Instagram and Facebook are using their built-in browser to track what iOS users (iPhone and iPad) do on external websites — from form data like passwords and credit cards to every tap. Felix Krause, a former Google engineer and privacy researcher, detailed this on his blog.
Both applications take advantage of the fact that links tapped in these social networks automatically open in an “in-app browser” controlled by Facebook or Instagram itself, instead of in the mobile browser (Chrome, Safari or another one of your choice).
In this way, Meta — the parent company of Facebook and Instagram — is also able to monitor everything we do on external websites, without the consent of the user or the website provider.
“The Instagram app injects its tracking code on every website they view, including when clicking on ads, allowing them to monitor all user interactions such as all buttons and links tapped, text selections, screenshots, as well as any form entries such as passwords, addresses, and credit card numbers,” says Krause.
It is worth mentioning that, according to the researcher, no code of this type was added to the WhatsApp browser.
How is transparency bypassed?
Apple has been working against cross-host tracking since iOS 14.5 with the App Tracking Transparency feature, which forces apps to ask for user permission before tracking their data in third-party apps from other companies.
In a statement, Meta explained that this tracking code injection helps aggregate events (read: online purchases) before they are used for targeted advertising and measurement for the Facebook platform.
“We intentionally developed this code [the tracking snippet] to honor people’s choices on our platforms,” a spokesperson told The Guardian. “The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We don’t add pixels. The code is injected so we can aggregate pixel conversion events.”
How to protect yourself
Whenever you tap a link on Instagram or Facebook, choose to open it in the Safari browser, native to iPhones and iPads. It already blocks third-party cookies by default.
There is still no way to do this automatically; you have to redirect manually:
- Access the link directly on the social network;
- Tap the three dots in the upper right corner of the page that opens;
- Choose the option “Open in browser”; you will be directed to your default internet app.