
A new online tool named ‘InAppBrowser’ lets you analyze the behavior of in-app browsers embedded within mobile apps and determine if they inject privacy-threatening JavaScript into websites you visit.

The tool was created by developer Felix Krause, who warned of this potentially risky behavior earlier in the month, explaining how easy it would be for in-app browsers to track anything users see and do online by injecting JavaScript trackers into every web page they visit.

Such injections could be used to access browsing history, log behavioral characteristics to derive interests, record taps and key presses, monitor screenshot actions, and even capture passwords entered into login forms.

The revelations shook the communities of popular apps that feature embedded browsers, so to help users check what their apps' browsers actually do, Krause released the ‘InAppBrowser’ online tool and open-sourced its source code.

How to use InAppBrowser

To find if an app demonstrates potentially suspicious behavior, open the tool’s website (inappbrowser.com) through the app’s built-in browser.

For social media apps, post the link to https://InAppBrowser.com publicly and try to open it with the in-app browser. For messenger apps, send the link to yourself via DM and open it through the app’s browser.

These simple steps are enough to generate a report on the JavaScript the app's browser injects into the page. However, it is essential to clarify that a report with no detections does not prove that no code is being injected.
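To show what a test page like this can actually observe, here is an added example (not the InAppBrowser tool's own code) of two self-checks a page can run: it lists script elements that were not shipped by the page, and it looks for native DOM functions that have been replaced by JavaScript wrappers. The allow-list of script hosts, the sample script entries and the stand-in `document` object are constructed for the example; in a real page you would pass `document.scripts` and the live `window`/`document` objects instead.

```javascript
// Added example, not the InAppBrowser tool's code: two checks a page can run
// on itself to spot an in-app browser (or extension) that has tampered with it.
// Runs under Node on constructed input.

// Flag <script> entries whose src host is not in allowedHosts (hypothetical
// allow-list of hosts the page legitimately loads from) and inline scripts
// that register listeners for input or touch events.
function findInjectedScripts(scripts, allowedHosts) {
  const listenerRe =
    /addEventListener\s*\(\s*['"](keydown|keyup|keypress|input|touchstart|touchend|click)['"]/;
  const findings = [];
  for (const s of scripts) {
    if (s.src) {
      let host = null;
      try { host = new URL(s.src).host; } catch (e) { /* malformed src counts as foreign */ }
      if (host === null || !allowedHosts.includes(host)) {
        findings.push({ kind: 'external-script', detail: s.src });
      }
    } else if (s.inline && s.inline.trim() !== '') {
      const m = s.inline.match(listenerRe);
      if (m) findings.push({ kind: 'inline-listener', detail: m[1] });
    }
  }
  return findings;
}

// A built-in function stringifies to "function name() { [native code] }";
// a wrapper installed by an injected script shows its JS body instead.
// Caveat: bound functions and Proxies also report "[native code]", and an
// injector could patch Function.prototype.toString itself, so a clean result
// is a heuristic, not proof (the same limitation the article describes).
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  const src = Function.prototype.toString.call(fn);
  return /\{\s*\[native code\]\s*\}\s*$/.test(src);
}

// Return the names on `target` (e.g. window or document) whose functions
// no longer look native.
function findOverriddenNatives(target, names) {
  return names.filter((n) => !isNativeFunction(target[n]));
}

// Constructed sample: one legitimate script, an empty inline block, one
// foreign tracker, and an injected inline keylogger-style listener.
const SAMPLE_SCRIPTS = [
  { src: 'https://inappbrowser.com/js/app.js' },
  { inline: '' },
  { src: 'https://tracker.example.net/collect.js' },
  { inline: "document.addEventListener('keydown', (e) => report(e.key));" },
];

// Constructed stand-in for `document`: one genuine built-in and one JS wrapper
// that records every listener type before delegating, as an injector would.
const SAMPLE_DOCUMENT = {
  querySelector: Object.prototype.hasOwnProperty,
  addEventListener: function addEventListener(type, fn) {
    SAMPLE_DOCUMENT.seen.push(type);
    return fn;
  },
  seen: [],
};

console.log(findInjectedScripts(SAMPLE_SCRIPTS, ['inappbrowser.com']));
console.log(findOverriddenNatives(SAMPLE_DOCUMENT, ['querySelector', 'addEventListener']));
```

Run with `node` to see the foreign tracker, the `keydown` listener and the overridden `addEventListener` reported. Neither check sees tracking done in native code (gesture recognizers, WebView delegate callbacks), which is why a clean result from any page-side test cannot rule out tracking.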

Clean test results when using Robinhood’s in-app browser
Source: krausefx.com

“This tool can’t detect all JavaScript commands executed, as well as doesn’t show any tracking the app might do using native code (like custom gesture recognizers),” explains Krause in his writeup.

Similarly, reports of code injection don’t necessarily mean that the app is performing tracking activities but merely that the potential for abuse is present.

“Just because an app injects JavaScript into external websites doesn’t mean the app is doing anything malicious,” clarifies the report.

“There is no way for us to know the full details on what kind of data each in-app browser collects, or how or if the data is being transferred or used.”

Further tests by BleepingComputer also showed that you could use the tool to find risky code injections created by extensions in desktop browsers.

When testing the tool with Chrome extensions installed, like the Phantom or Metamask cryptocurrency wallets, the InAppBrowser site detected various privacy-related code injections, shown below.

Desktop injections caused by Chrome cryptocurrency wallets
Source: BleepingComputer

The last alert in red in the image above was caused by the Phantom extension and not by MetaMask.

Many browser extensions work precisely by injecting JavaScript into the websites you visit, so detections for extensions are expected rather than unusual. However, our tests showed that many extensions did not generate any warnings with the tool.

As the tool was not designed to analyze browser extensions, BleepingComputer reached out to Krause to learn if these results were reliable.

Findings and dispute

The researcher claims to have found risky behavior on TikTok, Instagram, Facebook, and Messenger, while Snapchat and Robinhood came out clean in the tests.

Test results on various apps
Source: krausefx.com

For TikTok in particular, Krause found scripts that monitor keyboard input and screen taps. While there is no indication that TikTok abuses this ability, the researcher warns that it could be abused to gather sensitive information like passwords and credit card inputs.

TikTok’s test results on InAppBrowser
Source: krausefx.com

A TikTok spokesperson shared the following statement with BleepingComputer, saying the company does not use these scripts to collect keystroke or text input.

“The report’s conclusions about TikTok are incorrect and misleading.

The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects.

Contrary to the report’s claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring.” – TikTok.

TikTok thus confirms that the code is present but maintains that it is used only for debugging, troubleshooting, and performance monitoring, not to capture what users type or to otherwise breach their privacy.

Additionally, TikTok told BleepingComputer that it does not track users everywhere they go on the web, though the company may receive limited data from advertisers about what its users do on third-party apps and websites in order to provide effective advertising solutions.

BleepingComputer has also requested comment from Facebook/Meta on the reported findings, but we have not received a response yet.

Source: www.bleepingcomputer.com