Instagram and Facebook's iOS in-app browsers can monitor users' interactions with any website, report

The practice would violate the App Tracking Transparency policy set out by Apple

According to a recent investigation, Facebook and Instagram's in-app browsers on iOS can monitor user activity with websites without the user's knowledge.

Meta-owned Facebook and Instagram both use their own in-app browsers on iOS, rather than the one provided by Apple for third-party applications, claims software developer and Fastlane founder Felix Krause.

The majority of third-party apps load webpages using Apple's Safari browser, while Facebook and Instagram go a different way and utilise their own in-app browser to do it.

According to Krause, Instagram and Facebook inject a tracking JavaScript code known as 'Meta Pixel' into each linked website using their custom-built browser, which is still based on WebKit.

Using the code, Meta can secretly observe all user interactions and activities without their consent, the analysis claimed.

Meta Pixel is a snippet of code that can be embedded on a third-party website to track users' activities as they browse the website. Each page a person views, the buttons they click, and the details they enter into the portal may all be tracked and recorded by Meta Pixel.

"This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap," Krause says in his blog.

"The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers."

This practice violates the App Tracking Transparency (ATT) policy set out by Apple. The policy, which was introduced with iOS 14.5, requires that apps get users' consent before tracking their data across third-party applications. Meta claims the policy has cost it billions in lost advertising revenue.

Krause said that he informed Meta about the issue through their Bug Bounty Programme. Meta acknowledged the problem, but otherwise did not respond within two weeks, so Krause decided to go public.

While he doesn ' t have a list of specific data that Instagram sends back to its parent company, he claims to "have proof that the Instagram and Facebook app actively run JavaScript commands to inject an additional JS SDK without the user ' s consent, as well as tracking the user ' s text selections."

He continues: "If Instagram is doing this already, they could also inject any other JS code. The Instagram app itself is well protected against human-in-the-middle attacks, and only by modifying the Android binary to remove certificate pinning and running it in a simulator, I was able to inspect some of its web traffic."

This finding follows a recent class action lawsuit against Meta in the United States, which alleged that the company is illegally collecting patients' sensitive health information for targeted advertising.

According to the complaint, websites of 33 of the top 100 hospitals in the US, as well as, password-protected web portals of seven healthcare systems have included Meta's Pixel monitoring tool, which gathers patients' data and shares it with Facebook, in violation of state and federal regulations.

Update 12th August 2022 - Since posting this article, Meta has contacted Computing to share the below comment from a spokesperson:

"These claims are false and misrepresent how Meta's in-app browser and Pixel work. We intentionally developed this code to honor people's App Tracking Transparency choices on our platforms."