Did you know you’re potentially being tracked when you load an in-app browser on iOS? A new tool reveals exactly how, showing how applications like TikTok and Instagram can potentially use JavaScript to view sensitive data, including your address, passwords and credit card information, without your consent.
The tool can be found at InAppBrowser.com. All you need to do is open the app you want to check and share the InAppBrowser.com URL somewhere within it — such as DMing the link to a friend or posting it in a comment. From there, you can tap the link and get a report from the website on what scripts are running in the background.
Don’t be intimidated if you’re unfamiliar with tech jargon, as the tool’s developer, Felix Krause, provides some FAQs that explain exactly what you’re seeing. In response to questions on how best to protect yourself, Krause states, “Whenever you open a link from any app, see if the app offers a way to open the currently shown website in your default browser. During this analysis, every app besides TikTok offered a way to do this.”
TikTok responded to the site in a statement, provided earlier to Motherboard and now on Twitter, saying, “The report’s conclusions about TikTok are incorrect and misleading. Contrary to its claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting and performance monitoring.”
Krause is a security researcher and former Google employee who earlier this month shared a detailed report on how browsers within apps like Facebook, Instagram and TikTok can be a privacy risk for iOS users.
In-app browsers are used when you tap a URL within an app. While these browsers are based on Safari’s WebKit on iOS, developers can adjust them to run their own JavaScript code, allowing them to track your activity without consent from you or the third-party websites you visit.
Apps can inject their JavaScript code into websites, allowing them to monitor how the user is interacting with the app. This can include information on every button or link you tap, keyboard inputs and whether screenshots were taken, though each app will vary in what information it collects.
In response to Krause’s earlier report, Meta justified the use of these custom tracking scripts by claiming that users already consent to apps like Facebook and Instagram tracking their data. Meta also claims that the data retrieved is only used for targeted advertising or unspecified “measurement purposes.”
“We intentionally developed this code to honour people’s [Ask to track] choices on our platforms,” a Meta spokesperson said. “The code allows us to aggregate user data before using it for targeted advertising or measurement purposes.”
They added: “For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill.”
The tool Krause developed isn’t foolproof. He admits it can’t detect all possible JavaScript commands being executed, and mentions that JavaScript is also used in legitimate development and isn’t inherently malicious. He notes, “This tool can’t detect all JavaScript commands executed, as well as doesn’t show any tracking the app might do using native code (like custom gesture recognizers).” Still, this offers a user-friendly way for iOS users to check on their digital footprint across their favorite applications.
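To make the page-side view concrete, here is an added example (not Krause's code and not taken from InAppBrowser.com) of one way a website can notice that something is subscribing to taps and keystrokes: it wraps `addEventListener` and records what gets registered afterwards. The `watchListeners` and `sensitiveTypes` names, the list of event types and the `EventTarget` standing in for `document` are all assumptions made for this sketch, which also shows the blind spot described above: anything registered before the hook is installed, or done in native code, never appears in the report.

```javascript
// Event types that reveal taps, typing or text selection (constructed list).
const SENSITIVE = new Set(["click", "touchstart", "keydown", "keypress",
                           "keyup", "input", "selectionchange"]);

// Wrap target.addEventListener so that later registrations are recorded.
// Returns a function that restores the original method.
function watchListeners(target, report) {
  const original = target.addEventListener;
  target.addEventListener = function (type, listener, options) {
    report.push({ type, sensitive: SENSITIVE.has(type) });
    return original.call(this, type, listener, options); // stay transparent
  };
  return () => { target.addEventListener = original; };
}

// Summarise a report: which sensitive event types were subscribed to?
function sensitiveTypes(report) {
  const hits = report.filter((r) => r.sensitive).map((r) => r.type);
  return [...new Set(hits)].sort();
}

// Constructed demo: an EventTarget stands in for `document`, and the calls
// below stand in for a script injected by a hypothetical host app.
function demo() {
  const doc = new EventTarget();
  // Registered BEFORE the hook exists: the page never sees this one.
  doc.addEventListener("keydown", () => {});

  const report = [];
  const restore = watchListeners(doc, report);
  let fired = 0;
  doc.addEventListener("keypress", () => {});
  doc.addEventListener("click", () => { fired += 1; });
  doc.addEventListener("load", () => {}); // recorded, but not sensitive
  doc.dispatchEvent(new Event("click"));  // wrapped listeners still run
  restore();

  return { seen: report.length, sensitive: sensitiveTypes(report), fired };
}

console.log(demo());
```
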
Krause has also made the tool open source, stating, “InAppBrowser.com is designed for everybody to verify for themselves what apps are doing inside their in-app browsers. I have decided to open source the code used for this analysis, you can check it out on GitHub. This allows the community to update and improve this script over time.” You can read more about it on his website.
Update August 19th, 3:34PM ET: Added response from TikTok.
The college student who ran the now-banned @ElonJet Twitter account that used public information to track Elon Musk’s private jet has resumed his activities on Twitter under a new username. As noted by Insider, Jack Sweeney, 20, has created a new account called @ElonJetNextDay — which now tracks Musk’s private jet with a 24-hour delay to circumvent Twitter policy restrictions.
Sweeney’s original ElonJet account was suspended from the platform last week following accusations from Musk that it violated Twitter rules by revealing his live location. Twitter updated its policy to forbid publishing a person’s real-time location on the same day it suspended ElonJet. Sweeney said in an interview with Insider that he will be “posting manually” for now while he works on the framework to fully automate the account.
Musk tweeted on December 15th that “Posting locations someone traveled to on a slightly delayed basis isn’t a safety problem, so is ok.” Twitter also explicitly states that “sharing publicly available location information after a reasonable time has elapsed, so that the individual is no longer at risk for physical harm” is not a violation of platform rules. Elsewhere in the policy, it notes that its definition of “live” location data means someone’s real-time or same-day whereabouts.
Most commercial and private aircraft are equipped with Automatic Dependent Surveillance-Broadcast technology (ADS-B) that transmits a unique code (tied to the airplane’s tail number) containing information such as altitude and GPS location. This information is publicly available and aircraft flying in the USA and Europe are required to broadcast it in order to prevent midair collisions.
In a statement back in November, Musk said he would not ban the original ElonJet account as part of his “commitment to free speech” despite claiming it was a “direct personal safety risk.” The automated ElonJet account posted publicly available information regarding the location of Musk’s 2015 Gulfstream G650ER, and had amassed over 540,000 followers before it was permanently banned on December 14th. Musk previously offered Sweeney $5,000 to have the account taken down.
Early in November, Twitter’s roughly 7,500 employees received a terse email from a generic address: “In an effort to place Twitter on a healthy path, we will go through the difficult process of reducing our global work force.” The note was signed “Twitter.” On Nov. 3, some people at the company received emails indicating they would be laid off the next day.
That night, Ms. Solomon, her husband and a few colleagues headed to Dots Cafe Portland, a lounge on Clinton Street. Phones were on the table, face up, she said. As the work friends talked, they tapped away at their phones, taking part in chats on the Signal app with colleagues in London, Seattle and San Francisco. Messages like “I got hit” were flying across screens, Ms. Solomon recalled. “You were seeing your co-workers drop like flies,” she said.
By the next afternoon her team of about 10 engineers was reduced to four. Ms. Solomon and her husband had survived the round of layoffs. The next week, she recalled, she awaited further direction from Mr. Musk or the new executive team. Nothing came, she said, except for an email alerting employees that remote work would no longer be permitted, with few exceptions.
Many employees learned of Mr. Musk’s priorities by watching his Twitter feed, where he posted frequently about company business to his more than 100 million followers. On Nov. 5, he complained about the platform’s search function: “Search within Twitter reminds me of Infoseek in ’98! That will also get a lot better pronto,” he wrote. That same day, he tweeted: “Twitter will soon add ability to attach long-form text to tweets, ending absurdity of notepad screenshots.”
That was more than Ms. Solomon and many of her colleagues had heard internally. “Radio silence,” she said. She began to vent her frustration on Twitter.
One of her first tweets in this vein came on Nov. 6, shortly after Mr. Musk announced a new rule for Twitter users in a tweet: “Any name change at all will cause temporary loss of verified checkmark,” he wrote. He had posted that message after many people on Twitter had changed their names to variations on Mr. Musk’s name, most of them mocking.
Apple has removed the option to upgrade to the new HomeKit architecture on devices running iOS 16.2. The change follows multiple reports of issues and problems with the Home app after the upgrade was installed.
Apple spokesperson Emily Ewing confirmed the change in a statement provided to The Verge:
“We are aware of an issue that may impact the ability for users to share the Home within the Home app. A fix will be available soon. In the meantime, we’ve temporarily removed the option to upgrade to the new Home architecture. Users who have already upgraded will not be impacted.”
The new Home app architecture was one of the key features of iOS 16.2, with Apple claiming that the upgrade would be “more reliable and efficient.” MacRumors first discovered this week that the Home app in iOS 16.2 no longer offers the option to upgrade to the new architecture within the Home app settings. Several reporters at The Verge have also confirmed that the upgrade option is unavailable on their devices.
The new architecture was first introduced in the iOS 16.2 beta back in October as an optional upgrade before the iOS 16.2 public release on December 13th. Both the beta and public release required Apple devices logged into iCloud to be running the latest versions of iOS, macOS, and tvOS. The upgrade does not happen automatically when iOS 16.2 is installed on a phone, instead requiring a manual process through the Home app.
The update has caused issues with missing devices and adding multiple users for some
Reddit users who downloaded the optional upgrade prior to its removal have reported issues such as the app booting other members from a Home account and being unable to re-add them. Users on the MacRumors forum have reported being unable to invite users to share the Home, HomeKit devices being stuck displaying an “updating” status, and some accessories vanishing from the Home app entirely. Users who have already upgraded are unable to revert to the previous version of the app.
Update, December 23rd, 2022, 2:15PM ET: Added confirmation and statement from Apple spokesperson. Added links to Apple’s updated support pages.