Skip to content
Thoughtful, detailed coverage of everything Apple for 34 years
and the TidBITS Content Network for Apple professionals

Instagram and Facebook Could Track Everything You Do in Their In-App Browsers

Avoid Instagram browser tracking

In the latest update to all the ways that Meta (previously Facebook) works to track users, security researcher Felix Krause has discovered that the Instagram and Facebook iOS apps inject custom JavaScript code into every website using their custom in-app browser. That code, according to Meta, helps aggregate events like online purchases before the Facebook platform uses those events for targeted advertising and measurement.

That may or may not cross your line for unnecessary tracking, but Krause’s broader point is that such custom scripts could monitor your every interaction on third-party websites, including form inputs like passwords and credit card numbers, so you have to decide what you trust Meta to do in the future. You can sidestep this privacy vulnerability by tapping the ••• button at the top right and selecting Open in Browser, accessing the Instagram and Facebook websites in Safari instead of their iOS apps, or opting out of Meta’s exploitative business model entirely.


Read original article

Subscribe today so you don’t miss any TidBITS articles!

Every week you’ll get tech tips, in-depth reviews, and insightful news analysis for discerning Apple users. For over 33 years, we’ve published professional, member-supported tech journalism that makes you smarter.

Registration confirmation will be emailed to you.

This site is protected by reCAPTCHA. The Google Privacy Policy and Terms of Service apply.

Comments About Instagram and Facebook Could Track Everything You Do in Their In-App Browsers

Notable Replies

  1. I think I solved this and all Facebook and Instagram issues by deleting my accounts on both if them! Am I corrrect?

  2. My understanding is yes and no - yes in the sense that Facebook/Instagram cannot track us directly once the accounts are deleted, and no because the companies can still track us using other techniques such as fingerprinting. Fingerprinting refers to device configuration and other attributes that, when used in combination, can identify individual users. These attributes may include:

    • Browser configuration
    • IP address
    • Language and regional settings
    • Screen resolution
    • Operating system

    Some examples of fingerprinting techniques are available at:

    In addition, while we may not use social media directly, we may interact with other individuals who use social media. Information/metadata about such interaction may be available to the social media companies. This may also allow social media companies to construct our detailed profile, even though we do not have an ‘identity’ on their platforms.

  3. Thanks for your reply.

    Would any of these ideas make their tracking less than accurate?

    • Browser configuration Use different browsers? Change configurations?

    • IP address Use a VPN

    • Language and regional settings Change those regional settings

    • Screen resolution Use different devices

    • Operating system Use different systems

  4. I believe so, I usually think of the strategy as involving ‘reliance on large numbers’, ‘spoofing’ and ‘denial’.

    The ‘large numbers’ techniques make the attributes look ‘generic’/common, so it becomes harder to construct an accurate fingerprint. For example, I imagine millions of people use Windows + Chrome, so it is harder to identify specifically someone from a pool of Windows + Chrome users, all else being equal.

    The ‘spoofing’ techniques basically hide the real attributes using means such as VPN or a different user agent profile. Using a VPN and IP of another country not only changes the IP address, but other attributes such as timezone which can further reduce the accuracy of fingerprinting. Using different operating systems can be done using virtual machines. Tools such as Hide My Email help to… hide email addresses and make it harder for profilers to reconcile the addresses.

    ‘Denial’ is the straightforward approach of saying no - no cookies, use private browsing, not consenting to tracking, not running Javascript or loading other web objects if necessary, etc.

  5. Thanks for confirming that I have been heading in the right direction. All I want from the Internet is email and useful information about Health, Science etc. I refuse to be bombarded by advertising from every angle as well. If I want or need something I will look for it on my own. I will do the required price comparison etc. No amount of advertising can influence me. Why? The tactics of advertising have backfired on advertisers. I am skeptical of their claims and more than reluctant to do business with them or make purchases from them. In short, there have been too many false claims, deceptive methods and outright LIES! :-(

  6. Another option to avoid this behavior: use the Meta products only in Safari, delete the apps. Save the link to one of the home screens for faster access. This could also be done for other social networks like Linkedin and Twitter.

  7. Yes, which is one reason why it’s a good idea to run an ad blocker in your web browser. I use AdBlock Plus on my devices. Although its configurability for Safari is a bit limited, it is very robust on Firefox, which I use for most of my browsing. There are quite a lot of optional filter lists available for it. I subscribe to eight:

    • EasyList. A robust set of filter rules that can be used with several different ad-blocking software systems.
    • EasyPrivacy. From the EasyList people, designed to block trackers.
    • Fanboy’s Annoyance List. Blocks social media content, popup messages, messages about cookie usage, GDPR warnings and other annoying content.
    • Combibed Privacy Block Lists. Blocking malicious and harmfully deceptive content including advertising, tracking, telemetry, scam and malware servers.
    • NoCoin. Designed to block browser-based crypto mining. Where a web site (or an ad on a web site) runs scripts to mine cryptocurrency on your computer.
    • Spam 404. Blocking scam and malware sites.
    • An “anti-circumvention” list, that tries to block and remove content intended to get around ad-blocking software.
    • A “warning removal” list, that tries to remove those annoying “please turn off your ad blocker” popup messages.

    These filters, in conjunction with Firefox’s Enhanced Tracking Protection can go a long way to protect your privacy.

    Of course, nothing’s perfect. I have these features disabled for certain web sites where they get in the way, or where I want to view ads in order to support the site. And of course, any site can track what you do when you are logged into their site (it’s impossible to block first-party tracking without rendering most sites completely useless).

    Perfect protection is impossible without completely disconnecting from the Internet, but I think you can get “very good” protection doing something like what I’m doing.

  8. One question that comes to my mind is why in-app browsers are still a thing? Yes, I understand it makes things seamless, with no jumping back and forth between apps, but that seems to come at the expense (to the user) of giving developers power to pull stuff like this without the user’s knowledge. Perhaps it’s time for Apple to yank it out of iOS / iPadOS, or restrict what it can do and when it can be used?

  9. A big second to David C’s approach. I don’t have any Facebook or Instagram apps on my iOS stuff because I don’t trust Meta not to be doing horrible things behind the scenes. Using Safari (with ad blockers and privacy settings turned on high) hopefully limits it as much as possible and, more importantly, brings Apple’s weight to bear. They’re much better at dealing with behind the scenes sneakiness than I’ll ever be.

    I don’t think there’s a solution that will work perfectly – not even not being on FB. There’s just too many ways for them to access your behavior. But reducing that collection is still valuable.

  10. Wanna make sure I got this correct… clicking on links (Chrome) on my desktop does not involve any “in-app browser,” correct?" So we are talking iOS. Always thought the “in-app” browser was just they’re tapping into webkit with the “browser coming from webkit itself,” guess not. I DO have a VPN on my mobile devices (came with my password manager), guess using that goes a real long way for them to not track “me” or get any of my sensitive data in any way, right?

  11. Wouldn’t a service like with it’s privacy settings mitigate this security/privacy issue?

  12. Not really. Because the browser is part of an app, that app has access to, and can report, everything you visit, no matter what you do with the packets after they leave your device (e.g. secure DNS, VPN, etc.)

    This is the case with any in-app browser. If you don’t trust the publisher of the app with your privacy (and I don’t think any social media company should be trusted), then you can’t trust a browser that runs as a part of that app.

    If the app is implementing the in-app browser by using Apple’s Safari/WebKit widget, then there is a little protection against truly malicious scripting, but by its nature, the app that embeds the widget always has access to every URL you visit, so none should be considered secure with respect to privacy.

Join the discussion in the TidBITS Discourse forum


Avatar for ace Avatar for silbey Avatar for milucmedia Avatar for nello Avatar for chengengaun Avatar for AlanRalph Avatar for tidbits41 Avatar for pbinderup Avatar for brownrm31 Avatar for Shamino