In-App Browsers — A Hidden Threat To Your Privacy

Thesis Defense Team
Published in Thesis Defense
Mar 21, 2024

By Shareef Salman
Security Auditor & Engineer

In August 2022, security researcher Felix Krause published a series of blog posts revealing that Instagram, Facebook and TikTok were not only able to monitor your behavior within their apps but, to the frustration of users, were also able to monitor user activity inside their in-app browsers. Since then, per our research, there has been no indication that these companies have addressed these privacy concerns. With that disclaimer and working assumption in mind, let’s jump into the topic.

When you click on a link within an app, you’re not necessarily viewing that URL in your browser of choice, like Safari, Chrome or DuckDuckGo. Instead, some apps, including those owned by tech giants TikTok and Meta, have an embedded version of a browser built into the app, also known as in-app browsers. While there are practical advantages of in-app browsers to both the app provider and the customer, there are also major privacy concerns.

This blog post will briefly outline these advantages and privacy concerns, in addition to recommending ways for customers to safeguard their privacy.

Advantages of In-App Browsers

In-app browsers require resources and effort to create and maintain. So, why bother?

  • Smooth Experience: The in-app browser makes it easier for customers to explore websites and connect to dApps without leaving the app. Customers can manage their dApp accounts, read articles, watch videos, or shop without the disruption of switching between apps.
  • Increased Engagement: By enabling customers to remain within the app, they are more likely to spend additional time on the platform. This is beneficial for app developers who monetize through ads or subscriptions.
  • Cohesive Design: Developers can customize the in-app browser to complement the app’s style, creating a more cohesive and visually consistent experience for the customer.
  • Tailored Content: In-app browsers allow developers to discern the types of links or content customers prefer, which can lead to a more personalized app experience for each customer.
  • Streamlined Logins and Payments: In-app browsers simplify the login and payment processes for customers, reducing the inconvenience of switching between different applications to authenticate or complete a transaction.
  • Rapid Deployment: For developers, using an in-app browser is often a more expedient method for integrating certain features than building them directly into the app, ultimately providing customers with quicker access to new functionalities.

However, the convenience for the user and the data-gathering potential for the app developer come at a cost. I will outline three of the most significant risks here.

Risks of In-App Browsers

Privacy Concerns

As mentioned previously, privacy concerns garnered media attention in 2022. One of the biggest issues at the time — and to this day — is that in-app browsers inject their own JavaScript code into third-party websites.

As Krause wrote at the time: “The Instagram app injects their JavaScript code into every website shown, including when clicking on ads. Even though the injected script doesn’t currently do this, running custom scripts on third-party websites allows them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers”. Similar results have been found and published by the same researcher regarding TikTok.

That’s right: they have the potential to spy on all your activity and to access sensitive data such as JSON Web Tokens (JWTs), cookies and session identifiers. This not only means that your private data can be collected and sold; for financial apps (including crypto apps), it could also result in your funds being stolen.

Now, I should emphasize that while there is no evidence of social media giants or others nefariously using your data in this manner, the very fact that they have the potential to do so should sound the alarm bells.

Using An Outdated Browser: A Hidden Risk

Despite the sleek interface provided by in-app browsers, there’s a lesser-known detail that could be crucial for your digital security. The core of the in-app browser is not part of the app you downloaded; it is powered by a component of your device’s operating system. For example, Android uses a component called WebView, which is updated through OS updates and can also be updated independently via the Google Play Store.

However, if you’re not regularly updating your operating system, you could inadvertently be relying on an older version of this browser engine. The concern is that older engines may lack the defenses needed to protect against the latest threats. These missing defenses could leave not just the app but your personal data, and even your device, vulnerable to exploits. Moreover, apps that are not regularly updated may harbor vulnerabilities in their own code.

The Pitfall of Bugs in Custom Browsers

App developers often put their own spin on the in-app browsers they include in their apps, which could mean a redesigned user interface or other customizations. While browsers like Chrome are subject to rigorous testing by a vast pool of users, helping to quickly identify and address bugs, in-app browsers do not benefit from this level of scrutiny. For example, if a site you visit lacks a valid SSL/TLS certificate, mainstream browsers like Chrome will warn you. In an in-app browser, however, a bug might prevent such a warning from being displayed, leading to a potentially unsafe browsing experience.

Moreover, when developers integrate these custom browsers, they take on additional responsibilities, such as ensuring secure communication between the web content and the app. If they fall short in validating and sanitizing this data exchange, there’s a risk that a harmful website loaded in the in-app browser could send a malicious payload to the app itself, endangering both user data and finances.
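To make the last point concrete, here is an added example (not code from the original post or from any app it names) modelling the page-to-app message bridge in plain JavaScript: a dispatcher that trusts any page, beside a hardened one that allow-lists the page origin, parses strictly and only runs a closed set of commands. The origin string is assumed to be supplied by the host (for a WebView, the URL of the page currently loaded); the origin, command names and sample messages are constructed for illustration.

```javascript
// Constructed allow-list: only the app's own web front end may call the bridge.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Closed set of commands the native side exposes, each with an argument validator.
const COMMANDS = {
  getBalance: (args) =>
    typeof args === "object" && args !== null && Object.keys(args).length === 0,
  signMessage: (args) =>
    typeof args === "object" && args !== null &&
    typeof args.text === "string" && args.text.length <= 1024,
};

// Vulnerable: whatever page is loaded (an ad, a link in a post) can invoke anything.
function dispatchUnsafe(event) {
  const msg = JSON.parse(event.data);
  return { accepted: true, command: msg.command, args: msg.args };
}

// Hardened: check origin first, then parse, then check the command is one we own.
function dispatchSafe(event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: "origin not allowed" };
  }
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return { accepted: false, reason: "malformed JSON" };
  }
  if (typeof msg !== "object" || msg === null || typeof msg.command !== "string") {
    return { accepted: false, reason: "bad envelope" };
  }
  // hasOwnProperty stops "constructor"/"toString" resolving via the prototype chain.
  if (!Object.prototype.hasOwnProperty.call(COMMANDS, msg.command)) {
    return { accepted: false, reason: "unknown command" };
  }
  if (!COMMANDS[msg.command](msg.args)) {
    return { accepted: false, reason: "invalid arguments" };
  }
  return { accepted: true, command: msg.command, args: msg.args };
}

// Constructed sample traffic: the app's own page, and a third-party page reached via an ad.
const OWN_PAGE = { origin: "https://app.example.com",
  data: JSON.stringify({ command: "getBalance", args: {} }) };
const AD_PAGE = { origin: "https://ads.example.net",
  data: JSON.stringify({ command: "signMessage", args: { text: "approve transfer" } }) };

function runDemo() {
  return { unsafeAd: dispatchUnsafe(AD_PAGE), safeAd: dispatchSafe(AD_PAGE),
           safeOwn: dispatchSafe(OWN_PAGE) };
}
console.log(runDemo());
```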

Solutions

Navigating Safely: Recommendations For Users

So, with all these risks outlined, what can you do? In an ideal world, you should familiarize yourself with the privacy policies of the apps you use, to understand what data is collected and how it is used. But the reality is that only a fraction of people read privacy policies.

In general, users should be cautious about entering sensitive information within an in-app browser. If you inadvertently click on a link or an ad within an app, the best practice is to close it immediately. Instead, as others have suggested, you should take the following steps:

  • Opt for a secure, dedicated browser. Many apps offer the option to open links in Safari or your device’s default browser. This can typically be accessed through an in-app setting, often indicated by three dots or a ‘Settings’ button. Within the settings menu, look for an ‘Open in Browser’ option. If no such option is visible, manually copy the URL from the in-app browser and paste it into your browser of choice.
  • Use the service’s web version. Another secure alternative is to utilize the web versions of services, particularly social media platforms. Accessing platforms like Facebook or Instagram via their web versions on a secure browser minimizes the risk of unintentionally sharing personal data and may also contribute to reducing overall social media consumption.

At Thesis Defense, we pride ourselves on our expertise. Our team of security auditors has carried out hundreds of security audits for decentralized systems across a number of technologies, including smart contracts, wallets and browser extensions, bridges, node implementations, cryptographic protocols, and dApps. We offer our services within a variety of ecosystems including Bitcoin, Ethereum and EVM chains, Stacks, Cosmos / Cosmos SDK, NEAR and more.

To learn more about our services and get a free quote, schedule a call or email us at defense@thesis.co. For more information about Thesis Defense, visit us on our website, blog and X (Twitter).
