New Open Source Tool Shows Code Injected Into Websites by In-App Browsers

A researcher has conducted an analysis to see how major companies could track user activity through their mobile in-app browsers, and released a free and open source tool that allows anyone to check what code is being injected by such browsers.

Some mobile applications use built-in browsers to allow users to quickly access third-party websites. Other apps include a browser to load their own resources, which may be needed to perform various activities. However, these internal browsers could also pose security and privacy risks.

Researcher Felix Krause published a blog post earlier this month claiming that the iOS apps of Instagram and Facebook could monitor everything a user does on an external website opened through the application’s internal browser. This claim was based on the JavaScript code the applications inject into the website displayed by the in-app browser.

Later tests showed that TikTok also injects JavaScript code that modifies the content of the third-party websites opened through the social media app. TikTok appears to monitor all keyboard inputs and screen taps, potentially allowing the company to collect passwords and other sensitive information entered via the built-in browser.

Meta said the code is being injected as part of an App Tracking Transparency (ATT) mechanism that helps the company respect users’ privacy choices. TikTok confirmed that the keylogging code exists, but said it’s not actually being used.

JavaScript code injected by TikTok

However, Krause says his analysis highlights the potential security and privacy risks associated with JavaScript code getting injected by in-app browsers into third-party websites. That is why last week he released a free and open source tool that anyone can use to check what code is being executed through these in-app browsers.

The online tool, named InAppBrowser, displays the JavaScript code that is injected when the website is opened with an in-app browser. It also provides information on what each command does.

While the tool can provide some useful information, Krause pointed out that it cannot detect all the JavaScript executed by the browser, and it provides no information on tracking mechanisms implemented in native code. In addition, some applications can hide their JavaScript activity, for example by using Apple’s WKContentWorld object, which is designed to separate an app’s scripts from the webpages and scripts it executes.
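A page-side self-check in the spirit of what the article describes, added here as an example that is not part of the article or of Krause's InAppBrowser tool: a site can run it to report script nodes it did not ship and browser APIs that have been replaced by non-native functions. The origin list, the watched API names and the document shape are assumptions; like the tool, it cannot see tracking done in native code or scripts isolated in a separate content world.

```javascript
// Page-side self-check for two footprints of script injected by a host app:
// <script> nodes the site did not ship, and browser APIs replaced by script
// (e.g. a wrapped addEventListener used to observe taps and keystrokes).

// True when fn is implemented by the runtime rather than by script. Bound
// functions and Proxies also print "[native code]", so this is a heuristic.
function isNativeFunction(fn) {
  return typeof fn === 'function' &&
    /\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Resolve dotted paths such as "document.addEventListener" under `root` and
// report every one that is missing or no longer native.
function auditApis(root, paths) {
  return paths
    .map((path) => {
      const fn = path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), root);
      return { path, present: typeof fn === 'function', native: isNativeFunction(fn) };
    })
    .filter((r) => !r.native);
}

// Classify script nodes: first-party ones are accepted silently, a src outside
// allowedOrigins is 'foreign', and a node without src is 'inline'. `doc.scripts`
// must be iterable with {src, textContent} entries, like document.scripts.
function findForeignScripts(doc, baseURI, allowedOrigins) {
  const findings = [];
  for (const s of Array.from(doc.scripts)) {
    if (!s.src) {
      findings.push({ kind: 'inline', preview: (s.textContent || '').slice(0, 60) });
      continue;
    }
    const origin = new URL(s.src, baseURI).origin;
    if (!allowedOrigins.includes(origin)) findings.push({ kind: 'foreign', src: s.src });
  }
  return findings;
}

// APIs a keystroke/tap tracker would have to touch (assumed list; extend per site).
const WATCHED_APIS = ['addEventListener', 'document.addEventListener',
  'document.querySelector', 'XMLHttpRequest.prototype.open', 'fetch'];

// Entry point on a real page: runSelfCheck(window, ['https://shop.example']).
function runSelfCheck(win, allowedOrigins) {
  return {
    patchedApis: auditApis(win, WATCHED_APIS),
    scripts: findForeignScripts(win.document, win.document.baseURI, allowedOrigins),
  };
}
```

Send the returned report to the site's own telemetry endpoint to learn which hosting apps modify the page; an empty report does not prove the page is untouched.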

On the other hand, the researcher noted, “Just because an app injects JavaScript into external websites, doesn’t mean the app is doing anything malicious. There is no way for us to know the full details on what kind of data each in-app browser collects, or how or if the data is being transferred or used.”

Users who are concerned about the potential risks should open websites in their phone’s browser rather than in the in-app browser. Popular apps often provide an ‘Open in browser’ option for this, or users can simply copy and paste the URL.

Krause also noted that some iOS apps follow Apple’s recommendation and use Safari or the Safari view controller for accessing external websites, and this prevents them from injecting their own code.

The InAppBrowser source code is available on GitHub. The app can work for both Android and iOS applications.

Related: Apple to Tighten App Privacy, Remove Apps That Don’t Comply

Related: Google Details New Privacy and Security Policies for Android Apps

Related: Google Introduces ‘Privacy Sandbox’ for ​​Ads on Android

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.