experience" part, because this is the missing piece: App-Bound Domains should be a requirement for all iOS apps, since social media apps are exactly the apps that inject tracking code.

    In July 2022, Apple introduced Lockdown Mode to better protect at-risk people. Unfortunately, iOS Lockdown Mode doesn't change the way in-app webviews work. I submitted a radar to Apple: rdar://10735684, to which Apple responded "This is not what Lockdown Mode is for".


    Steps Apple should take:

  • Update the App Review rules to require the use of SFSafariViewController or App-Bound Domains when displaying any third-party website.
  • There should only be a few exceptions (e.g. browser apps), which require two additional steps:
    • Requesting an additional entitlement, to ensure it is a valid use case
    • An additional permission prompt for the user to confirm
  • First-party websites/content can still use the WKWebView class, as it is commonly used for UI elements, or for apps that actually modify their own first-party content (e.g. automatically dismissing their own cookie banner).
  • I also submitted a radar to Apple (rdar://38109139) as part of my previous blog post.

    For Meta

  • Do what Meta already does with WhatsApp: stop modifying third-party websites, and use Safari or SFSafariViewController for all third-party websites. This is what's best for the user, and the right thing to do.

    I disclosed this issue to Meta through their bug bounty program, and within a few hours they confirmed that they were able to reproduce the "problem", but I haven't heard anything else in the past 9 weeks, other than them asking me to wait longer until they finish their investigation. Since there was no response to my follow-up questions and they didn't stop injecting tracking code into external websites, I decided to make this information public (after giving them another 2 weeks' notice).

    2022-08-11 update (information provided by Meta)

  • After publishing, Meta sent two emails explaining what is happening on their side. I processed their comments and changed the following: the injected script is not the Meta Pixel, but the pcm.js script, which according to Meta helps to aggregate events, i.e. online purchases, which are then used for targeted advertising and measurement for the Facebook platform.
  • According to Meta, the injected script (pcm.js) helps Meta respect the user's ATT opt-out choice, which is only relevant if the rendered website has the Meta Pixel installed. But from what I understand, none of this would be necessary if Instagram opened the phone's default browser instead of building and using a custom in-app browser.
  • I sent some follow-up questions to Meta; when I get a response, I'll update the post accordingly and announce the change on Twitter.

    In the meantime, everything posted in this article remains correct: the Instagram app is injecting and executing JavaScript code on third-party websites rendered in its in-app browser, which creates a lot of risk for users. Also, there is no way for the user to opt out of the custom in-app browser.

    As Meta gave me more background and details, I updated the post to reflect this. You can find the full history of the post here, including which parts have been edited.

    2022-08-14 update (information provided by Meta)

  • The main question I asked: if Meta built a complete system to inject JavaScript code (pcm.js) into third-party websites in order to respect people's App Tracking Transparency (ATT) choice, why doesn't Instagram just open all external links in the user's default browser? This would give users full control over their privacy settings, and wouldn't require any engineering work on Meta's side.

    To this, the answer was:

    As mentioned, pcm.js is required to respect the user's ATT decision. The script needs to be injected to verify the origin and integrity of received data (i.e. that pixel traffic is valid). Verification includes checking that, when data is received from the in-app browser via the WebView-to-iOS native bridge, it contains a valid nonce from the injected script. SFSafariViewController doesn't support this. Other components in the in-app browser provide security and user functionality that SFSafariViewController also does not support.

    While this answer provides some context, I don't think it answers my question. Other apps, including Meta's own WhatsApp, work flawlessly without using a custom in-app browser.

    My Meta ticket was marked as resolved, "given that your submission describes intentional behaviour, and not a privacy issue".

    My second question was about the tracking of the user's text selection. According to Meta, this is some old code that is no longer used:

    In older versions of iOS, this code was required to allow the user to share selected text to their news feed. Since newer versions of iOS have built-in functionality for text selection, this functionality has been deprecated for some time and has been slated for removal as part of our standard code maintenance. There is no code in our in-app browser that shares text selection information from a website without the user taking action to share it themselves through features such as quote sharing.

    Check out my other privacy and security related publications.
