InAppBrowser Reveals If TikTok, Instagram And Other Apps With Browsers Inject Their JavaScript

Image Source: Felix Krause @ Twitter

Earlier this month it was revealed that popular mobile applications with integrated browsers injected custom JavaScript into visited sites. Facebook, Instagram and TikTok all use code injection techniques to virtually track anything that app users do on any website that is opened in the in-app browser.

The companies that own the offending applications benefit from this in several ways. First, everything happens entirely behind the scenes, so most users never suspect it. Second, the in-app browsers support no content blockers and reveal no privacy information while they are used.

Most companies use in-app browsers and code injections for tracking and monetization purposes, but some may use code to monitor all user activity, including all keystrokes.

Felix Krause created the website InAppBrowser, which is designed to reveal to the user if an in-app browser is injecting code.

Here is how it works:

  1. Open the application that you want to analyze.
  2. Use the share functionality inside the application to get the link into the app. You may DM it to a contact or post it publicly.
  3. Open the link that has just been shared or posted.
  4. Check the report that is displayed.

The website reveals if it detected JavaScript code injections and how it rates these injections. For TikTok, the website reveals the following:

  • Adds CSS code, allows app to customize appearance of website.
  • Monitors all taps happening on websites, including taps on all buttons & links.
  • Monitors all keyboard inputs on websites.
  • Gets the website title.
  • Gets information about an element based on coordinates, which can be used to track which elements the user clicks on.

Instagram, another popular application, injects JavaScript code as well. While it does not monitor keyboard inputs, it does monitor all JavaScript messages and all text selections, and injects external JavaScript code.

All detected JavaScript commands are listed as well for deeper inspection.
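The in-page instrumentation such a report relies on can be sketched as follows. This is an added example, not code from inappbrowser.com or Felix Krause: it assumes injected calls are captured as strings (here by wrapping a target's addEventListener) and uses regular-expression rules of my own to map those strings onto the report categories listed above.

```javascript
// Added example (not Felix Krause's inappbrowser.com code). Two pieces:
// 1. hookAddEventListener: wraps a target's addEventListener so listener
//    registrations made afterwards (e.g. by injected code) are logged as strings.
// 2. classifyCommands: maps logged calls onto the report categories above.
// The regexes are an assumption about what such calls look like, not the site's rules.

const RULES = [
  { category: "Adds CSS code", pattern: /<style|insertRule\(|appendChild\(\s*style/i },
  { category: "Monitors all taps", pattern: /addEventListener\("(click|touchstart|touchend|mousedown)"/ },
  { category: "Monitors all keyboard inputs", pattern: /addEventListener\("(keydown|keyup|keypress|input)"/ },
  { category: "Gets the website title", pattern: /document\.title/ },
  { category: "Gets element at coordinates", pattern: /elementFromPoint\(/ },
  { category: "Monitors text selections", pattern: /addEventListener\("selectionchange"|getSelection\(/ },
  { category: "Injects external JavaScript", pattern: /<script[^>]*\ssrc=|\.src\s*=\s*"https?:/ },
];

// In a browser this would be called as hookAddEventListener(EventTarget.prototype, log)
// before any injected script runs; the wrapper forwards to the original method.
function hookAddEventListener(target, log) {
  const original = target.addEventListener;
  target.addEventListener = function (type, listener, options) {
    const name = listener && listener.name ? listener.name : "anonymous";
    log.push(`addEventListener("${type}", ${name})`);
    return original.call(this, type, listener, options);
  };
}

// Returns a Map: category -> array of the captured commands that triggered it.
// Commands matching no rule (ordinary page scripting) are simply left out.
function classifyCommands(commands) {
  const findings = new Map();
  for (const cmd of commands) {
    for (const { category, pattern } of RULES) {
      if (!pattern.test(cmd)) continue;
      if (!findings.has(category)) findings.set(category, []);
      findings.get(category).push(cmd);
    }
  }
  return findings;
}

// Constructed sample of a capture log (not real TikTok or Instagram output).
const SAMPLE_COMMANDS = [
  'document.head.appendChild(style)',
  'document.addEventListener("click", onTap)',
  'document.addEventListener("keydown", onKey)',
  'document.title',
  'document.elementFromPoint(x, y)',
  'document.querySelectorAll("a")', // benign: matches no rule
];

for (const [category, cmds] of classifyCommands(SAMPLE_COMMANDS)) console.log(category, cmds);
```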

You can check out the blog post, which offers additional details.


Krause notes that the site may not detect all code injections or all executed JavaScript commands. Also, it does not detect native code, which apps may use as well.

Protection against invasive in-app browsers

Mobile app users have just a few options. Besides the obvious one, removing the app from the device, they may be able to redirect links to other browsers on the device, though not all apps support that. DNS-based content blockers may not help much either, at least not against the potential reading of keystrokes or other activities unrelated to the display of ads or tracking.
