A new tool shows exactly how apps like TikTok and Instagram can use JavaScript to view users' sensitive data. This data includes your address, password, and credit card information, and it can be accessed without your consent.
The tool can be found at InAppBrowser.com. All you need to do is open the app you want to check and share the URL InAppBrowser.com.
Don't worry if you're not used to the technical terms: the developer of the tool, Felix Krause, offers some frequently asked questions that explain exactly what you're seeing.
How does JavaScript work?
Krause is a security researcher and former employee of Google who shared a detailed report in early August 2022 on how browsers in apps like Facebook, Instagram and TikTok can pose privacy risks to iOS users.
In-app browsers are used when you click a link to a website inside an app. While these browsers are based on Safari's WebKit on iOS, developers can customize them to run their own JavaScript, allowing them to track your activity without your consent or that of the third-party websites you access.
This can include information about every button or link you click, the information you enter, and screenshots, although what is collected differs from one application to another.
TikTok and Meta respond
Motherboard reported that TikTok responded: "The conclusion of the report on TikTok was inaccurate and misleading. Contrary to those statements, we do not collect information through this code; this code is only used for troubleshooting and performance monitoring."
In response to Krause's previous report, Meta justified the use of these custom tracking commands by stating that users had agreed to let apps like Facebook and Instagram track their data. Meta also stated that the tracking data is used only for advertising or for unspecified "measurement purposes".
Meta's spokesperson said: "We intentionally developed this code for the purpose of tracking users on our platform. The code allows us to synthesize user data before using it for advertising or measuring goals."
Is JavaScript really "harmful" to users?
Krause admitted that his tool cannot detect all possible JavaScript commands in play, and noted that JavaScript is also used for legitimate, inherently non-malicious development.
"This tool cannot detect all the JavaScript commands that are being executed, nor does it display any tracking activities that the application can do using source code," he noted. However, it will alert iOS users to check their digital footprint on their favorite apps.
Krause has also released the tool as open source, saying: "InAppBrowser.com is designed for people to verify what the browser is doing in their application. This allows the community to update and improve this command over time."
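
How a web page can watch for this kind of injected JavaScript, as an added example that is not code from the article or from Krause's tool: it wraps selected DOM methods to log calls made by other scripts, and shows one reason such a check cannot see everything. The stand-in `document`, the simulated injected script and all function names are constructed for illustration.

```javascript
// Added illustration: wrap selected DOM methods so the page can record
// calls made by scripts it did not ship (e.g. ones injected by a host app).
function instrument(target, methodNames, log) {
  const originals = {};
  for (const name of methodNames) {
    const original = target[name];
    if (typeof original !== "function") continue; // skip missing APIs
    originals[name] = original;
    target[name] = function (...args) {
      // Record the method and its first argument (event type, element id, ...).
      log.push({ method: name, detail: String(args[0]) });
      return original.apply(this, args); // preserve normal behaviour
    };
  }
  // Return a function that puts the untouched methods back.
  return () => Object.assign(target, originals);
}

// Constructed stand-in for `document` so the example runs outside a browser.
function makeFakeDocument() {
  return {
    listeners: [],
    addEventListener(type, fn) { this.listeners.push(type); },
    getElementById(id) { return { id }; },
  };
}

// Constructed stand-in for a script injected by a host app (hypothetical).
function simulatedInjectedScript(doc) {
  doc.addEventListener("click", () => {});
  doc.addEventListener("selectionchange", () => {});
  doc.getElementById("password-field");
}

function runDemo() {
  const doc = makeFakeDocument();
  // A reference captured before instrumentation bypasses the wrapper:
  // one reason this kind of check cannot see every call.
  const earlyRef = doc.addEventListener.bind(doc);
  const log = [];
  const restore = instrument(doc, ["addEventListener", "getElementById"], log);
  simulatedInjectedScript(doc);
  earlyRef("keydown", () => {}); // executes, but is not logged
  restore();
  return { log, listeners: doc.listeners };
}

console.log(runDemo());
```

The log holds three entries while the stand-in document registered three listeners, one of which (`keydown`) never appears in the log.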