new tool checks if a mobile app's browser is a privacy risk

A new online tool named ‘InAppBrowser’ lets you analyze the behavior of in-app browsers embedded within mobile apps and determine if they inject privacy-threatening JavaScript into websites you visit.

The tool was created by developer Felix Krause who warned of this potentially risky behavior earlier in the month, explaining how easy it would be for in-app browsers to track anything the users see and do online by injecting JavaScript trackers on every web page they visit.

Such injections could be used to access browsing history, log behavioral characteristics to derive interests, log taps and key presses, monitor screenshot actions, and even capture passwords entered into login forms.

The revelations shook the communities of popular apps that feature embedded browsers, so to help users check what their app’s browser actually does, Krause released the ‘InAppBrowser’ online tool and open-sourced its source code.

How to use InAppBrowser

To find if an app demonstrates potentially suspicious behavior, open the tool’s website (inappbrowser.com) through the app’s built-in browser.

For social media apps, post the link to https://InAppBrowser.com publicly and try to open it with the in-app browser. For messenger apps, send the link to yourself via DM and open it through the app’s browser.

These simple steps are enough to generate a report on JavaScript injections added to the websites by the app’s browser. However, a report with no detections does not mean that code injection can be ruled out with certainty.
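To make the kind of check the article describes concrete, here is an added example in JavaScript. It is not the code of inappbrowser.com or of Krause’s open-source project; it is a small audit of the two injection signals the article talks about: script elements the site itself did not ship, and native browser functions that have been replaced by JavaScript wrappers (which is how injected code can observe taps and key presses). The functions take plain data so the block runs under Node on the constructed snapshot embedded below; in a real page you would build the inputs from `document.scripts` and from `Function.prototype.toString`. The origin `https://example.org`, the host `cdn.example.org` and the sample script text are all constructed for the example.

```javascript
// Added example, not code from inappbrowser.com or Felix Krause's project.
// Audits two signals of in-app-browser injection:
//   1. <script> elements the site did not ship (inline code or a foreign origin);
//   2. native browser functions replaced by JavaScript wrappers.

// Constructed: the origins the audited site legitimately loads scripts from.
const KNOWN_FIRST_PARTY = ['https://example.org'];

function scriptOrigin(src) {
  try { return new URL(src).origin; } catch (e) { return null; }
}

// scripts: [{ src, text }] where src is '' for an inline script.
// Inline scripts are the usual injection vehicle, so each one is reported
// with a short preview; external scripts are reported when their origin is
// not on the first-party list.
function auditScripts(scripts, firstParty = KNOWN_FIRST_PARTY) {
  const findings = [];
  for (const s of scripts) {
    if (!s.src) {
      findings.push({ kind: 'inline-script', preview: (s.text || '').slice(0, 60) });
    } else {
      const origin = scriptOrigin(s.src);
      if (!origin || !firstParty.includes(origin)) {
        findings.push({ kind: 'foreign-script', src: s.src, origin });
      }
    }
  }
  return findings;
}

// snapshot: { 'EventTarget.prototype.addEventListener': '<result of .toString()>', ... }
// A genuine native function stringifies to "function name() { [native code] }";
// a JavaScript wrapper does not, so a missing "[native code]" marker means the
// function has been replaced. Function.prototype.toString can itself be
// patched, which is one reason a clean report is not proof of absence.
function auditNatives(snapshot) {
  const findings = [];
  for (const [name, source] of Object.entries(snapshot)) {
    if (!/\[native code\]/.test(source)) {
      findings.push({ kind: 'patched-native', name });
    }
  }
  return findings;
}

// Constructed snapshot standing in for what a page would collect in a browser:
// one first-party bundle, one inline script the site did not ship, one script
// from a different host, and one DOM function that has been wrapped.
const SAMPLE_SCRIPTS = [
  { src: 'https://example.org/static/app.js', text: '' },
  { src: '', text: 'document.addEventListener("keydown", e => report(e.key));' },
  { src: 'https://cdn.example.org/lib.js', text: '' },
];
const SAMPLE_NATIVES = {
  'EventTarget.prototype.addEventListener': 'function addEventListener() { [native code] }',
  'Document.prototype.createElement': 'function () { return origCreate.apply(this, arguments); }',
};

// Runs both audits and returns the combined list of findings.
function runAudit(scripts = SAMPLE_SCRIPTS, natives = SAMPLE_NATIVES) {
  return [...auditScripts(scripts), ...auditNatives(natives)];
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of runAudit()) console.log(JSON.stringify(f));
}
```

On the constructed snapshot the audit reports the inline script, the script from `cdn.example.org` and the wrapped `createElement`, while the first-party bundle and the untouched `addEventListener` produce no finding. In a browser, the snapshot would be built from `Array.from(document.scripts).map(s => ({ src: s.src, text: s.textContent }))` and from calling `.toString()` on the functions you care about; as the article notes, none of this can see tracking done in native code outside the page.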

[Image: Clean test results when using Robinhood’s in-app browser. Source: krausefx.com]

“This tool can’t detect all JavaScript commands executed, as well as doesn’t show any tracking the app might do using native code (like custom gesture recognizers),” explains Krause in his writeup.

Similarly, reports of code injection don’t necessarily mean that the app is performing tracking activities but merely that the potential for abuse is present.

“Just because an app injects JavaScript into external websites doesn’t mean the app is doing anything malicious,” clarifies the report.

“There is no way for us to know the full details on what kind of data each in-app browser collects, or how or if the data is being transferred or used.”

Further tests by BleepingComputer also showed that you could use the tool to find risky code injections created by extensions in desktop browsers.

When testing the tool with Chrome extensions installed, like the Phantom or Metamask cryptocurrency wallets, the InAppBrowser site detected various privacy-related code injections, shown below.

[Image: Desktop injections caused by Chrome cryptocurrency wallets. Source: BleepingComputer]

The last alert in red in the image above was caused by the Phantom extension and not by MetaMask.

Furthermore, browser extensions work by injecting JavaScript into websites you visit, so detections for many extensions would not be unusual. However, our tests showed that many extensions did not generate any warnings with the tool.

As the tool was not designed to analyze browser extensions, BleepingComputer reached out to Krause to learn if these results were reliable.

Findings and dispute

The researcher claims to have found risky behavior on TikTok, Instagram, Facebook, and Messenger, while Snapchat and Robinhood came out clean in the tests.

[Image: Test results on various apps. Source: krausefx.com]

For TikTok in particular, Krause found scripts that monitor keyboard input and screen taps. While there is no indication that TikTok abuses this ability, the researcher warns that it could be abused to gather sensitive information like passwords and credit card inputs.

[Image: TikTok’s test results on InAppBrowser. Source: krausefx.com]

A TikTok spokesperson shared the following statement with Bleeping Computer stating that they do not use these scripts to collect keystroke or text inputs.

“The report’s conclusions about TikTok are incorrect and misleading.

The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects.

Contrary to the report’s claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring.” – TikTok.

Hence, TikTok admits that the code is there but underscores that it’s used solely to improve the user experience, not to track or breach users’ privacy.

Additionally, TikTok told Bleeping Computer that it does not track users everywhere they go on the web, but the company may receive limited data from advertisers about what its users do on third-party apps and websites for providing effective advertising solutions.

Bleeping Computer has also requested a comment from Facebook/Meta on the reported findings, but we have not received a response yet.
