A new analysis of the Instagram app has suggested that every time a user clicks a link within the app, Instagram is capable of monitoring all of their interactions, text selections, and even text input, such as passwords and private credit card details within websites inside the app.
The analysis conducted by Felix Krause found that both Instagram and Facebook on iOS use their own in-app browser, rather than the one offered by Apple for third-party apps. Most apps use Apple’s Safari for loading websites, but Instagram and Facebook have been using their own in-app browser to load websites within the app.
With their custom-built browser, still based on WebKit, Instagram and Facebook inject a tracking JavaScript code named “Meta Pixel” into all links and websites shown. With that code, Meta has total freedom to track users’ interactions without their explicit consent, Krause finds.
This allows Instagram to monitor everything happening on external websites without the consent from the user, nor the website provider.
The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses, and credit card numbers.
As Krause points out, it takes reasonable effort for companies like Meta to develop and maintain their own in-app browser rather than to use Apple’s built-in Safari. On its developer portal, Meta claims “Meta Pixel” is designed to “track visitor activity on your website” by monitoring all events a user does within their custom-built browser. There is no evidence that Meta, which owns Instagram, has actively gathered the user data it’s capable of collecting. As Krause writes:
Does Facebook actually steal my passwords, address and credit card numbers? No! I didn’t prove the exact data Instagram is tracking, but wanted to showcase the kind of data they could get without you knowing. As shown in the past, if it’s possible for a company to get access to data for free, without asking the user for permission, they will track it.
However, this practice is in violation of Apple’s App Tracking Transparency (ATT) policy. ATT requires that all apps ask for user consent before tracking them across apps and websites owned by other companies.
Meta has repeatedly pushed back against Apple’s goal of giving users a choice on whether or not they wish to be tracked. In December 2020, Meta took out a full-page newspaper ad attacking Apple for the change. Krause says he shared his findings with Meta, which responded by saying they’ve confirmed the “issue” but have not responded since. Krause says he gave Meta a two-week notice before deciding to go public with his findings.