Analysis suggests Instagram tracks users’ web activity through in-app browser


A new analysis of the Instagram app has suggested that whenever a user clicks on a link in the app, Instagram is able to monitor all of their interactions, text selections, and even text input, such as words of password and private credit card details on inside websites. the app.

Analysis conducted by Felix Krause revealed that Instagram and Facebook on iOS use their own in-app browser, rather than the one offered by Apple for third-party apps. Most apps use Apple’s Safari to load websites, but Instagram and Facebook use their own built-in browsers to load websites into the app.

With their custom browser, still based on WebKit, Instagram and Facebook inject a tracking JavaScript code named “Meta Pixel” into all displayed links and websites. With this code, Meta has complete freedom to track user interactions without their explicit consent, Krause finds.

This allows Instagram to monitor everything that happens on external websites without the consent of the user or the website provider.

The Instagram app injects its tracking code into every website viewed, including when you click on ads, allowing them to monitor all user interactions like every button and link tapped, text selections, screenshots screen, as well as all form entries, such as passwords, addresses, and credit card numbers.

As Krause points out, it takes reasonable effort for companies like Meta to develop and maintain their own in-app browser rather than using Apple’s built-in Safari. On its Developer Portal, Meta claims that “Meta Pixel” is designed to “track visitor activity on your website” by monitoring all events a user performs in their custom browser. There is no evidence that Meta, owner of Instagram, has actively collected the user data it is able to collect. As Krause writes:

Is Facebook Really Stealing My Passwords, Address, and Credit Card Numbers? Nope! I haven’t proven the exact data Instagram tracks, but I wanted to show what kind of data they might be getting without you knowing. As stated in the past, if it is possible for a company to access data for free, without asking the user’s permission, it will track it.

However, this practice violates Apple’s Application Tracking Transparency (ATT) policy. ATT requires all apps to seek user consent before tracking them on apps and websites owned by other companies.

Meta has repeatedly pushed back against Apple’s goal of giving users a choice over whether or not they want to be tracked. In December 2020, Meta ran a full-page ad in a newspaper attacking Apple for change. Krause says he shared his findings with Meta, who responded saying they had confirmed the “issue” but have not responded since. Krause says he gave Meta two weeks notice before deciding to go public with his findings.


About Author

Comments are closed.