InAppBrowser.com: See What JavaScript Commands Get Injected Through an in-App Browser

Felix Krause, back in September:

Last week I published a report on the risks of mobile apps
using in-app browsers. Some apps, like Instagram and Facebook,
inject JavaScript code into third party websites that cause
potential security and privacy risks to the user.

I was so happy to see the article featured by major media outlets
across the globe, like The Guardian and The Register, generated
over a million impressions on Twitter, and was ranked #1 on
HackerNews for more than 12 hours. After reading through the
replies and DMs, I saw a common question across the community:

“How can I verify what apps do in their webviews?”

Introducing InAppBrowser.com, a simple tool to list the
JavaScript commands executed by the iOS app rendering the page.

It’s pretty creepy that TikTok both injects a JavaScript keylogger and does not have a button to open the current page in Safari.

I understand why in-app browsers are a thing on iOS (and iPadOS) but not on MacOS, but when you really think about it, it’s quite strange, and a vestige of the past when multitasking on iOS was so much more limited. Whenever possible, open links in Safari (or whatever your default browser is).
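One way a page can list the JavaScript calls made against it, as an added example that is not InAppBrowser.com's own code: wrap a few DOM methods and log every call that arrives after the page's own setup. The names `watchMethods`, `describeArg`, `WATCHED` and the stand-in `fakeDocument` are hypothetical; in a real page the first argument would be `document`.

```javascript
// Added example: record calls to selected DOM methods so a page can show
// what other code (for instance, script injected by a host app) does to it.
const WATCHED = ['addEventListener', 'getElementById', 'querySelectorAll', 'createElement'];

// Summarise an argument without keeping references to page data.
function describeArg(arg) {
  if (typeof arg === 'function') return '[function]';
  if (typeof arg === 'string') return JSON.stringify(arg.slice(0, 80));
  if (arg === null || typeof arg !== 'object') return String(arg);
  return '[object]';
}

// Replace each named method on `target` with a logging wrapper.
// Returns a function that puts the original methods back.
function watchMethods(target, label, names, log) {
  const originals = new Map();
  for (const name of names) {
    const original = target[name];
    if (typeof original !== 'function') continue; // API absent on this target
    originals.set(name, original);
    target[name] = function (...args) {
      log.push({ call: `${label}.${name}`, args: args.map(describeArg) });
      return original.apply(this, args); // behaviour stays unchanged
    };
  }
  return () => { for (const [name, fn] of originals) target[name] = fn; };
}

// Constructed stand-in for `document`, so the example runs outside a browser.
function demo() {
  const fakeDocument = {
    addEventListener(type, handler) { return undefined; },
    getElementById(id) { return { id }; },
  };
  const log = [];
  const restore = watchMethods(fakeDocument, 'document', WATCHED, log);
  // Constructed calls standing in for script the host app runs on the page.
  fakeDocument.addEventListener('keydown', () => {});
  const el = fakeDocument.getElementById('login-form');
  restore();
  fakeDocument.getElementById('after-restore'); // no longer recorded
  return { log, el };
}
```

A hook like this only sees calls made in the page's own JavaScript world, so an empty log does not prove that the host app injects nothing.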

Read Original post from Daring Fireball
