In-App Browsers

InAppBrowser: Shedding Light on In-App Browser Privacy and Security Risks

In the world of mobile applications, in-app browsers are often considered a convenient yet inferior alternative to full-featured web browsers. While they offer a seamless way to access external links within apps, they also pose a significant privacy and security risk. This risk comes in the form of data trackers that some apps employ within their in-app browsers using a technique known as JavaScript injection. This insidious method involves adding extra code to a webpage as it loads, enabling these trackers to gather sensitive information, including browsing history, login credentials, and even keystrokes.

While not all instances of JavaScript injection are malicious, the potential security threat they pose has long been challenging to detect within in-app browsers. Thankfully, a new tool named InAppBrowser, developed by security researcher Felix Krause, has emerged to help users identify apps’ built-in browsers that may use JavaScript injections to track their data.

InAppBrowser: Shedding Light on Potential Privacy Risks

InAppBrowser is a web-based tool designed to inspect in-app browsers for potential security concerns related to JavaScript injections. It works specifically within apps that incorporate a built-in web browser, such as popular platforms like TikTok, Instagram, or Messenger. Additionally, it can be used in desktop browsers to assess websites and browser extensions for JavaScript injection issues.

How to Use InAppBrowser

If you have suspicions about a particular app or browser extension, you can put InAppBrowser to the test. Here’s how to use it:

On Mobile [iOS/Android]:

  1. Open the app you want to test and load “inappbrowser.com” within the app’s built-in web browser. You can achieve this by sending the link to yourself via message, comment, or post. Alternatively, open any web link within the app, and then visit “https://inappbrowser.com.”

On Desktop:

  1. To test websites and browser extensions on your desktop, open your preferred web browser and navigate to “inappbrowser.com.”

Once the website loads, InAppBrowser will analyze the in-app browser for potentially suspicious JavaScript behaviors and provide detailed explanations of the intercepted code’s potential uses.
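One way a page can notice code it did not ship, shown as an added example (not InAppBrowser's own code): wrap a few DOM methods before anything else runs, then report which calls arrive. The function names, the fake `document` object, and the sample injected snippet are all constructed for illustration.

```javascript
// Wrap selected methods so every call is recorded, then forwarded unchanged.
function instrument(target, methodNames, log) {
  for (const name of methodNames) {
    const original = target[name];
    if (typeof original !== "function") continue;
    target[name] = function (...args) {
      log.push({ method: name, arg: String(args[0]) });
      return original.apply(this, args);
    };
  }
  return log;
}

// Plain-language notes for known calls. An alert is a lead, not a verdict.
const EXPLANATIONS = {
  "addEventListener:keydown": "listens for key presses (could capture typed text)",
  "getElementsByTagName:input": "enumerates input fields",
  "createElement:script": "adds another script to the page",
};
// Deduplicate the raw log into one alert per distinct call.
function summarize(log) {
  const alerts = new Map();
  for (const { method, arg } of log) {
    const call = `${method}:${arg}`;
    if (!alerts.has(call)) alerts.set(call, { call, note: EXPLANATIONS[call] || "unclassified DOM access" });
  }
  return [...alerts.values()];
}

// Constructed stand-in for `document`, so the example runs outside a browser.
function makeFakeDocument() {
  return {
    addEventListener() {},
    getElementsByTagName() { return []; },
    createElement(tag) { return { tag }; },
  };
}
// Constructed stand-in for code a host app adds after the page loads.
function sampleInjectedCode(doc) {
  doc.addEventListener("keydown", () => {});
  doc.addEventListener("keydown", () => {});
  doc.getElementsByTagName("input");
  doc.createElement("div");
}
// The page makes no DOM calls of its own here, so every record is foreign.
function runDemo(doc = makeFakeDocument()) {
  const log = instrument(doc, ["addEventListener", "getElementsByTagName", "createElement"], []);
  sampleInjectedCode(doc);
  return summarize(log);
}
```

In a real page the same wrapper would be applied to the browser's `document` in the first script that loads, and the page's own calls would need to be excluded from the report.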

Limitations and Considerations

While InAppBrowser serves as a valuable tool for detecting the presence of JavaScript injection, it’s essential to understand its limitations:

  1. Alerts, Not Conclusive Findings: InAppBrowser can only alert users to the existence of JavaScript injection and cannot definitively determine whether an app or browser extension is malicious. It may flag apps and extensions that use JavaScript injection for legitimate purposes or apps that don’t track user data at all.
  2. Incomplete Tracking Picture: InAppBrowser solely focuses on JavaScript injection and may not detect other tracking methods used by apps, browsers, or websites. Therefore, an app may pass InAppBrowser’s test but still collect user data through alternative means.
  3. Use it as a Tool, Not the Sole Decision-Maker: It’s crucial to avoid jumping to conclusions solely based on InAppBrowser’s results. Instead, consider it a tool to help you make informed decisions about app usage and privacy.

Mitigating Privacy Risks

If you discover that an app may be tracking your data and wish to prevent it, you have a few options:

  1. Uninstall the App: Removing the app from your device is the most effective way to stop it from tracking you. If it’s not on your phone, it can’t track your data.
  2. Adjust Browser Settings: Within the app’s settings, see if you can change the default browser to your preferred choice, such as Safari, Firefox, or Chrome. Safari, in particular, offers robust privacy features that can block many of the JavaScript behaviors flagged by InAppBrowser.
  3. Disable App Tracking: In your device’s settings (iOS or Android), you can disable app tracking and location tracking. While this is particularly effective for iOS users, it can also hinder ad tracking on Android devices. We recommend adjusting these settings regardless of the results of InAppBrowser’s inspection.

In conclusion, InAppBrowser is a valuable tool for shedding light on potential privacy and security concerns within in-app browsers. However, users should interpret its findings judiciously and complement its use with additional privacy safeguards. By staying informed and taking proactive steps, users can better protect their data and make informed choices about the apps they use.