See What JavaScript Commands Get Injected Through an in-App Browser

Felix Krause, back in September:

Last week I published a report on the risks of mobile apps using in-app browsers. Some apps, like Instagram and Facebook, inject JavaScript code into third party websites that cause potential security and privacy risks to the user.

I was so happy to see the article featured by major media outlets across the globe, like The Guardian and The Register, generate over a million impressions on Twitter, and get ranked #1 on HackerNews for more than 12 hours. After reading through the replies and DMs, I saw a common question across the community:

“How can I verify what apps do in their webviews?”

Introducing, a simple tool to list the JavaScript commands executed by the iOS app rendering the page.

It’s pretty creepy that TikTok both injects JavaScript that captures every keystroke on third-party pages (a keylogger in all but name) and does not have a button to open the current page in Safari.
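The technique a tool like Krause’s relies on is simple enough to show in a few dozen lines. The following is an added example, not Krause’s InAppBrowser.com code and not part of this post: it wraps the DOM methods injected JavaScript is most likely to call (`addEventListener`, `createElement`, the query methods) and records every call made after the hooks go in. A listener registered for key or touch events after the page has loaded is flagged, since that is exactly the kind of injected hook being described. The stub `document`, the simulated injected script and the list of watched methods are all constructed for the demo so it runs outside a WebView (under Node, for instance); in a real page the hooks go on the real `document`.

```javascript
// Added example, not code from Krause's InAppBrowser.com or from this post.
// Wrap DOM methods that injected JavaScript is likely to call and record every
// call made after the hooks are installed. The stub document and the simulated
// injection below are constructed so the example runs outside a WebView.

// document methods injected code typically uses to observe or alter a page
// (an assumed list, not derived from any particular app's injection).
const WATCHED_METHODS = [
  'addEventListener',
  'createElement',
  'querySelector',
  'querySelectorAll',
  'getElementById',
];

// Event types whose listeners would see what the user types or taps.
const INPUT_EVENTS = new Set([
  'keydown', 'keyup', 'keypress', 'input',
  'click', 'touchstart', 'touchend',
]);

// Render one argument compactly for the log.
function describeArg(arg) {
  if (typeof arg === 'function') return '[function]';
  if (typeof arg === 'string') return JSON.stringify(arg);
  return Object.prototype.toString.call(arg);
}

// Replace each watched method on `target` with a wrapper that records the call
// and then forwards to the original. Returns the array the wrappers append to.
function installAudit(target, label) {
  const log = [];
  for (const name of WATCHED_METHODS) {
    const original = target[name];
    if (typeof original !== 'function') continue;
    target[name] = function (...args) {
      const entry = { target: label, method: name, args: args.map(describeArg), suspicious: false };
      // A key/touch listener registered after the page loaded is the kind of
      // injected hook the post describes.
      if (name === 'addEventListener' && INPUT_EVENTS.has(String(args[0]))) {
        entry.suspicious = true;
      }
      log.push(entry);
      return original.apply(this, args);
    };
  }
  return log;
}

// Format log entries as lines; suspicious ones are marked with "!!".
function formatLog(log) {
  return log.map(
    (e) => `${e.suspicious ? '!! ' : '   '}${e.target}.${e.method}(${e.args.join(', ')})`,
  );
}

// Constructed stand-in for the browser's document so the example runs offline.
function makeStubDocument() {
  return {
    listeners: [],
    addEventListener(type, fn) { this.listeners.push(type); },
    createElement(tag) { return { tagName: tag.toUpperCase() }; },
    querySelectorAll() { return []; },
  };
}

// Constructed stand-in for what an app's injected script might do:
// subscribe to key and tap events, probe for password fields, add an element.
function simulateInjectedScript(doc) {
  doc.addEventListener('keydown', () => {});
  doc.addEventListener('touchend', () => {});
  doc.querySelectorAll('input[type=password]');
  doc.createElement('div');
}

// Install the hooks on the stub, run the simulated injection, return the log.
function auditStubWebView() {
  const doc = makeStubDocument();
  const log = installAudit(doc, 'document');
  simulateInjectedScript(doc);
  return log;
}

// In a real page, install the hooks in the first <script> of the document,
// before any other code runs, and read globalThis.__webviewAudit afterwards.
if (typeof document !== 'undefined') {
  globalThis.__webviewAudit = installAudit(document, 'document');
} else {
  console.log(formatLog(auditStubWebView()).join('\n'));
}
```

Two caveats a practitioner should keep in mind. The wrappers only see calls made after they are installed, so a script the app injects at document start (before the page’s own first `<script>` runs), or one that captured the original function references early, will not show up; nor will anything that uses an API outside the watched list. And the page’s own code is logged too, so a test page built on this idea should avoid the watched methods itself, which is why the report is only meaningful on a page written for the purpose rather than on an arbitrary site.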

I understand why in-app browsers are a thing on iOS (and iPadOS) but not on macOS, but when you really think about it, it’s quite strange, and a vestige of the past when multitasking on iOS was so much more limited. Whenever possible, open links in Safari (or whatever your default browser is).

Thursday, 3 November 2022