A new analysis of the Instagram app suggests that every time a user clicks on a link within the app, Instagram is capable of monitoring all their interactions, text selections and even text inputs, such as passwords and private credit card details, within the websites opened in the app.
The analysis, by Felix Krause, found that both Instagram and Facebook on iOS use their own in-app browsers rather than the browser Apple offers to third-party apps. Most apps use Apple’s Safari to load websites, but Instagram and Facebook load websites inside the app with browsers they built themselves.
This allows Instagram to monitor everything that happens on external websites without the consent of the user or the website provider.
The Instagram app injects its tracking code into every website shown, including when ads are clicked, enabling it to monitor all user interactions, such as every button and link tapped, text selections, screenshots, as well as any form inputs such as passwords, addresses, and credit card numbers.
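For site operators, one way to notice script elements that the site did not ship itself, such as those added by an in-app browser, is sketched here. This is an added example, not code from Krause's analysis or from Meta; the origins, the nonce convention, the sample data and all function names are assumptions.

```javascript
// Added example: flag <script> elements that this site did not ship.
// ALLOWED_ORIGINS and every name below are hypothetical; adapt to your site.
const ALLOWED_ORIGINS = new Set(['https://shop.example', 'https://cdn.shop.example']);

// Classify one script descriptor: { src: string|null, nonce: string|null }.
// pageNonce is the CSP nonce the server placed on its own inline scripts.
function classifyScript(script, pageOrigin, pageNonce) {
  if (script.src) {
    let origin;
    try {
      origin = new URL(script.src, pageOrigin).origin; // resolves relative URLs
    } catch (e) {
      return 'unexpected'; // unparsable URL: treat as foreign
    }
    return ALLOWED_ORIGINS.has(origin) ? 'expected' : 'unexpected';
  }
  // Inline script: trust it only if it carries the server-issued nonce.
  return pageNonce && script.nonce === pageNonce ? 'expected' : 'unexpected';
}

function findUnexpected(scripts, pageOrigin, pageNonce) {
  return scripts.filter(s => classifyScript(s, pageOrigin, pageNonce) === 'unexpected');
}

// Constructed sample input (not captured from any real page).
const SAMPLE_SCRIPTS = [
  { src: '/static/app.js', nonce: null },
  { src: 'https://cdn.shop.example/lib.js', nonce: null },
  { src: 'https://tracker.invalid/t.js', nonce: null },
  { src: null, nonce: 'n0nce-constructed' },
  { src: null, nonce: null },
];

// Browser wiring: audit existing scripts, then watch for ones added later.
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  const nonce = document.currentScript ? document.currentScript.nonce : null;
  const report = nodes => {
    const found = findUnexpected(
      nodes.map(n => ({ src: n.getAttribute('src'), nonce: n.nonce || null })),
      location.origin, nonce);
    if (found.length) console.warn('scripts not shipped by this site:', found);
  };
  report([...document.scripts]);
  new MutationObserver(muts => {
    for (const m of muts) report([...m.addedNodes].filter(n => n.tagName === 'SCRIPT'));
  }).observe(document.documentElement, { childList: true, subtree: true });
}
```

Code that a host app evaluates directly in the web view without adding a script element leaves no DOM node, so this check does not see it.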
As Krause points out, it takes a fair amount of effort for companies like Meta to develop and maintain their own in-app browser instead of using Apple’s built-in Safari. On its developer portal, Meta claims that the “Meta Pixel” is designed to “track visitor activity on your website,” monitoring all user events in its custom-built browser. There is no evidence that Meta, which owns Instagram, actively collected the user data that it was able to collect. As Krause writes:
Does Facebook really steal my password, address and credit card number? No! I didn’t prove that Instagram is tracking accurate data, but I wanted to show the kind of data they could have gotten without you knowing. As shown in the past, if it is possible for a company to gain free access to data without asking the user for permission, they will track it.
However, this practice is a violation of Apple’s App Tracking Transparency (ATT) policy. ATT requires that all apps ask for user consent before tracking users across apps and websites owned by other companies.
Meta has repeatedly pushed back against Apple’s goal of giving users a choice of whether or not they wish to be tracked. In December 2020, Meta took out a full-page newspaper ad attacking Apple for the change. Krause says he shared his findings with Meta, which responded that it had “confirmed the issue” but has not responded since. Krause says he gave Meta two weeks’ notice before deciding to go public with his findings.