The companies that own the offending applications benefit from this in several ways. First, everything happens behind the scenes, without most users suspecting anything. Second, the in-app browsers do not support content blockers or reveal privacy information when used.
Most companies use in-app browsers and code injections for tracking and monetization purposes, but some may use code to monitor all user activity, including all keystrokes.
Felix Krause created the website InAppBrowser, which is designed to reveal to the user if an in-app browser is injecting code.
Here is how it works:
- Open the application that you want to analyze.
- Use the share functionality inside the application to get the link https://InAppBrowser.com into the app. You may DM a contact or post publicly.
- Open the link that has just been shared or posted.
- Check the report that is displayed.

The report lists what the injected code does, for example:
- Adds CSS code, which allows the app to customize the appearance of the website.
- Monitors all taps happening on websites, including taps on all buttons & links.
- Monitors all keyboard inputs on websites.
- Gets the website title.
- Gets information about an element based on coordinates, which can be used to track which elements the user clicks on.
You can check out the blog post, which offers additional details.
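The following is an added example, not code from InAppBrowser.com or from the blog post. It sketches how a web page can detect the behaviors listed above by wrapping the document APIs an injected script would call. The function names, the stub document and the simulated injected script are constructed for illustration.

```javascript
// Added example: report labels follow the findings listed in the article.
const EVENT_FINDINGS = {
  click: 'Monitors all taps happening on websites',
  keydown: 'Monitors all keyboard inputs on websites',
  keypress: 'Monitors all keyboard inputs on websites',
  keyup: 'Monitors all keyboard inputs on websites',
};

// Wrap the document APIs that injected scripts touch and record each use.
// `doc` is the page's `document`; returns a function that yields the report.
function instrument(doc) {
  const findings = new Set();
  const wrap = (name, note) => {
    const original = doc[name];
    doc[name] = function (...args) {
      const finding = note(...args);
      if (finding) findings.add(finding);
      return original.apply(this, args);
    };
  };
  wrap('addEventListener', (type) => EVENT_FINDINGS[type]);
  wrap('elementFromPoint', () => 'Gets information about an element based on coordinates');
  wrap('createElement', (tag) =>
    String(tag).toLowerCase() === 'style' ? 'Adds CSS code' : undefined);
  // Replace `title` with an accessor so that reads become visible too.
  let title = doc.title;
  Object.defineProperty(doc, 'title', {
    configurable: true,
    get() { findings.add('Gets the website title'); return title; },
    set(value) { title = value; },
  });
  return () => [...findings].sort();
}

// Constructed stand-in for `document` so the example runs outside a browser.
function makeStubDocument() {
  return {
    title: 'Example page',
    addEventListener() {},
    elementFromPoint() { return null; },
    createElement(tag) { return { tagName: String(tag).toUpperCase() }; },
  };
}

function demo() {
  const doc = makeStubDocument();
  const report = instrument(doc);
  // Simulated injected script (constructed): listens for keys, reads the title.
  doc.addEventListener('keydown', () => {});
  void doc.title;
  return report();
}
```

In a real page, `instrument(document)` would have to run as the first script. It only sees code that executes in the page's own JavaScript context after the wrappers are installed.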
Protection against invasive in-app browsers
Mobile app users have just a few options. Besides the obvious, removing the app from the device, they may be able to redirect links to other browsers on the device. Not all apps support that though. The use of DNS-based content blockers may not help as much either, at least not against the potential reading of keystrokes or other activities unrelated to the display of ads or tracking.
Now You: Do you use apps with in-app browsers?