New tool checks if in-app mobile browsers inject risky code on sites

A new online tool named ‘InAppBrowser’ lets you analyze the behavior of in-app browsers embedded within mobile apps and determine if they inject privacy-threatening JavaScript into websites you visit.

The tool was created by developer Felix Krause who warned of this potentially risky behavior earlier in the month, explaining how easy it would be for in-app browsers to track anything the users see and do online by injecting JavaScript trackers on every web page they visit.

Injected scripts of this kind could access browsing history, log behavioral characteristics to derive interests, log taps and key presses, monitor screenshot actions, and even capture passwords entered into login forms.

The revelations shook the communities of popular apps that feature embedded browsers, so to help users check what their apps’ built-in browsers actually do, Krause released the ‘InAppBrowser’ online tool and open-sourced its source code.

How to use InAppBrowser

To find if an app demonstrates potentially suspicious behavior, open the tool’s website (inappbrowser.com) through the app’s built-in browser.

For social media apps, post the link to https://InAppBrowser.com publicly and try to open it with the in-app browser. For messenger apps, send the link to yourself via DM and open it through the app’s browser.

These simple steps are enough to generate a report on JavaScript injections added to the websites by the app’s browser. However, it is essential to clarify that reports of no detections don’t mean that code injection can be excluded with certainty.

Clean test results when using Robinhood’s in-app browser (Source: krausefx.com)

“This tool can’t detect all JavaScript commands executed, as well as doesn’t show any tracking the app might do using native code (like custom gesture recognizers),” explains Krause in his writeup.

Similarly, reports of code injection don’t necessarily mean that the app is performing tracking activities but merely that the potential for abuse is present.

“Just because an app injects JavaScript into external websites doesn’t mean the app is doing anything malicious,” clarifies the report.

“There is no way for us to know the full details on what kind of data each in-app browser collects, or how or if the data is being transferred or used.”

Further tests by BleepingComputer also showed that you could use the tool to find risky code injections created by extensions in desktop browsers.

When testing the tool with Chrome extensions installed, like the Phantom or Metamask cryptocurrency wallets, the InAppBrowser site detected various privacy-related code injections, shown below.

Desktop injections caused by Chrome cryptocurrency wallets (Source: BleepingComputer)

The last alert in red in the image above was caused by the Phantom extension and not by MetaMask.

Furthermore, browser extensions work by injecting JavaScript into websites you visit, so detections for many extensions would not be unusual. However, our tests showed that many extensions did not generate any warnings with the tool.

As the tool was not designed to analyze browser extensions, BleepingComputer reached out to Krause to learn if these results were reliable.
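As an added illustration, not code from Krause’s InAppBrowser tool nor anything BleepingComputer ran, the Node.js script below shows the two kinds of signal a page can look for from inside itself, whether the JavaScript was added by an app’s embedded browser (the procedure described above) or by a desktop browser extension (the tests described above): script elements that did not come from the site’s own origins, and engine-provided functions that have been replaced by JavaScript wrappers. The HTML snapshot, the first-party origin list, the `tracker.invalid` hostname and the tampered function map are all constructed for the example, and the regex-based script extraction stands in for walking `document.scripts` in a real browser. It also makes the article’s caveat concrete: tampering done by native code, or a script that also overrides `Function.prototype.toString`, leaves no trace for either check.

```javascript
// Added example (not the InAppBrowser tool's own code). Two heuristics a
// page can apply to itself to spot JavaScript added by an embedding
// in-app browser or a browser extension. Node.js has no DOM, so the
// "page" is a constructed HTML string and scripts are pulled out by regex.

// Origins the (hypothetical) site legitimately loads scripts from.
const FIRST_PARTY_ORIGINS = ["https://example.com", "https://static.example.com"];

// Collect every <script> element: its src attribute (or null) and inline body.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ src: srcMatch ? srcMatch[1] : null, body: m[2].trim() });
  }
  return scripts;
}

// Signal 1: external scripts from origins the site does not own, and
// inline scripts that wire up keyboard/touch listeners. A hit is a reason
// to look closer, not proof of tracking.
const INPUT_EVENT_RE = /\b(keydown|keypress|keyup|input|touchstart|touchend)\b/;

function findSuspiciousScripts(html, allowedOrigins = FIRST_PARTY_ORIGINS) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src !== null) {
      let origin;
      try {
        // Relative URLs resolve against the page's own origin.
        origin = new URL(s.src, allowedOrigins[0]).origin;
      } catch {
        origin = "invalid";
      }
      if (!allowedOrigins.includes(origin)) {
        findings.push({ kind: "third-party-script", detail: s.src });
      }
    } else if (INPUT_EVENT_RE.test(s.body)) {
      findings.push({ kind: "inline-input-listener", detail: s.body.slice(0, 60) });
    }
  }
  return findings;
}

// Signal 2: engine-provided functions stringify to "[native code]". A
// JavaScript wrapper installed over one of them exposes its own source
// instead. Bound functions also report "[native code]", and a script that
// overrides Function.prototype.toString defeats this check entirely.
const nativeToString = Function.prototype.toString;

function isNative(fn) {
  return typeof fn === "function" &&
    /\{\s*\[native code\]\s*\}\s*$/.test(nativeToString.call(fn));
}

// Given a map of name -> function taken from the live page, return the
// names whose implementation is no longer native.
function findWrappedNatives(targets) {
  return Object.keys(targets).filter((name) => !isNative(targets[name]));
}

// Constructed sample page: one first-party script, one from an unknown
// host, and one inline script that listens to keystrokes.
const SAMPLE_PAGE = `<!doctype html><html><head>
<script src="/app.js"></script>
<script src="https://tracker.invalid/inject.js"></script>
<script>document.addEventListener("keydown", e => send(e.key));</script>
</head><body></body></html>`;

// Constructed stand-ins for a page's native APIs, clean and tampered.
const CLEAN_NATIVES = { parse: JSON.parse, random: Math.random };
const TAMPERED_NATIVES = {
  parse: JSON.parse,
  random: function random() { return 4; }, // wrapper replacing the builtin
};

// Run both checks over the constructed inputs and return the report.
function auditSample() {
  return {
    scripts: findSuspiciousScripts(SAMPLE_PAGE),
    wrapped: findWrappedNatives(TAMPERED_NATIVES),
  };
}

console.log(JSON.stringify(auditSample(), null, 2));
```

Run with `node inject-check.js`; the report lists the `tracker.invalid` script, the inline keystroke listener, and `random` as the one wrapped builtin. An empty report is exactly as inconclusive as the article says the tool’s clean result is: the allowlist has to be right, the event-name regex is a coarse heuristic, and anything done outside the page’s JavaScript is invisible to it.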

Findings and dispute

The researcher claims to have found risky behavior on TikTok, Instagram, Facebook, and Messenger, while Snapchat and Robinhood came out clean in the tests.

Test results on various apps (Source: krausefx.com)

For TikTok in particular, Krause found scripts that monitor keyboard input and screen taps. While there is no indication that TikTok abuses this ability, the researcher warns that it could be abused to gather sensitive information like passwords and credit card inputs.

TikTok’s test results on InAppBrowser (Source: krausefx.com)

A TikTok spokesperson shared the following statement with Bleeping Computer, saying that the company does not use these scripts to collect keystrokes or text inputs.

“The report’s conclusions about TikTok are incorrect and misleading.

The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects.

Contrary to the report’s claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring.” – TikTok.

Hence, TikTok admits that the code is there but underscores that it’s used solely to improve the user experience, not to track or breach users’ privacy.

Additionally, TikTok told Bleeping Computer that it does not track users everywhere they go on the web, but the company may receive limited data from advertisers about what its users do on third-party apps and websites for providing effective advertising solutions.

Bleeping Computer has also requested a comment from Facebook/Meta on the reported findings, but we have not received a response yet.
