Facebook on iOS is Even More Intrusive than Usual

Jamie Kavanagh
September 2nd, 2022

If you’re on an iDevice and are using Facebook’s in-app browser, you’re going to want to read this. Apparently, the in-app browser provided by Facebook and Instagram tracks everything you do, on any website. That means Meta can track where you go, what you do while you’re there and every tap you make on your phone while you’re doing it.

Researcher Felix Krause highlighted the risk of using the in-app browser. He said:

“Links to external websites are rendered inside the Instagram app, instead of using the built-in Safari.

“This allows Instagram to monitor everything happening on external websites, without the consent from the user, nor the website provider.

“The Instagram app injects their JavaScript code into every website shown, including when clicking on ads. Even though the injected script doesn’t currently do this, running custom scripts on third party websites allows them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers.”

This goes against everything Apple is trying to do with tracking. App Tracking Transparency (ATT) instructs all apps to seek user permission before tracking data across other apps.

But Facebook is doing it anyway.

Invasion of privacy with risk

Not only is this an invasion of privacy, it’s also a security risk.

Krause went on to say:

“The Instagram [and Facebook] app injects their JavaScript code into every website shown, including when clicking on ads. Even though pcm.js doesn’t do this, injecting custom scripts into third party websites allows them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers.”

While Meta/Facebook/Instagram may never see or use your passwords or credit card data, the fact that it’s tracked and stored means that it can be stolen.
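
For site owners, here is one way to tell whether a page is being shown inside one of these in-app browsers and whether script elements have appeared that the site did not ship. This is an added example, not code from the original article or from Krause's research. The function names, hostnames and nonce are hypothetical, and it assumes the site puts a per-page nonce on its own script tags.

```javascript
// Added example, not from the article. Hostnames and the nonce are constructed.
const IN_APP_MARKERS = [
  { app: "Instagram", pattern: /\bInstagram\b/ },
  { app: "Facebook", pattern: /\bFBAN\/FBIOS\b/ },
];

// Returns the embedding app's name, or null for a regular browser.
function detectInAppBrowser(userAgent) {
  const hit = IN_APP_MARKERS.find((m) => m.pattern.test(userAgent));
  return hit ? hit.app : null;
}

// Flags external scripts from origins the site does not use, and inline
// scripts that lack the nonce the server put on its own script tags.
function findUnexpectedScripts(scripts, pageUrl, allowedOrigins, pageNonce) {
  const allowed = new Set([new URL(pageUrl).origin, ...allowedOrigins]);
  const findings = [];
  for (const s of scripts) {
    if (s.src) {
      const origin = new URL(s.src, pageUrl).origin;
      if (!allowed.has(origin)) findings.push({ kind: "external", origin });
    } else if (!pageNonce || s.nonce !== pageNonce) {
      findings.push({ kind: "inline", length: (s.text || "").length });
    }
  }
  return findings;
}

// Constructed sample of what document.scripts could contain on a checkout page.
const SAMPLE_SCRIPTS = [
  { src: "/static/app.js" },
  { src: "https://cdn.shop.example/lib.js" },
  { src: "https://injected.example/script.js" },
  { src: null, nonce: "abc123", text: "init()" },
  { src: null, nonce: "", text: "spy()" },
];

// Browser wiring: re-check whenever the DOM changes and pass results to report().
function watchScripts(report, allowedOrigins, pageNonce) {
  const check = () => {
    const scripts = [...document.scripts].map((s) => ({
      src: s.getAttribute("src"), nonce: s.nonce, text: s.textContent,
    }));
    const findings = findUnexpectedScripts(scripts, location.href, allowedOrigins, pageNonce);
    if (findings.length) report({ app: detectInAppBrowser(navigator.userAgent), findings });
  };
  check();
  new MutationObserver(check).observe(document.documentElement, { childList: true, subtree: true });
}
```

A web view can also run code without creating a script element, and this check cannot see that, so an empty result is not proof that nothing was injected.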

While there are lots of technicalities as to why this ‘feature’ within the Facebook and Instagram apps doesn't compromise Apple’s ATT or privacy laws, it’s a nefarious way to act. People need to know what social networks are doing and just how much data is being surrendered when they use them.

We’re happy to play even a small part in that.
