Software developer Felix Krause has raised the alarm after discovering that Meta and TikTok are injecting code into their browsers that he claims can monitor everything you press or even act as a keylogger – a tool that can gather what you type, including passwords. Meta and TikTok have confirmed the code exists but said they are not using it for spying.
TikTok said the code was for “debugging, troubleshooting and performance monitoring”. Meta said the code helps it honor the selection made by the user in Apple’s “ask app not to track” prompt. Using its own browser instead of Safari has security benefits, a Meta spokeswoman said, as well as a “more seamless and convenient experience for users.”
Here’s how much you should worry and how to bypass custom browsers.
These companies are unlikely to collect everything you type on external websites, privacy experts said, but their use of custom browsers should still raise eyebrows. First, it’s unclear why a company would need debugging or performance monitoring on a website it doesn’t own, they said. Second, once a company has implemented a system that could function as a keylogger, it may leak data in error. And third, there is no way to ensure that the company or an outside entity does not use the system for nefarious reasons in the future.
Some other iOS social apps, including LinkedIn and Snapchat, also use custom browsers but don’t appear to inject similar code, according to Krause’s analytics tool, which he has made publicly available. Twitter, Reddit and others use Apple’s browser, they confirmed, which prevents apps from observing people’s activity after opening external links. (Copying the link and opening it in a separate browser app would also prevent this kind of spying.) A Twitter spokeswoman said the company opted in to Apple’s tool in part to protect the privacy of users.
A LinkedIn spokeswoman said its browser helps it know when someone applies for a job or visits a site after interacting with content on LinkedIn, which Safari tools wouldn’t allow. “We have strict limits on how we process this information,” she said.
A Snap spokesperson said its browser offers protections against malicious URLs, while Apple’s does not.
Meta and TikTok’s decision to open external websites through their own browsers, without saying so, shows a lack of transparency, Krause said.
“The problem with that is you never chose Instagram as your browser. You chose Instagram to share photos or maybe message friends,” he said.
And collecting data on what users do after opening links would be a boon to the advertising business of these companies, said Patrick Jackson, chief technology officer of anti-tracking firm Disconnect.
“These companies that use data as their primary source of revenue, it’s classic for them to push the envelope or do things that a user isn’t aware of,” Jackson said. “We can’t just blindly trust these companies.”
Don’t despair, however. Meta’s choices are still within Apple’s boundaries, noted mobile development analyst Eric Seufert. And there’s a good chance Apple will eventually introduce technical limits or app review processes that address those risks, Krause said.
An Apple spokesperson said it requires developers to disclose what data their browser features collect and what that data is used for. Any app caught collecting “private” data such as passwords would be removed from the App Store, he said. He did not respond directly to questions about Apple’s plans for custom browsers.
To avoid any potential scares, open the link in Instagram, Facebook, Snap or LinkedIn, then tap the three dots in the top-right corner and select “open in browser.”
To change your default browser on an iOS device, open Settings, scroll to the desired browser app and select it, then tap “default browser app” and make your selection. For more private browsing, we recommend Firefox, DuckDuckGo, Brave, or Safari.
TikTok doesn’t seem to offer the ability to open links in a separate browser. You can always copy links and paste them into a separate browser app.