The potential of these injections includes accessing browsing history, logging behavior characteristics to derive interests, logging taps and key presses, monitoring screenshot actions, and even capturing passwords entered into login forms.
The revelations shook the communities of popular apps that feature embedded browsers, so to help users determine what their app’s in-app browser is doing, Krause released the ‘InAppBrowser’ online tool and open-sourced its code.
How to use InAppBrowser
To find if an app demonstrates potentially suspicious behavior, open the tool’s website (inappbrowser.com) through the app’s built-in browser.
For social media apps, post the link to https://InAppBrowser.com publicly and try to open it with the in-app browser. For messenger apps, send the link to yourself via DM and open it through the app’s browser.
Clean test results when using Robinhood’s in-app browser (Source: krausefx.com)
Similarly, reports of code injection don’t necessarily mean that the app is performing tracking activities but merely that the potential for abuse is present.
“There is no way for us to know the full details on what kind of data each in-app browser collects, or how or if the data is being transferred or used.”
Further tests by BleepingComputer also showed that you could use the tool to find risky code injections created by extensions in desktop browsers.
When testing the tool with Chrome extensions installed, like the Phantom or Metamask cryptocurrency wallets, the InAppBrowser site detected various privacy-related code injections, shown below.
Desktop injections caused by Chrome cryptocurrency wallets (Source: BleepingComputer)
The last alert in red in the image above was caused by the Phantom extension and not by MetaMask.
As the tool was not designed to analyze browser extensions, BleepingComputer reached out to Krause to learn if these results were reliable.
Findings and dispute
The researcher claims to have found risky behavior on TikTok, Instagram, Facebook, and Messenger, while Snapchat and Robinhood came out clean in the tests.
Test results on various apps (Source: krausefx.com)
For TikTok in particular, Krause found scripts that monitor keyboard input and screen taps. While there is no indication that TikTok abuses this ability, the researcher warns that it could be abused to gather sensitive information like passwords and credit card inputs.
TikTok’s test results on InAppBrowser (Source: krausefx.com)
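As an added illustration (not Krause’s tool, TikTok’s code, or any app vendor’s), the script below shows the two signals such a check looks for on a loaded page: script elements the page itself never shipped, including inline ones that hook keyboard and touch events, and native DOM APIs that have been replaced by JavaScript wrappers. The allowlist, the sample document and the wrapped function are constructed so it runs offline in Node.

```javascript
// Added example, not code from InAppBrowser.com or any app vendor: audits a
// page for the two injection signals discussed above. The allowlist and the
// sample "document" are constructed so the check runs offline in Node.

const EXPECTED_SCRIPTS = new Set(["https://example.com/app.js"]); // constructed allowlist
const INPUT_EVENTS = "keydown|keyup|keypress|input|touchstart|touchend|click";

// An unmodified browser built-in stringifies to "function x() { [native code] }".
// A wrapper installed by injected JavaScript does not, even when it forwards the
// call. Limitation: a wrapper that also patches Function.prototype.toString can
// hide from this test, so treat a clean result as "nothing obvious", not proof.
function isNative(fn) {
  return typeof fn === "function" &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// doc: { scripts: [{ src, text }], apis: { "<name>": fn } }
function auditPage(doc) {
  const findings = [];
  for (const s of doc.scripts) {
    if (s.src) {
      if (!EXPECTED_SCRIPTS.has(s.src)) findings.push({ kind: "unexpected-script", detail: s.src });
    } else if (s.text && s.text.trim()) {
      // Inline script the page never shipped: note which input events it hooks.
      const re = new RegExp(`addEventListener\\(\\s*['"](${INPUT_EVENTS})['"]`, "g");
      const hooks = new Set([...s.text.matchAll(re)].map(m => m[1]));
      findings.push({ kind: "inline-script",
        detail: hooks.size ? `hooks ${[...hooks].join(",")}` : "no input hooks" });
    }
  }
  for (const [name, fn] of Object.entries(doc.apis)) {
    if (!isNative(fn)) findings.push({ kind: "wrapped-api", detail: name });
  }
  return findings;
}

// Constructed sample resembling what an in-app browser might leave behind.
function sampleInAppDocument() {
  function wrappedFetch(...args) { return fetch(...args); } // constructed JS wrapper
  return {
    scripts: [
      { src: "https://example.com/app.js", text: "" },
      { src: "", text: "document.addEventListener('keydown', e => send(e.key));\n" +
                       "document.addEventListener('touchstart', () => send('tap'));" },
    ],
    // Date.now stands in for an untouched native API (constructed stand-in).
    apis: { "EventTarget.prototype.addEventListener": Date.now, "window.fetch": wrappedFetch },
  };
}

if (typeof document === "undefined") console.log(auditPage(sampleInAppDocument()));
```

In a real browser the same `auditPage` can be fed `[...document.scripts].map(s => ({ src: s.src, text: s.text }))` and the live `EventTarget.prototype.addEventListener` and `window.fetch`; the page-side version only lacks the constructed sample.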
A TikTok spokesperson shared the following statement with Bleeping Computer, saying that the company does not use these scripts to collect keystroke or text inputs.
“The report’s conclusions about TikTok are incorrect and misleading.
Contrary to the report’s claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring.” – TikTok.
Hence, TikTok admits that the code is there but underscores that it’s used solely to improve the user experience, not to track or breach users’ privacy.
Additionally, TikTok told Bleeping Computer that it does not track users everywhere they go on the web, but that the company may receive limited data from advertisers about what its users do on third-party apps and websites in order to provide effective advertising solutions.
Bleeping Computer has also requested a comment from Facebook/Meta on the reported findings, but we have not received a response yet.