Meta iOS apps accused of injecting code into websites • The Register


Meta’s Instagram and Facebook apps on iOS inject JavaScript into third-party websites loaded in their custom in-app browser, giving the apps access to data that would not be available if those pages were opened in a standalone WebKit-based iOS browser.

In-app browsers – implemented in native Android and iOS code using a component called WebView – let users interact with websites without leaving the app for a standalone browser. To that end, iOS offers WKWebView, which is part of the WebKit framework, and the newer (and more privacy-protecting) SFSafariViewController, which is part of the SafariServices framework.

Meta’s apps rely on WKWebView, the more capable and customizable of the two options, both of which are alternatives to opening web links in the iOS version of Safari.

“This brings various risks to the user, as the host application can track every interaction with external websites, from all form inputs such as passwords and addresses to every click,” developer Felix Krause, founder of fastlane.tools, explained in a blog post exploring the privacy implications of Meta’s applications.

These risks include inconvenience, such as not having the user’s existing login sessions available (requiring additional authentication during transactions) and not having access to mobile browser extensions like password managers. There are also security and privacy issues that arise from any injected code: it could potentially read the content of any web page it runs in, change ad IDs, enter credentials, and so on.
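To make that risk concrete, here is an added example that is not code from The Register, from Krause’s analysis or from Meta’s pcm.js. It models in plain Node (no DOM) what a script injected into an in-app web view can observe, because a user script runs in the same JavaScript world as the page’s own code, and one check a site can run on itself: listing `<script src>` entries whose origin the site never deployed. The element names, the sample scripts, the `tracker.example` origin and the allowlist are all constructed for the demo.

```javascript
// Added example: what an injected in-app-browser script can see, modelled in Node.
// Not from The Register article, Krause's blog or Meta's pcm.js. Names, sample
// scripts and the allowlist are constructed for the demo.

// Minimal stand-in for a DOM element: Node's built-in EventTarget plus a few fields.
class FakeElement extends EventTarget {
  constructor(tagName, attrs) {
    super();
    this.tagName = tagName;
    this.value = '';
    Object.assign(this, attrs);
  }
}

// What an injected user script can do: it runs in the same JavaScript world as
// the page, so it can read every input (passwords included) and every tap.
// `report` stands in for a message bridge back to the host app.
function installTracker(elements, report) {
  for (const el of elements) {
    el.addEventListener('input', (ev) => report({
      kind: 'input', name: ev.target.name, type: ev.target.type, value: ev.target.value,
    }));
    el.addEventListener('click', (ev) => report({ kind: 'click', name: ev.target.name }));
  }
}

// A check a site can run on itself: list scripts whose origin is not one the site
// deployed. Caveat: a user script's own body never appears as a <script> element,
// so this only catches injected code that loads further scripts by URL.
function unexpectedScripts(scripts, allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return scripts
    .filter((s) => s.src && !allowed.has(new URL(s.src).origin))
    .map((s) => s.src);
}

// Simulate a login page loaded in an in-app browser with the tracker installed.
function runDemo() {
  const user = new FakeElement('INPUT', { name: 'username', type: 'text' });
  const pass = new FakeElement('INPUT', { name: 'password', type: 'password' });
  const submit = new FakeElement('BUTTON', { name: 'login', type: 'submit' });
  const captured = [];
  installTracker([user, pass, submit], (e) => captured.push(e));

  // The user types credentials and taps the button; the tracker sees all of it.
  user.value = 'alice';
  user.dispatchEvent(new Event('input'));
  pass.value = 'correct horse battery staple';
  pass.dispatchEvent(new Event('input'));
  submit.dispatchEvent(new Event('click'));

  // Constructed list of <script src> values, as a page could enumerate from document.scripts.
  const scripts = [
    { src: 'https://shop.example/static/app.js' },
    { src: 'https://cdn.example/lib.js' },
    { src: 'https://tracker.example/pcm.js' }, // hypothetical injected loader
  ];
  const flagged = unexpectedScripts(scripts, ['https://shop.example', 'https://cdn.example']);
  return { captured, flagged };
}
```

Running `runDemo()` returns the password field’s full value among the captured events, which is the whole point: nothing the page does can refuse a listener installed by the host app. The `unexpectedScripts` check is only a partial mitigation for the reasons noted in the comment; the structural fix is the one the article returns to, rendering third-party pages in SFSafariViewController or the user’s chosen browser, where the host app cannot inject scripts at all.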

There is no indication that the injected script (pcm.js) does any of this. If you trust Meta, you need not worry that its script will one day be extended with more pernicious functions. Meta says the JavaScript its apps add to websites helps aggregate events like online purchases for targeted ads and analytics.

“The code in question allows us to respect people’s privacy choices by helping to group events (like making an online purchase) from pixels that are already on websites, before those events are used for any advertising or measurement purpose,” Andy Stone, communications director at Meta, said via Twitter.

Krause, in his analysis of the code injection performed by the Instagram and Facebook iOS apps, revisited concerns he and other web developers have repeatedly voiced in recent years.

Krause actually filed a bug report with Apple about this in 2018. “Allowing apps to display third-party web content in an in-app web view (WKWebView) introduces a major security and privacy risk for iOS users,” he wrote in a submission to Apple’s private Radar bug-tracking system and to the public Open Radar site, which was created in response to Apple’s sullen insistence on secrecy.

Privacy, we heard about it

The problem, web developers say, is that Meta’s apps undermine the web privacy expectations and browser choices of iOS users, though those choices are already constrained by Apple’s now uncertain rule that every iOS browser must be built on WebKit.

“In-app browsers should not be allowed to subvert a user’s browser choice,” said Open Web Advocacy, a group that challenges anti-competitive web practices, via Twitter. “Apple and Google should enforce this at the operating system level. OWA advocates for users to have control over what happens when they tap a link, regardless of the app.”

Meta insists that Krause misunderstood its web page injection. “We intentionally developed this code to honor people’s App Tracking Transparency (ATT) choices on our platforms,” a Meta spokesperson told The Register in an email. “The code allows us to aggregate the data before it is used for targeted advertising or measurement purposes.”

Apple’s App Tracking Transparency, a privacy feature introduced by Apple last year that requires user consent for ad-related tracking, is expected to cost Meta $10 billion in ad revenue in 2022. So you can imagine how keen Meta is to comply.

It’s also worth noting that in its eagerness to respect people’s privacy decisions, Meta’s Instagram and Facebook apps on iOS offer no way to opt out of ostensibly privacy-friendly code injection.

“The real scandal about FB’s in-app ‘browser’ isn’t the extra tracking, it’s the subversion of browser choice,” said Alex Russell, Microsoft Edge partner program manager, via Twitter. “I’m sure it’s totally a coincidence that this also has the effect of removing tracker blocking that real browsers might apply.”

The Register asked the Meta spokesperson to explain how injecting code into a custom in-app browser to gauge users’ tracking preferences can be considered “honoring people’s [ATT] choices” when simply opening web pages in the user’s preferred browser, or using Apple’s SFSafariViewController, would do this more directly.

We haven’t had a response. ®
