📱 2022-08-12 23:03:00 – Paris/France.
Meta's Instagram and Facebook apps on iOS inject JavaScript code into third-party websites from their custom built-in browser, thereby accessing data that would not be available if those pages were loaded in a standalone, WebKit-based iOS browser.
In-app browsers – implemented in native Android and iOS code using a component called WebView – let users of a native app interact with websites without leaving the app for a standalone browser. To that end, iOS offers WKWebView, which is part of the WebKit framework, and the newer (and more privacy-protecting) SFSafariViewController, which is part of the SafariServices framework.
Meta's apps rely on WKWebView, the more capable and customizable of the two options, both of which are alternatives to opening web links in the iOS version of Safari.
"This poses various risks to the user, as the host application can track every interaction with external websites, every form input such as passwords and addresses, and every click," explained developer Felix Krause, founder of fastlane.tools, in a blog post exploring the privacy implications of Meta's applications.
These risks include inconvenience, such as not having the user's login session data available (requiring additional authentication during transactions) and not having access to mobile browser extensions like password managers. There are also security and privacy concerns that arise from any injected code: it can potentially read the content of any web page it runs in, change ad IDs, enter credentials, etc.
There is no indication that the injected script (pcm.js) does any of this. If you trust Meta, you needn't worry that its script will later be extended with more pernicious functions. Meta claims that the JavaScript code its apps add to websites helps aggregate events like online shopping for targeted ads and analytics.
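A site cannot stop a host app from injecting script into its own WebView, but it can notice when its DOM contains script elements it never shipped. The following is an added example, not code from the article, from Krause, or from Meta: a page-side inventory of script origins against an allowlist, with the classification kept separate from the DOM glue so it runs offline. The allowlist, the page URL, the sample script list and the `tracker.invalid` host are all constructed assumptions; the article gives no URL for pcm.js.

```javascript
// Added example (not from the article or any project it describes). A site inventories
// the <script> elements present in its own DOM and flags any whose origin it did not
// ship. A script added by a host app's in-app WebView shows up in that inventory like
// any other element.

// Pure classification step, free of DOM access so it can be run and tested offline.
//   scriptSrcs     - the src attribute of every script element ("" for inline scripts)
//   allowedOrigins - origins (scheme://host[:port]) the site legitimately loads scripts from
//   baseHref       - the page URL, used to resolve relative src values
// All three are assumptions of this example; the article specifies none of them.
function findUnexpectedScripts(scriptSrcs, allowedOrigins, baseHref) {
  const allowed = new Set(allowedOrigins.map((o) => new URL(o).origin));
  const unexpected = [];
  for (const src of scriptSrcs) {
    if (src === "") continue; // inline scripts carry no origin; see the mutation hook below
    let origin;
    try {
      origin = new URL(src, baseHref).origin;
    } catch {
      unexpected.push({ src, reason: "unparseable src" });
      continue;
    }
    if (!allowed.has(origin)) {
      unexpected.push({ src, reason: `origin ${origin} is not allowlisted` });
    }
  }
  return unexpected;
}

// Browser-side glue: scan once at load and again whenever a script element is added
// later, which is when an injected script typically appears. Guarded so this file
// also runs under Node, where there is no document; returns whether a watch was installed.
function installInjectionWatch(allowedOrigins, report) {
  if (typeof document === "undefined") return false;
  const scan = () => {
    const srcs = Array.from(document.scripts, (s) => s.getAttribute("src") || "");
    const hits = findUnexpectedScripts(srcs, allowedOrigins, document.baseURI);
    if (hits.length > 0) report(hits);
  };
  scan();
  const observer = new MutationObserver((records) => {
    const scriptAdded = records.some((r) =>
      Array.from(r.addedNodes).some((n) => n.nodeName === "SCRIPT"));
    if (scriptAdded) scan();
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return true;
}

// Constructed sample: the script list a checkout page might see inside an in-app browser.
// The third entry stands in for a host-app-injected file; the host name is made up.
const SAMPLE_SCRIPTS = [
  "/static/app.js",
  "https://cdn.example.com/vendor.js",
  "https://tracker.invalid/pcm.js",
  "",
];
const SAMPLE_ALLOWED = ["https://shop.example.com", "https://cdn.example.com"];

function demo() {
  return findUnexpectedScripts(SAMPLE_SCRIPTS, SAMPLE_ALLOWED, "https://shop.example.com/checkout");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

In a real deployment the `report` callback would post the findings to the site's own telemetry endpoint; the point of the split is that the allowlist decision is plain data in, plain data out, so it can be unit-tested without a browser.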
"The code in question allows us to respect people's privacy choices by helping to group events (like making an online purchase) from pixels that are already on websites, before those events are used for any advertising or measurement purpose," said Andy Stone, director of communications at Meta, via Twitter.
Krause, in his analysis of the code injection performed by the Instagram and Facebook iOS apps, revisited concerns he and other web developers have repeatedly voiced in recent years.
Krause actually filed a bug report with Apple about this in 2018. "Allowing apps to display third-party web content in an in-app web view (WKWebView) introduces a major security and privacy risk for iOS users," he wrote in a submission to Apple's private Radar bug-tracking system and to Open Radar, the public site created in response to Apple's sullen insistence on secrecy.
Privacy, we've heard of it
The problem, web developers say, is that Meta's apps undermine the web privacy expectations and browser choices of iOS users, though those choices are already constrained by Apple's WebKit rule, whose future is now uncertain.
"In-app browsers should not be allowed to subvert a user's browser choice," Open Web Advocacy, a group that challenges anti-competitive web practices, said via Twitter. "Apple and Google should enforce this at the operating system level. OWA advocates for users to have control over what happens when they tap a link, regardless of the app."
Meta insists that Krause misunderstood its web page injection. "We intentionally developed this code to honor users' App Tracking Transparency (ATT) choices on our platforms," a spokesperson for Meta told The Register in an email. "The code allows us to aggregate the data before it is used for targeted advertising or measurement purposes."
Apple's App Tracking Transparency, a privacy feature introduced by Apple last year that requires user consent for ad-related tracking, is expected to cost Meta $10 billion in ad revenue in 2022. So you can imagine how keen Meta is to comply.
It's also worth noting that in its eagerness to respect people's privacy decisions, Meta's Instagram and Facebook apps on iOS offer no way to opt out of ostensibly privacy-friendly code injection.
"The real scandal about FB's In-App 'browser' isn't the extra tracking, it's the subversion of browser choice," Microsoft Edge partner program manager Alex Russell said via Twitter. "I'm sure it's totally a coincidence that this also has the effect of removing the blocking of trackers that real browsers might apply."
The Register asked Meta's spokesperson to explain how injecting code into a custom in-app browser to evaluate users' tracking preferences can be seen as "honoring people's [ATT] choices" when simply opening web pages in the user's preferred browser, or using Apple's SFSafariViewController, would do this more efficiently.
We haven't had a response. ®
SOURCE: Reviews News