Photo: DenPhotos (Shutterstock)
Both Apple and Google are doing great work to prevent multi-site tracking. Google Chrome is slowly phasing out cookies, and Apple goes the furthest by asking users to block multi-app/multi-site tracking using their app transparency popups.
Custom in-app browsers are out of their reach, though. Such browsers are annoying by default, as they won’t have the history, usernames, passwords, or sharing options from your default browsers. But while they are most commonly found in apps like Facebook and Instagram, they aren’t limited to the big two Meta apps.
Because the app developers themselves code in-app browsers, they have a lot more freedom as to what goes on in there. A recent study by Fastlane developer Felix Krause showed that Facebook and Instagram can basically track anything they want when you’re using their in-app browser, which they use to open all ads and links by default.
How does in-app browser tracking work?
JavaScript injection. The study uses Instagram as an example. Instagram injects Meta’s Meta Pixel JavaScript tracking code into every website that you open. It’s a library designed for website developers to track visitors on their site. Meta is injecting it on every site, without asking the website, and collecting the data for themselves.
G/O Media may get a commission
When you open a link in Instagram, the app injects JavaScript code (Meta Pixel) that helps the app view and record all kinds of stuff. They can record what you tapped on, what image you opened, how long you spent on a page, and more. Instagram then uses this information to serve you more ads and to build an even clearer picture of your identity.
Technically, an in-app browser can even record personal information like passwords and credit card information as you’re entering it in the text field, but the study doesn’t show that Meta is doing anything that nefarious. It’s important to note, though, that a random app with its own built-in web browser does have the ability.
What can you do about in-app browser tracking?
First, whenever you open a link in Instagram, Facebook, or any other app with an in-app browser, get the hell out of there. The app has already recorded that you opened the link and there isn’t a lot that you can do about that, but you can stop the tracking there. Instagram has an option to open the website in the default browser, hidden behind the Menu button.
Another option is to stop using the app itself. Switch to the web app version and you won’t have to deal with this problem. And if we’re talking about Instagram, you’ll actually get a nicer and calmer, Reels-free experience.
That’s about all that you can do. For website developers, Felix suggests a string of code that will fool Instagram into thinking that their code is already installed on the site. He also has suggestions on what Apple can do to prevent such kind of abuse in the future. If you’re curious about how he figured all of this out (it makes for a great read), take a look here: Felix Krause/9to5Mac.