Home / iOS / Tool shows JavaScript code injected via in-app browser

Tool shows JavaScript code injected via in-app browser

A few days ago, developer Felix Krause shared a detailed report on how mobile apps can use their own in-app web browser to track user data. Now Krause is back with a new tool that lets anyone see JavaScript commands injected through an in-app browser.

The platform is called “InAppBrowser,” and any interested user can access it to check how a web browser embedded within an app injects JavaScript code to track people.

For those unfamiliar, an in-app browser usually comes into action when a user taps on a URL within an app. This way, the app shows the webpage without having to redirect the user to an external browser app, such as Safari or Google Chrome.

However, although these in-app browsers are based on Safari’s WebKit on iOS, developers can modify them to run their own JavaScript code. As a result, users are more susceptible to being tracked without their knowledge. For instance, an app can use a custom in-app browser to collect all the taps on a webpage, keyboard inputs, website title, and more.

Such data can be used to create a digital fingerprint of a person. In most cases, data collected from people on the web is used for targeted advertising. Krause notes that the platform can’t detect all JavaScript commands, but it still gives users more insight into what data the apps are collecting.

Using the InAppBrowser tool is quite simple. First, you open an app that you want to analyze. Then you share the URL “https://InAppBrowser.com” somewhere inside the app (you can send it as a DM to a friend). Tap the link inside the app to open it and get a report about the JavaScript commands.

Krause has also tested the tool with some popular apps so that you don’t have to do this. For example, TikTok can monitor all keyboard inputs and screen taps when you open a URL using the in-app browser. Meanwhile, Instagram can even detect all text selections on websites.

Of course, the developer also notes that not every app that injects JavaScript code into an in-app browser does so for malicious purposes, since JavaScript is the basis of many web features. You can find more details about this on Krause’s website.

FTC: We use income earning auto affiliate links. More.

Check out 9to5Mac on YouTube for more Apple news:

Source link

About Deep into Tech

Check Also

PSA: Don’t try to use iOS 16’s iCloud Shared Photo Library yet

Apple is close to launching a major new feature in the Photos app that makes ...

Leave a Reply

Your email address will not be published.