Analysis Suggests Instagram Tracks User Web Activity Through In-App Browser

[MacRumors]

A new analysis of the Instagram app has suggested that every time a user clicks a link within the app, Instagram is capable of monitoring all of their interactions, text selections, and even text input, such as passwords and private credit card details within websites inside the app.

The analysis conducted by Felix Krause found that both Instagram and Facebook on iOS use their own in-app browser, rather than the one offered by Apple for third-party apps. Most apps use Apple's Safari for loading websites, but Instagram and Facebook have been using their own in-app browser to load websites within the app.

With their custom-built browser, still based on WebKit, Instagram and Facebook inject a tracking JavaScript code named "Meta Pixel" into all links and websites shown. With that code, Meta has total freedom to track users' interactions without their explicit consent, Krause finds.

This allows Instagram to monitor everything happening on external websites without the consent from the user, nor the website provider.

The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses, and credit card numbers.

As Krause points out, it takes reasonable effort for companies like Meta to develop and maintain their own in-app browser rather than to use Apple's built-in Safari. On its developer portal, Meta claims "Meta Pixel" is designed to "track visitor activity on your website" by monitoring all events a user does within their custom-built browser. There is no evidence that Meta, which owns Instagram, has actively gathered the user data it's capable of collecting. As Krause writes:

Does Facebook actually steal my passwords, address and credit card numbers? No! I didn't prove the exact data Instagram is tracking, but wanted to showcase the kind of data they could get without you knowing. As shown in the past, if it's possible for a company to get access to data for free, without asking the user for permission, they will track it.

However, this practice is in violation of Apple's App Tracking Transparency (ATT) policy. ATT requires that all apps ask for user consent before tracking them across apps and websites owned by other companies.

Meta has repeatedly pushed back against Apple's goal of giving users a choice on whether or not they wish to be tracked. In December 2020, Meta took out a full-page newspaper ad attacking Apple for the change. Krause says he shared his findings with Meta, which responded by saying they've confirmed the "issue" but have not responded since. Krause says he gave Meta a two-week notice before deciding to go public with his findings.

Article Link: Analysis Suggests Instagram Tracks User Web Activity Through In-App Browser

 

[ponzicoinbro]

No surprise.

And guess what?

FB tracks everyone who doesn’t even use their apps.

Look at your browser cookies and you will see.

Clear your browser cookies and see again after a couple of hours of random surfing.

 

[SwiftArtery]

Is anyone really surprised?

 

[TheYayAreaLiving 🎗️]

Never trust Facebook with anything.

 

[Smoovejayy]

I always figured that was the case when using any in-app browser, that's why I opt to open any of those links in the actual browser, not inside the app's browser.

 

[blazerunner]

I'm sure Apple tracks everything you do as well.

 

[TheYayAreaLiving 🎗️]

I'm sure Apple tracks everything you do as well.

They do but at least it is encrypted and cannot be decoded.

 

[dinobear]

I assumed they do do this already. the way links

I'm sure Apple tracks everything you do as well.

I don't think they do though. Not in the way fb does. Apple makes their money on iPhones and 30% app store cut, not selling our info.

 

[1557750]

This isn’t news. That’s what Facebook does.

Sucks. I use IG for an outlet for my art.

 

[Think|Different]

Yeah, this isn't really news. It's a web wrapper, just like Apple Music/iTunes has always been – of course they know what you are pressing.

 

[ponzicoinbro]

This isn’t news. That’s what Facebook does.

Sucks. I use IG for an outlet for my art.

If you follow random McDonalds fan accounts FB will put in the secret dark web database of your profile:

’iDarth loves McDonalds’

Then they sell that data to advertisers.

Now, I don’t want to mention it because politics is in the other section but…

…now see how dangerous this slippery slope is.

And if you look at the news yesterday you will see what FB did to a girl.

 

[techfreak23]

Anyone could have figured that out... I pretty much assumed the in-app browser did that, which is why if I ever do open a link I immediately open it Safari. The fact that they don't let you open directly to Safari like Reddit and others and they are using a custom web view not the Safari view are pretty big red flags.

 

[velocityg4]

I’m so surprised. You could knock me over with a feather.

 

[Return Zero]

Sad that many general consumers won't even realize the difference between the in-app browsers and their default browser. I think this should be included in the tracking opt-out... forcing the default browser.

 

[HorstBockman]

It even monitors user names and passwords? Just like Zuckerberg did at Harvard. He still hasn't grown up.

 

[sw1tcher]

They do but at least it is encrypted and cannot be decoded.

... by anyone except Apple.

 

[BootsWalking]

There is no evidence that Meta, which owns Instagram, has actively gathered the user data it's capable of collecting.

I'd like to submit the following evidence:

 

[doboy]

They'll claim it's an error, haha. One of the worst companies ever. Can't decide if this company is worse than the tobacco companies.

 

[sw1tcher]

It even monitors user names and passwords? Just like Zuckerberg did at Harvard. He still hasn't grown up.

That's because synthetic intelligence Android-lifeforms don't age (grow up).

 

[contacos]

I wonder why the EU isn’t looking more into all this ad tracking stuff when they are supposed to be so „pro user“ and privacy concerned.

Open any app with a vpn blocker and you will see that basically any app has some Facebook Graph crap installed, even if you don’t use Facebook or instagram

 

[McScooby]

Oof, I always figured the browser was a sandboxed thing, think I’m feelin a lil bit sick now!🤮

 

[jz0309]

Nooooo, this can't be true. I totally trust any and all social media to keep my data private ... NOT
/s

 

[SDJim]

Anyone with a brain already assumed this, lol, it is Facebook, after all. (sorry, MeTa)
There's reason they made the "open in browser" option ever so slightly more obscure in one of the recent updates. I noticed, because I ALWAYS exit the built-in browser.

 

[jz0309]

I wonder why the EU isn’t looking more into all this ad tracking stuff when they are supposed to be so „pro user“ and privacy concerned.

Open any app with a vpn blocker and you will see that basically any app has some Facebook Graph crap installed, even if you don’t use Facebook or instagram

cause it is more important to focus on USB-C and App developers and such. No politician (EU or not) cares about "normal people", there's no fame and money to be made

 

[SDJim]

I wonder why the EU isn’t looking more into all this ad tracking stuff when they are supposed to be so „pro user“ and privacy concerned.

Open any app with a vpn blocker and you will see that basically any app has some Facebook Graph crap installed, even if you don’t use Facebook or instagram

I'm assuming your wonder at the perpetual incompetence of politicians is tongue-in-cheek