
Meta iOS apps accused of injecting code into third-party websites

Company insists it's doing so 'to honor people’s App Tracking Transparency (ATT) choices'

Meta's Instagram and Facebook apps on iOS devices have been injecting JavaScript code into third-party websites from their custom in-app browser, gaining access to data that would be unavailable were those pages loaded in a stand-alone, WebKit-based iOS browser.

In-app browsers – implemented in native Android and iOS code using a component called a WebView – allow native app users to interact with websites without leaving their apps and opening free-standing browser applications. For this purpose, iOS offers WKWebView, part of the WebKit framework, and the more recent (and more privacy protecting) SFSafariViewController, part of the SafariServices framework.

Meta's apps rely on WKWebView, the more capable and customizable of the two options, both of which represent alternatives to opening web links in the iOS version of Safari.

"This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap," explained developer Felix Krause, founder of fastlane.tools, in a blog post exploring the privacy implications of Meta's apps.

These risks include inconveniences, like not having user login session data available (requiring further authentication during transactions), and not having access to mobile browser extensions like password managers. There are also security and privacy concerns that follow from any injected code – it could potentially read the contents of any web page in which it runs, alter ad identifiers, grab credentials, and so on.

There's no indication the injected script (pcm.js) does so. If you trust Meta, you should have no concern that its script might be revised with more pernicious functions. Meta maintains that the JavaScript code its apps add to websites helps aggregate events like online purchases for targeted advertising and analytics.
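As an added example, not code from the article, Meta or Krause: a website-side check, written for a site's own front end, that flags script elements whose origin is not on the site's allowlist, which is how a script injected by an in-app browser appears in the page's DOM. The origins, file names and the host of the injected script in the sample are constructed placeholders.

```javascript
// Added example, not the article's or Meta's code. Website-side check: flag <script>
// elements whose origin is not on the site's own allowlist, which is how a script
// injected by an in-app browser would show up in document.scripts.
// Caveat: code run through WKWebView's evaluateJavaScript or a WKUserScript leaves no
// <script> element behind, so this only catches element-based injection.

// scripts: array of { src } as taken from document.scripts. Relative src values are
// resolved against `base` (defaults to the first allowed origin, assumed to be the site).
function classifyScripts(scripts, allowedOrigins, base = allowedOrigins[0]) {
  const allowed = new Set(allowedOrigins);
  const foreign = [];
  let inline = 0;
  for (const s of scripts) {
    if (!s.src) { inline += 1; continue; }       // inline script, no origin to check
    let origin;
    try { origin = new URL(s.src, base).origin; }
    catch (_) { foreign.push(s.src); continue; } // unparsable src: treat as suspicious
    if (!allowed.has(origin)) foreign.push(s.src);
  }
  return { foreign, inline };
}

// Live-page hook: report every <script> added after load (injected code usually arrives
// after the initial HTML). Guarded so the module also loads outside a browser.
function watchForInjectedScripts(allowedOrigins, report) {
  if (typeof document === "undefined" || typeof MutationObserver === "undefined") return null;
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeName !== "SCRIPT") continue;
        const { foreign } = classifyScripts([{ src: node.src }], allowedOrigins);
        report({ src: node.src || null, inline: !node.src, foreign: foreign.length > 0 });
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed sample of what document.scripts might hold inside an in-app WebView.
const SITE_ORIGINS = ["https://www.example.com", "https://cdn.example.com"];
const sampleScripts = [
  { src: "https://www.example.com/app.js" },
  { src: "/js/local.js" },                            // relative: resolves to the site
  { src: "https://cdn.example.com/vendor.js" },
  { src: "https://injected-host.invalid/pcm.js" },   // constructed stand-in for injected script
  { src: "" },                                       // the site's own inline bootstrap
];
console.log(classifyScripts(sampleScripts, SITE_ORIGINS));
```

In a real deployment the `report` callback would post the finding to the site's own telemetry endpoint rather than log it.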

"The code in question allows us to respect people's privacy choices by helping aggregate events (such as making a purchase online) from pixels already on websites, before those events are used for advertising or measurement purposes," said Andy Stone, communications director at Meta, via Twitter.

Krause, in his analysis of the code injection performed by the iOS Instagram and Facebook apps, revisited concerns he and other web developers have expressed numerous times in recent years.

Krause in fact filed a bug report with Apple about this in 2018. "Allowing apps to show third-party web content in an in-app web view (WKWebView) introduces a major security and privacy risk for iOS users," he wrote in a submission to Apple's private Radar bug tracking system and the public Open Radar site created because of Apple's peevish insistence on secrecy.

Privacy, we've heard of it

The problem, as web developers see it, is that Meta's apps undermine web privacy expectations and the browser choices made by iOS users, limited though such choices may be by Apple's now uncertain WebKit rule.

"In-App Browsers should not be allowed to subvert a user's choice of browser," said Open Web Advocacy, a group challenging anticompetitive web practices, via Twitter. "Both Apple and Google should enforce this from an OS level. OWA is advocating for users to be given control over what happens when they tap a link no matter what the app is."

Meta insists Krause has misunderstood its web page injection. "We intentionally developed this code to honor people’s App Tracking Transparency (ATT) choices on our platforms," a Meta spokesperson told The Register in an email. "The code allows us to aggregate data before it is used for targeted advertising or measurement purposes."

Apple's App Tracking Transparency, a privacy feature introduced last year that requires user consent for ad-related tracking, is expected to cost Meta $10 billion in ad revenue in 2022. So you can imagine how enthusiastic Meta is to comply.

It's also worth noting that, in its eagerness to respect people's privacy decisions, Meta's Instagram and Facebook apps on iOS provide no way to opt out of the ostensibly privacy-honoring code injection.

"The real scandal regarding FB's In-App 'Browser' isn't the extra tracking, it's the subversion of browser choice," said Alex Russell, a Microsoft Edge partner program manager, via Twitter. "I'm sure it's totally coincidental that this also has the effect of removing tracker blocking that real browsers might apply."

The Register asked Meta's spokesperson to elaborate on how injecting code in a custom in-app browser to assess user tracking preferences can be said to "honor people's [ATT] choices" when simply opening web pages in users' preferred browser or with the help of Apple's SFSafariViewController would do so more efficiently.

We've not heard back. ®
