In-app browsers are bunk compared to full-featured browsing apps, but they’re also a major privacy and security risk. Many apps sneak data trackers onto websites you visit through their in-app browser using a method called Javascript injection, which adds extra code to a page as it loads. These trackers can scoop up browsing history, login data, and even keyboard presses and text entry.
While not always used for nefarious means, Javascript injection is a potential security threat that, until now, was difficult to check for inside in-app browsers. Luckily, security researcher Flix Krause’s new ap(p)tly named tool, InAppBrowserchecks if an app’s built-in browser uses potentially dangerous Javascript injections to track your data.
While InAppBrowser only works in apps that have a built-in web browser tool, such as TikTok, Instagram, or Messenger, you can also use it on the desktop to check for Javascript injections from browser extensions.
If you’re suspicious of an app or browser extension, give InAppBrowser a try to see if it’s doing anything fishy. Here’s how:
- On mobile [iOS/Android]: Open the app you want to test and load inappbrowser.com in the app’s built-in web browser. An easy way to do that is to send the link to yourself in a message, comment, or post. Alternatively, open a link to a website in the app (any web link works), then go to https://inappbrowser.com.
- On desktop: To test websites and browser extensions on desktop, open your preferred browser and go to inappbrowser.com.
- Once the site loads, you’ll see a message detailing any potentially sketchy Javascript behavior InApBrowser intercepts (if any), plus explanations of what the code may be used for.
These readouts can help you spot possible malicious behavior, but there are a few caveats to mention.
Most importantly, InAppBrowser only alerts you to the existence of Javascript injection and can’t tell if an app or browser extension is actually malicious. It even flags apps and browser extensions that use Javascript injection don’t track you at all. That means private browsing extensions that block a website’s trackers, apps collecting browsing data for advertising or troubleshooting reasons (like TikTok), and malicious apps that outright spy on you will all trip the same warnings. Even Krause warns against jumping to conclusions if an app uses Javascript injection.
G/O Media may get a commission
Up to 85% off
Jachs NY Summer Sale
Styles starting at $10
This sitewide sale will prepare you for any style situation that may arise in the transition between seasons—whether it be a henley and jeans or a button up and chino shorts moment.
Similarly, InAppBrowser can’t alert you to other forms of tracking apps, browsers, and websites may use. That means an app may pass InAppBrowser’s test but still collect your data by other means, so don’t rely on InAppBrowser as your sole method for testing an app’s safety. Still, it’s important to know if an app uses Javascript injections—maliciously or otherwise—so you can decide for yourself if the app is worth using.
If you find out an app might be tracking you and you want to stop it, you have a couple options. The best solution is to delete the app. If it’s not on your phone, it can’t track you.
If you want to keep an app around but curb its tracking, go to the app’s settings and see if you can change the default browser to your preferred app, like Safari, Firefox, or even Chrome. Safari is an especially good option since recent versions block many of the Javascript behaviors InAppBrowser warns against.
Additionally, disable app tracking in the iOS or Android settings menus. This is more effective for iOS users, but it can stymie ad tracking on Android, too. Turn off location tracking, as well. Frankly, we recommend tweaking these settings anyway, even if every app you use passes the Javascript inspection test.
[BleepingComputer]
.