A new analysis of the Instagram app claims that every time a user clicks on a link in the app, Instagram can monitor all of their interactions, text selections, and even text input, such as passwords and private credit card information, on websites opened inside the app.
The analysis, conducted by Felix Krause, found that Instagram and Facebook on iOS use their own in-app browser, rather than the one provided by Apple for third-party apps. Most apps use Apple’s Safari for loading websites, but Instagram and Facebook use their own in-app browsers to load websites within the app.
This allows Instagram to monitor everything related to external websites without the consent of the user or the website provider.
The Instagram app injects its tracking code into all websites that are displayed, including ads, and it can monitor all user interactions, such as clicks, link taps, text selections, images, and other inputs, such as passwords, addresses, and credit card numbers.
According to Krause, it takes more effort for companies like Meta to develop and maintain their own in-app browser than to use Apple’s built-in Safari. On its developer portal, Meta says “Meta Pixel” is designed to “monitor visitor activity on your website” by monitoring all the activities that the user performs in their browser. There is no evidence that Meta, which owns Instagram, has actually collected as much user data as it could. Krause writes:
Is Facebook stealing my passwords, addresses and credit card numbers? No! I haven’t tested the exact data that Instagram is tracking, but I wanted to show you the types of data that they can do without you knowing. As previously mentioned, if a company can access data for free, without asking the user for permission, they will follow.
However, this practice violates Apple’s App Tracking Transparency (ATT) policy. ATT requires all apps to ask for users’ consent before tracking them across apps and websites owned by other companies.
Meta has often pushed back against Apple’s goal of letting users choose whether they want to be tracked or not. In December 2020, Meta published a full-page newspaper ad attacking Apple for the change. According to Krause, he shared his findings with Meta, who responded by saying they had confirmed the “issue” but had yet to respond further. According to Krause, he gave Meta two weeks’ notice before deciding to share his findings.