iOS Privacy: Announcing InAppBrowser.com – see what JavaScript commands get injected through an in-app browser

Last month, software developer Felix Krause seemingly exposed the existence of JavaScript commands within in-app browsers in Facebook’s, Instagram’s, and TikTok’s Apple iOS apps. Each app developer’s JavaScript file injects code when a user clicks on a link or an ad, forcing her to third-party websites through the in-app browser instead of the user’s default browser. As Krause noted, if he is on to something, app developers can use their in-app browsers to monitor user activity on third-party websites without consent. Although the App Store’s review policies do not prohibit in-app browsers from tracking user activity across third-party websites, the injection of these specific JavaScript commands to in-app browsers seems to conflict with Apple’s recent brand campaigns and its focus on user privacy, likely epitomized by Apple’s App Tracking Transparency (ATT) framework with the release of iOS 14.5 in April 2021.