The Washington Post

What TikTok and Facebook may track with their in-app browsers

These social apps are spinning up “custom browsers.” Privacy advocates don’t like it.

(Emma Kumer/The Washington Post)

When you want to open a link on Instagram or TikTok, your first instinct might be to just click on it. But be aware: You could be revealing whatever you do next to social media companies.

A recent report highlighted the use of “custom browsers” by iOS social apps, calling out Facebook parent Meta and TikTok for continuing to build their own in-app browsers rather than using the one Apple provides that comes with some built-in privacy protections.

Software developer Felix Krause sounded an alarm after finding that Meta and TikTok inject code into their in-app browsers that, he said, could monitor everything you tap or even act as a key logger, a tool that can gather what you type, including passwords. Meta and TikTok confirmed that the code exists but said they don’t use it to snoop.

TikTok said the code is for “debugging, troubleshooting and performance monitoring.” Meta said the code helps it honor whatever selection the user made in Apple’s “ask app not to track” prompt. Using its own browser instead of Safari comes with security benefits, a Meta spokeswoman said, as well as a “more seamless and convenient experience for users.”

Here’s how concerned you should be — and how to get around custom browsers.

It’s unlikely these companies are collecting everything you type in outside websites, privacy experts said, but their use of custom browsers should still raise eyebrows. First, it’s not clear why a company would need debugging or performance monitoring on a website they don’t own, they said. Second, once a company sets up a system that could work as a key logger, they might leak data by mistake. And third, there’s no way to make sure the company or an outside entity doesn’t use the system for nefarious reasons in the future.

Some other iOS social apps, including LinkedIn and Snapchat, also use custom browsers but don’t appear to inject similar code, according to Krause’s analysis tool, which he made available to the public. Twitter, Reddit and others use Apple’s browser, they confirmed, which prevents apps from observing people’s activity after they open outside links. (Copying the link and opening it in a separate browser app would also prevent that type of snooping.) A spokeswoman for Twitter said the company switched to Apple’s tool in part to protect user privacy.

A LinkedIn spokeswoman said its browser helps it track when someone applies for a job or visits a site after interacting with content on LinkedIn, something the Safari tools wouldn’t allow. “We have strict limits on how we handle this information,” she said.

A Snap spokesman said its browser provides protections from malicious URLs that Apple’s does not.

Meta and TikTok’s decision to open outside websites through their own browsers — without making that clear in the moment — shows a lack of transparency, Krause said.

“The problem with this is that you never chose Instagram to be a browser. You chose Instagram to share photos or maybe send messages to friends,” he said.

And collecting data about what users do after opening links would be a boon for these companies’ advertising businesses, said Patrick Jackson, chief technology officer at anti-tracking company Disconnect.

“These companies that operate on data as their main revenue source, it’s classic of them to push the limits or do things a user is not aware of,” Jackson said. “We can’t just blindly trust these companies.”

Don’t despair, though. Meta’s choices still fall within Apple’s boundaries, noted mobile development analyst Eric Seufert. And there’s a good chance Apple will eventually introduce technical boundaries or app review processes that address these risks, Krause said.

An Apple spokesman said it requires developers to disclose what data their browser features collect and what that data is used for. Any app that gets caught collecting “private” data such as passwords would be removed from the App Store, he said. He didn’t directly respond to questions about Apple’s plans related to custom browsers.

To avoid potential creepiness in Instagram, Facebook, Snap and LinkedIn, open the link, then tap the three dots in the upper right corner and select “open in browser.”

To change your default browser on an iOS device, open Settings, scroll to the browser app you want and select it, then tap “default browser app” and make your selection. For more private browsing, we recommend Firefox, DuckDuckGo, Brave or Safari.

TikTok doesn’t appear to give the option to open links in a separate browser. You can always copy links and paste them into a separate browser app.
