Are TikTok, Instagram, and Facebook tracking everything you search for?
Privacy Corner:
Beware of In-App Browsers!
TikTok, Instagram, and Facebook can track anything you do on any website in their in-app browser, says Felix Krause, founder of fastlane.tools. Two of his blog posts went viral this month, showing how these companies inject code into their iOS in-app browsers that could be used for key-logging.
An in-app browser is a way to browse the web from within a particular app, instead of via your default browser. If you click on a link inside Instagram or Facebook, for example, you’ll likely get a message that asks whether you want to keep using the app, or use a different browser to open it. If you keep using the app, you’re using the app’s browser instead of your browser of choice. If you click on a link inside TikTok, you won’t get an option, you’ll be taken to the website you seek from within TikTok’s in-app browser by default.
Krause warns users that using an in-app browser can compromise their privacy and security:
“TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app. This can include passwords, credit card information and other sensitive user data. … We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites.”
Krause’s discoveries led him to also release a tool - InAppBrowser.com - that allows users to explore the secrets that lie within the javascript of in-app browsers.
(Note: This tool can’t detect all JavaScript commands executed, and doesn’t show any tracking the app might do using native code. But it does clearly demonstrate the potential dangers of in-app browsers.)
Maureen Shanahan, a spokesperson from TikTok, responded to the findings by calling them “incorrect and misleading”, saying:
“Contrary to the report’s claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring.”
Meta-owned apps — Facebook, Instagram, and Messenger — also use similar code. Meta spokesperson, Alisha Swinteck, responded that it is common to find in-app browsers “across the industry,” and assured users:
“We have carefully designed these experiences to respect users' privacy choices, including how data may be used for ads."
A good rule of thumb is to always use your privacy-preserving browser of choice when using the internet, and don’t opt to use in-app browsers. Most apps (besides TikTok) will offer you the option when clicking an external link.
For more details, here are his 2 articles:
iOS Privacy: Instagram and Facebook can track anything you do on any website in their in-app browser
You Need a Password Manager
Do you reuse passwords? Or tweak them slightly by changing just a couple of letters?
You need to stop doing this immediately, and use a password manager instead.
Data breaches happen all the time, where usernames and passwords, or a scrambled version of your password (called a hash) are leaked on the dark web. At least one account that you own has almost surely been compromised in this way. If you reuse passwords, you have put all of your accounts at risk.
Here’s how to better protect your passwords:
Step 1:
Use a unique password for every account you own
“How am I meant to remember 100s of different passwords?”, we hear you ask.
Step 2:
Use a password manager to store your passwords so that you don’t have to remember them
A password manager is a tool that creates and stores passwords for you in an encrypted database.
Step 3:
Use a password manager to randomly generate new passwords for you
We tend to pick passwords that are easy to remember, or easy to guess because they include personally significant words or numbers. Even if you are trying to create a random password, it turns out humans are bad at typing randomly even when we try really hard to do so. The password manager will create a long, unique, random passwords for every website you access.
Step 4:
Choose a reputable password manager, and secure your password vault with 2FA
When choosing a password manager, go with one that has been well vetted, ideally open source or one with third party audits. Be sure to add 2-factor-authentication to your password vault to further secure it, and using a security key like YubiKey is the best way to do this.
“Why would I want to put all my eggs in one basket?”
Using a password manager is putting all your eggs in one basket, but it’s a really secure basket, and far more secure than reusing passwords or using super simple passwords. A good password manager will encrypt on your device, meaning that whichever service is storing your password vault never gets access to those passwords. You can also choose to store your encrypted password vault yourself.
Using a password manager is one of the most important things you can do online, and a great way for the average person to dramatically increase their online security. We highly recommend you make this the next step in reclaiming more control over your digital life.
For a more detailed explanation be sure to check out NBTV’s video on Password Managers!