This website tells you which private information apps might be tracking


Did you know that you are potentially being tracked when you load an in-app browser on iOS? A new tool reveals exactly how, showing how apps like TikTok and Instagram can potentially use JavaScript to view sensitive data, including your address, passwords and credit card information, without your consent.

The tool can be found on All you have to do is open the app you want to check out and share the URL somewhere in it, such as sending the link to a friend or posting it in a comment. From there, you can tap the link and get a report from the website about the scripts running in the background.

Don’t be intimidated if you’re unfamiliar with the technical jargon, as the tool’s developer, Felix Krause, provides FAQs that explain exactly what you’re seeing. In response to questions about how best to protect yourself, Krause says, “Whenever you open a link from any app, see if the app offers a way to open the website currently displayed in your browser by During this analysis, every app besides TikTok offered a way to do this.”

TikTok responded to the site in a statement, provided earlier to Motherboard and now on Twitter, saying, “The report’s findings on TikTok are incorrect and misleading. Contrary to its claims, we do not collect typing or text input through this code, which is only used for debugging, troubleshooting, and performance monitoring.”

Krause is a security researcher and former Google employee who earlier this month shared a detailed report on how browsers in apps like Facebook, Instagram and TikTok can pose a privacy risk to iOS users.

In-app browsers are used when you tap a URL in an app. Although these browsers are based on Safari’s WebKit on iOS, developers can tune them to run their own JavaScript code, allowing them to track your activity without your consent or that of third-party websites you visit.

Applications can inject their JavaScript code into websites, allowing them to monitor how the user interacts with the application. This can include information about each button or link you press, keystrokes, and whether screenshots were taken, although each app varies in the information it collects.

In response to Krause’s earlier report, Meta justified the use of these custom tracking scripts by claiming that users already consent to apps like Facebook and Instagram tracking their data. Meta also claims that the data collected is only used for targeted advertising or unspecified “measurement purposes”.

“We intentionally developed this code to honor the [Ask to track] choice on our platforms,” a spokesperson for Meta said. “The code allows us to aggregate user data before using it for targeted advertising or measurement purposes.”

They added: “For purchases made through the in-app browser, we ask for user consent to save payment information for autofill purposes.”

The tool developed by Krause is not infallible. He admits that it cannot detect every JavaScript command that runs, and points out that JavaScript is also used in legitimate development and is not inherently malicious. He notes: “This tool cannot detect all executed JavaScript commands, and does not show any tracking that the application might be doing using native code (such as custom gesture recognitions).” Nonetheless, it offers iOS users a user-friendly way to check their digital footprint in their favorite apps.
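As an added example (not code from Krause's tool or from the original article), one way a web page can notice a script subscribing to user input is to wrap `addEventListener` and record every registration the page did not make itself. The names `watchListeners`, `asPage` and `demo`, and the sample listeners, are assumptions made up for this sketch.

```javascript
// Added illustration; not the code of the tool described in the article.
// Event types whose listeners can expose taps, keystrokes or text selection.
const SENSITIVE = new Set(["keydown", "keypress", "keyup", "input", "click", "selectionchange"]);

// Wrap target.addEventListener so every later registration is recorded.
// `label` is a display name for the target (hypothetical parameter).
function watchListeners(target, label) {
  const original = target.addEventListener;
  const seen = [];
  let pageIsRegistering = false;

  target.addEventListener = function (type, listener, options) {
    seen.push({ target: label, type, sensitive: SENSITIVE.has(type), byPage: pageIsRegistering });
    return original.call(this, type, listener, options); // listener still works
  };

  return {
    // Run the page's own (synchronous) setup so its listeners are not reported.
    asPage(fn) {
      pageIsRegistering = true;
      try { return fn(); } finally { pageIsRegistering = false; }
    },
    // Registrations made by anything other than the page itself.
    report() { return seen.filter((entry) => !entry.byPage); },
    restore() { target.addEventListener = original; },
  };
}

// Constructed demo: an EventTarget stands in for `document`, and the two
// bare addEventListener calls stand in for a script injected by a host app.
function demo() {
  const doc = new EventTarget();
  const watch = watchListeners(doc, "document");
  watch.asPage(() => doc.addEventListener("click", () => {}));
  doc.addEventListener("keydown", () => {});
  doc.addEventListener("scroll", () => {});
  const foreign = watch.report();
  watch.restore();
  return foreign;
}

console.log(demo());
```

In a real page the wrapper has to be installed before any other script runs, and it only sees calls made through the wrapped function, so the limitation quoted above applies to it as well: tracking done in native code stays invisible.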

Krause has also made the tool open source, saying, “ is designed so that anyone can see for themselves what apps are doing in their built-in browsers. I decided to open the code used for this analysis, you can check it on GitHub. This allows the community to update and improve this script over time.” You can find out more on its website.

Updated August 19, 3:34 p.m. ET: Added TikTok’s answer.
