This tool checks if in-app browsers are tracking you


In-app browsers are clunky compared to full-featured browsing apps, but they also pose a major privacy and security risk. Many apps sneak data trackers onto websites you visit through their in-app browser using a method called JavaScript injection, which adds extra code to a page as it loads. These trackers can scoop up browsing history, credentials, and even keyboard presses and text input.

While not always used for nefarious purposes, JavaScript injection is a potential security threat that has been difficult to control in in-app browsers until now. Fortunately, security researcher Felix Krause’s new ap(p)tly named tool, InAppBrowser, checks if an app’s built-in browser uses potentially dangerous JavaScript injections to track your data.

While InAppBrowser only works in apps that have a built-in web browser tool, such as TikTok, Instagram, or Messenger, you can also use it on the desktop to check for JavaScript injections from browser extensions.

If you’re suspicious of an app or browser extension, give InAppBrowser a try and see if it does anything strange. Here’s how:

  1. On mobile (iOS/Android): Open the app you want to test and load inappbrowser.com in the app’s built-in web browser. An easy way to do that is to send the link to yourself in a message, comment, or post. You can also open a link to a website in the app (any web link will work) and then go to
  1. On desktop: To test websites and browser extensions on desktop, open your preferred browser and go to inappbrowser.com.
  2. Once the site loads, you’ll see a message detailing possible sketchy JavaScript behavior that InAppBrowser intercepts (if any), plus an explanation of what the code can be used for.

These readouts can help you spot potentially malicious behavior, but there are some caveats to note.

Most importantly, InAppBrowser only warns you about the existence of JavaScript injection and cannot tell if an app or browser extension is actually malicious. It even flags apps and browser extensions that use JavaScript injection but do not track you. That means privacy-focused browser extensions that block a website’s trackers, apps that collect browsing data for advertising or troubleshooting (like TikTok), and malicious apps that spy on you outright all get the same warnings. Even Krause warns against jumping to conclusions if an app uses JavaScript injection.
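
The caveat above, shown as an added example (it is not code from the article or from InAppBrowser): a page wraps a few DOM methods and logs any call it did not make itself. The fake `document`, the function names, and the two sample callers are assumptions constructed for illustration.

```javascript
// Added example (not InAppBrowser's code); names and sample calls are constructed.
const WATCHED = {
  addEventListener: "can observe taps, clicks and key presses",
  getElementsByTagName: "can enumerate elements such as inputs or links",
  createElement: "can add new elements, including script tags",
};

// Wrap each watched method on `doc`. Calls made while `pageCode.active` is
// true are the page's own and are skipped; every other call is recorded.
function installTripwires(doc, pageCode, findings) {
  for (const name of Object.keys(WATCHED)) {
    const original = doc[name];
    if (typeof original !== "function") continue;
    doc[name] = function (...args) {
      if (!pageCode.active) {
        findings.push({ api: name, arg: String(args[0]), note: WATCHED[name] });
      }
      return original.apply(this, args);
    };
  }
}

// Run the page's own (synchronous) code with the flag set.
function runAsPage(pageCode, fn) {
  pageCode.active = true;
  try { return fn(); } finally { pageCode.active = false; }
}

// Constructed stand-in for `document` so the example runs outside a browser.
function makeFakeDocument() {
  return {
    listeners: [],
    addEventListener(type) { this.listeners.push(type); },
    getElementsByTagName() { return []; },
    createElement(tag) { return { tagName: tag.toUpperCase() }; },
  };
}

function demo() {
  const doc = makeFakeDocument();
  const pageCode = { active: false };
  const findings = [];
  installTripwires(doc, pageCode, findings);
  runAsPage(pageCode, () => doc.addEventListener("click", () => {})); // page's own call
  doc.getElementsByTagName("img");           // constructed: e.g. a content blocker
  doc.addEventListener("keydown", () => {}); // constructed: e.g. an input recorder
  return findings;
}
console.log(demo());
```

Both constructed callers produce the same kind of finding: the log records which API was called and what it can be used for, not why it was called.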

Likewise, InAppBrowser cannot warn you about other forms of tracking that apps, browsers and websites may use. That means an app can pass the InAppBrowser test, but still collect your data in other ways, so don’t rely on InAppBrowser as your only method of testing an app’s security. Still, it’s important to know whether an app uses JavaScript injections, intentionally or unintentionally, so you can decide for yourself if the app is worth using.

If you find out that an app may be tracking you and you want to stop it, you have a couple of options. The best solution is to uninstall the app. If it’s not on your phone, it can’t track you.

If you want to keep an app but restrict its tracking, go to the app’s settings and see if you can change the default browser to your preferred app, such as Safari, Firefox, or even Chrome. Safari is a particularly good option because recent versions block much of the JavaScript behavior that InAppBrowser warns about.

Additionally, disable app tracking in the iOS or Android settings menus. This is more effective for iOS users, but it can also hinder ad tracking on Android. Turn off location tracking as well. Frankly, we recommend adjusting these settings anyway, even if every app you use passes the JavaScript injection test.

[BleepingComputer]
