Aug 26, 2022 - Technology
Column / Signal Boost

One more way apps can track your clicks

Illustration of a phone screen displaying a person peeking through blinds with binoculars.

Illustration: Megan Robinson/Axios

The browsers built into popular apps like Facebook and Twitter provide convenience for users looking to read a page — but also open them to broad privacy and security risks, as recent reports have highlighted.

The big picture: In-app browsers allow mobile users to follow links and read web pages without having to switch out of the app they're using. But it's difficult to audit who ends up with the data trails this browser activity creates — and that personal information could end up in the hands of the app maker.

How it works: Both Apple (iOS) and Google (Android) say they apply the same rules to in-app browsers that they apply to any other part of an app that they distribute in their app stores: Both companies require app makers to disclose all information they collect as part of their privacy policies.

  • Google also says it looks for data collected via in-app browser as part of its automated scans of apps submitted to the Google Play store.
  • Apple's policies also prohibit particularly egregious abuses, such as surreptitiously discovering passwords or other private data.

Driving the news: Security researcher Felix Krause published a series of findings recently — including a report on TikTok last week and an earlier look at Instagram and Facebook — suggesting that many in-app browsers contain code that gives the app owners the ability to monitor what users tap, click or type.

Between the lines: App developers have the potential to collect more user information when they make use of an in-app browser to open links — and that could lead to more hidden data collection and heightened security risks, experts tell Axios.

  • Simple modifications to in-app browsers could easily allow platforms to track when someone types, clicks on a link or taps the screen, said Nick Doty, a senior fellow focused on internet architecture at the Center for Democracy and Technology.
  • This is true of all browsers, but with in-app browsers, users typically don't realize that they've shifted into a different environment that might have different data collection practices — they might just think they're using their default mobile browser, like Safari or Chrome, Doty told Axios.

Yes, but: It's hard to say whether TikTok, Facebook or any other app developer is actually making any use of the data collected from these browsers.

  • TikTok has said the report's findings are "incorrect and misleading" and that they don't "collect keystroke or text inputs" through the code Krause identified.
  • Facebook said it developed the code in question to allow it to honor users' "do not track" preferences and still send aggregated data for the purposes of targeting ads.

Our thought bubble: The new concerns over in-app browsers highlight just how impossible it is for average users to know all the ways they're being tracked online — even if the information is disclosed in privacy policies or elsewhere.

  • Most people don't read those disclosures. And it's probably unrealistic to assume the platforms are fully aware of all the data being collected on the vast universe of apps they support.

Neither Apple nor Google commented on whether they have seen examples of in-app browsers collecting data beyond what is expected or allowed.

What's next: Google and Apple have an opportunity to play a broader role as curators of their app-store ecosystems, either by setting stricter limits or more tightly examining in-app browser data collection and use.

  • App store operators could play a bigger role in regulating apps' data collection practices before letting them into the store, said Justin Sherman, research lead at Duke University's Data Brokerage Project.
  • Another option: Websites could alert visitors who are viewing their content via an in-app browser, Doty said.
  • Users, for their part, have the option to open links in a stand-alone browser rather than using the in-app browser.

Want more stories like this? Sign up for Axios Crypto

Go deeper