iOS/Android Privacy: InAppBrowser.com – see what JavaScript commands get injected through an in-app browser · Felix Krause
Posted by jpluimers on 2022/08/31
Especially on iOS, but also on Android and other mobile operating systems, mobile apps can ship their own in-app browser (an embedded web view) instead of using the OS-provided wrapper around the system browser.
On iOS, Safari's WebKit is the only browser engine allowed, whereas on Android you can have other engines too, so fewer Android applications ship in-app browsers.
Most of those in-app browsers are in social media applications that go to great lengths to keep their users inside a walled garden.
The site [Wayback/Archive] inAppBrowser.com helps you check how badly information leaks through an in-app browser, since the embedding app has a lot of control over the page: it can inject JavaScript that hooks input events and reads whatever you type. TikTok is the worst, capturing all input, including credentials such as user names and passwords.
(Next to mobile browsers, you can of course also run it in a web browser on your personal computer, but in that case note that the outcome will depend heavily on which browser extensions you have installed, as most of them install event listeners too.)
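The detection idea behind a page like inAppBrowser.com, as an added example that is not code from the original post or from inAppBrowser.com itself: the page instruments `EventTarget.prototype.addEventListener` so that any script which later subscribes to keystroke or input events gets recorded together with its call site, while the listener is still registered so the page keeps working. The "injected tracker" below is a constructed stand-in for the kind of code an in-app browser injects, and the `EventTarget` instance stands in for an `<input>` element so the example also runs under Node; the function names are mine.

```javascript
// Added example, not code from the original post or from inAppBrowser.com.
// A page wraps EventTarget.prototype.addEventListener so that any script
// which later subscribes to keystroke/input events is logged with its call
// site. Runs in a browser page and, for this demo, in Node (which ships
// EventTarget and Event as globals).

'use strict';

// Event types an injected tracker would hook to capture typed credentials.
const SENSITIVE_EVENTS = new Set([
  'keydown', 'keyup', 'keypress', 'input', 'beforeinput', 'paste',
]);

// Wrap addEventListener on the given prototype. Returns the log of
// sensitive registrations and a function that restores the original.
function installListenerMonitor(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const log = [];
  proto.addEventListener = function monitoredAddEventListener(type, listener, options) {
    if (SENSITIVE_EVENTS.has(type)) {
      // frames[0] is "Error", frames[1] is this wrapper, frames[2] the caller.
      const frames = (new Error().stack || '').split('\n');
      log.push({ type, caller: (frames[2] || 'unknown').trim() });
    }
    // Still register the listener: we observe, we do not block.
    return original.call(this, type, listener, options);
  };
  return { log, uninstall: () => { proto.addEventListener = original; } };
}

// Constructed stand-in for tracking code an in-app browser might inject.
// It only records event types into `sink`; the point is the subscription
// pattern (every keystroke, plus clicks) that the monitor should surface.
function simulateInjectedTracker(target, sink) {
  target.addEventListener('keydown', (e) => sink.push(e.type));
  target.addEventListener('click', (e) => sink.push(e.type));
}

// Summarise the log as { eventType: count }.
function reportFromLog(log) {
  const byType = {};
  for (const entry of log) {
    byType[entry.type] = (byType[entry.type] || 0) + 1;
  }
  return byType;
}

// End to end: install the monitor, let the "injected" code run, then
// dispatch events to show the tracker's listeners still fire.
function runDemo() {
  const monitor = installListenerMonitor();
  const fakeInput = new EventTarget(); // stands in for an <input> element
  const seenByTracker = [];
  try {
    simulateInjectedTracker(fakeInput, seenByTracker);
    fakeInput.dispatchEvent(new Event('keydown'));
    fakeInput.dispatchEvent(new Event('click'));
  } finally {
    monitor.uninstall();
  }
  return {
    suspicious: reportFromLog(monitor.log),   // { keydown: 1 }; 'click' is not sensitive
    trackerStillWorks: seenByTracker,         // ['keydown', 'click']
    callers: monitor.log.map((e) => e.caller),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runDemo(), null, 2));
}
```

Two caveats for anyone building a real check on this. A WKWebView user script injected at document start runs before the page's own scripts, so hooks it registers at that moment are invisible to a wrapper installed later; you only catch listeners added afterwards (on `DOMContentLoaded`, on dynamically created inputs, and so on). And the injected code has the same privileges as your page, so it can just as well wrap the same prototypes itself or read input values directly; treat a clean report as "nothing observed", not as "nothing injected".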
inAppBrowser.com
was announced in [Wayback/Archive] iOS Privacy: Announcing InAppBrowser.com – see what JavaScript commands get injected through an in-app browser · Felix Krause, which I found via [Wayback/Archive] Felix Krause on Twitter: “🔥 New Post: Announcing InAppBrowser – see what JavaScript commands get injected through an in-app browser 👀 TikTok, when opening any website in their app, injects tracking code that can monitor all keystrokes, including passwords, and all“.
Incidentally, on the same day, [Wayback/Archive] Scott Hanselman (@shanselman) was mad at Apple for even allowing such in-app browsers:
- [Wayback/Archive] Scott Hanselman on Twitter: “Apple needs to KILL In-App Browsers. Just launch the damn default browser I trust.”
- [Wayback/Archive] “They just need to encourage in their ToS that social media apps “link to bio” and what not need to launch normally. This isn’t about WebView usage, it’s about maliciously keeping the user from leaving their app”
Some of the above is based on the great insight presented by [Wayback/Archive] Roderick Gadellaa (@RGadellaa):
- [Wayback/Archive] “@jpluimers @KrauseFx Not entirely sure, but my guess is that this applies to Android as well, yes. Lots of apps are Good Citizens and use Chrome Custom Tabs (CCT), which actually uses the default browser engine of your choice to render a site. …”
- [Wayback/Archive] Roderick Gadellaa on Twitter: “@jpluimers @KrauseFx The “Chrome” in CCT is badly named btw… It will use FF if that’s your default. No injected scripts and other shenanigans, and it comes with all cookies, user sessions, settings, extensions, etc, as you have them config’ed in the standalone browser.”
- [Wayback/Archive] “@jpluimers @jaberwaki @breezydev_ @shanselman @googlechrome Well yes it will use FF *if* the app uses CCT. If the app does the IAB thing, so basically embedding a WebView inside the app itself, it’s almost certainly provided by the system. The WebView could be anything though, apps are allowed to ship their own render engines on Android.”
- [Wayback/Archive] “@jpluimers @jaberwaki @breezydev_ @shanselman @googlechrome So CCT = good, IAB = bad. iOS has something similar to CCT, but AFAIK it’s always Safari, not Chrome or FF if that’s your default.”
–jeroen