Felix Krause, back in September:
Last week I published a report on the risks of mobile apps
using in-app browsers. Some apps, like Instagram and Facebook,
inject JavaScript code into third party websites that cause
potential security and privacy risks to the user.
I was so happy to see the article featured by major media outlets
across the globe, like The Guardian and The
Register, generated over a million impressions on
Twitter, and was ranked #1 on HackerNews for more
than 12 hours. After reading through the replies and DMs, I saw a
common question across the community:
“How can I verify what apps do in their webviews?”
Introducing InAppBrowser.com, a simple tool to list the
JavaScript commands executed by the iOS app rendering the page.
It’s pretty creepy that TikTok both injects a JavaScript keylogger and does not have a button to open the current page in Safari.
I understand why in-app browsers are a thing on iOS (and iPadOS) but not on macOS, but when you really think about it, it’s quite strange, and a vestige of the past when multitasking on iOS was so much more limited. Whenever possible, open links in Safari (or whatever your default browser is).