You can turn this off on both Facebook and Twitter. On Facebook, tap the hamburger menu, then tap Settings, then Media (yeah, it's sneakily hidden). Down at the bottom of the next page, tick Links open externally. pic.twitter.com/dBJU9wFnPy
— Kate Bevan 🇺🇦 (@katebevan) August 10, 2022
Crafty yet sleazy behavior from Meta, here. Should push links to Safari all the time to avoid this. https://t.co/Il87NSxU8M
— Aulia Masna (@aulia) August 11, 2022
Google has known for years that WebView IABs are bad for users, bad for privacy, and bad for the web.
Apple knew about these loopholes when they launched about ATT.
The thing is, they don't care as long as they rinse users through App Stores. https://t.co/D5qqhc36UX https://t.co/RE8XPiBFWg
— Alex Russell (@slightlylate) August 11, 2022
This is a really interesting writeup from @KrauseFx on how the Instagram app subjects users to pervasive tracking and circumvents the privacy protections recently rolled out in iOS. https://t.co/NrmOwzeCGK
A few notes/observations
1/x
— Bill Fitzgerald (he/him) (@funnymonkey) August 11, 2022
In case you needed a reminder about why we care so much about OAuth/OIDC flows being used in the system browser and not embedded browsers, Instagram injects their own tracking code in every web page you visit inside Instagram https://t.co/eZOfEaKjjQ
— Aaron Parecki (@aaronpk) August 10, 2022
I actually can't believe they screwed this up and injected the malware as js into the loaded site where it could be observed introspectively, rather than just doing the spying from the native code in the browser that site js can't see. I'd assumed they'd done the latter. https://t.co/awZMDvdT0w
— Rich Felker (@RichFelker) August 11, 2022
If it weren’t for antitrust regulators breathing down their necks I’d be worried that Apple was going to ban the use of WKWebView for browsing and limit in-app browsers to Safari, which would kill my Web Reader feature. (They may mandate some kind of warning alert though) https://t.co/eKam6nNH9L
— Michael Love (@elkmovie) August 11, 2022
If you want an inkling of the reason I'm so upset about "in app browsers", here's someone else noticing what I've been wittering on about: https://t.co/vTWu1Dc1qG
— Alex Russell (@slightlylate) August 10, 2022
I have long wondered why, when I click a Twitter link on my iPhone, it opens inside Twitter instead of in a normal browser. Now I know. The answer is evil: https://t.co/gK7CVxeTV4
— Dan Froomkin/PressWatchers.org (@froomkin) August 10, 2022
This is appalling behavior by Instagram and Facebook. It's time to do something about it. https://t.co/ROYWtM2K39
— Adrian Holovaty (@adrianholovaty) August 10, 2022
If there's anything Facebook has taught me, it's that no matter what you do, you'll get away with it. Time and time again. https://t.co/f5EKjdvJn6
— Hadi Hariri (@hhariri) August 11, 2022
If you click a link in your Instagram or Facebook app, Meta (Facebook) actually modifies the pages you’re reading so that it can track every single thing you do on those sites. https://t.co/MfRYwADjDS
— Anil (@anildash) August 11, 2022
This is more complicated than it looks - all browsers on iOS but Safari are based on WebView. On Android, at least Opera Mini and DuckDuckGo are built on top of WebView. Implementing X-Frame-Options on the WebView level would make those browsers unviable. https://t.co/4XKPP43gj7
— André Bandarra (@andreban) August 11, 2022
At least on iOS, you can't turn this off for Instagram. Also, Twitter for iOS does NOT track you, they use the recommended SFSafariViewController, which runs in a separate process
— Felix Krause (@KrauseFx) August 10, 2022
“The more I think about it, the more I cannot believe webviews with unfettered JavaScript access to third-party websites ever became a legitimate, accepted technology. It’s bad for users, and it’s bad for websites.” https://t.co/mQ9g02sSZl
— David Barnard (@drbarnard) August 11, 2022
The Facebook and Instagram apps aren't listening to you through your phone's mic, but they are injecting code into any external link you visit to track everything you do. Stop using these apps! They're unsafe. https://t.co/t6NBuofZT7
— Derek Powazek (@fraying) August 11, 2022
Apple’s security argument as to why it can’t allow third party browser engines on iOS 🤝 Apple allowing Instagram and Facebook in-app browsers on iOS to inject tracking scripts on any web site https://t.co/ptmJszRKSi
— Zach Leatherman (@zachleat) August 10, 2022
My first blog post in four years (!) —
How the seemingly innocuous "in-app web browsers" on iOS/Android are a really bad thing, and a proposal for how to fix that. With a little web history thrown in. https://t.co/IqWR9pUrhc
— Adrian Holovaty (@adrianholovaty) August 10, 2022
Adrian's proposed solution mirrors mine: headers should allow pages to "punch-out" of sub-standard treatment while we breathlessly await mobile OSes enforcing reasonable, pro-privacy, pro-user, pro-web policies.
On second thought, don't hold your breath.
— Alex Russell (@slightlylate) August 10, 2022
To the surprise of absolutely nobody Meta does shady stuff in their in app browser. I really want to know how devs within Meta justify this type of stuff. https://t.co/Bf5GlJsrWQ
— Armin Ronacher (@mitsuhiko) August 10, 2022
Native apps using webviews to let users browse external websites are just like rogue websites using frames to "steal" content in the 90s. Misappropriation, poor user experience, additional bugs, and #Security concerns, this must stop! https://t.co/ULY0XPsuv5 pic.twitter.com/xYvgUHnCR9
— François Zaninotto 🇺🇦 (@francoisz) August 11, 2022
Reminder #1000 that if you're not paying for it, and the organization doesn't have a clear alternative story about how its free thing makes it money, then you're the product https://t.co/DfDWZi29YM
— Chris Holdgraf (@choldgraf) August 10, 2022
I would add, new AppStore rule that prohibits this behavior and an insta-ban of their apps until Facebook stops stealing private information from people. https://t.co/IBcwEdHV57
— Miguel de Icaza (@migueldeicaza) August 11, 2022
Just to be clear, my screenshots are Android. Not sure what the situation is on iOS; I don't have any Apple devices, tho Felix suggests it's not so egregious on iOS https://t.co/AooUFj86cC
— Kate Bevan 🇺🇦 (@katebevan) August 10, 2022
This is a smart idea: Apple and Google should make in-app browsers respect X-Frame-Options: Deny to open a page in the user's chosen web browser. As noted, they have zero commercial incentive to do so... but lots of user experience incentive. What happens when the two conflict? https://t.co/ISeVJ9LCOa
— Stuart Langridge (@sil) August 10, 2022
This is really grim, if not entirely unexpected: apparently the Instagram mobile app injects additional JavaScript into every page that's loaded using the in-app embedded browser - here's the tool @KrauseFx built to track changes made to the DOM when loading a page https://t.co/ar0eM2VSvW pic.twitter.com/BCoH7CoXVI
— Simon Willison (@simonw) August 10, 2022
Apple has built “App-Bound Domains”, which could help avoid this kind of platform abuse, however it’s not mandatory yet.
Unfortunately, even the iOS Lockdown Mode doesn’t prevent Instagram fetching user data from third party websites. pic.twitter.com/m3j0dhA1Gi
— Felix Krause (@KrauseFx) August 10, 2022
💥 New Post: Instagram & Facebook tracks everything you do on any website in their in-app browser https://t.co/dj5CMJUwHc pic.twitter.com/LvWXGa34N2
— Felix Krause (@KrauseFx) August 10, 2022
On Twitter, tap your avatar, then Settings and privacy, then Accessibility, display and languages, then Display, then on the next page, toggle off Use in-app browser. You're welcome pic.twitter.com/QbV6OXEqHb
— Kate Bevan 🇺🇦 (@katebevan) August 10, 2022
Why is this a big deal?
Instagram & Facebook actively work around the new App Tracking Transparency System which was designed to prevent exactly this kind of abuse, to keep tracking users outside their ecosystem pic.twitter.com/KNO72eGh9m
— Felix Krause (@KrauseFx) August 10, 2022
Don't know why everyone is sounding so surprised at this. Of *course* Facebook tracks you via its in-app browser. So does Twitter, for that matter. https://t.co/nzY2293m5w
— Kate Bevan 🇺🇦 (@katebevan) August 10, 2022
Asking the big question "why do we let the in-app webview do that?" ("That" being break our sites, inject JavaScript, steal IP, etc.) @adrianholovaty ties the past to the present. A must-read. https://t.co/6csOuIxqZb
— Jay Brodsky (@jbrodsky) August 10, 2022
In-app browsers like those in Facebook are a big privacy risk https://t.co/ctALAAdTCA
— Matt Navarra (@MattNavarra) August 11, 2022
Worrying. https://t.co/QEIkTOnvAS pic.twitter.com/oK8jfSatuQ
— Andrea Stroppa (@Andst7) August 11, 2022
If you are a developer working for @facebook, @instagram or @meta, don't forget that these disgusting things are ON YOU, too: https://t.co/KAE5qmwpo2 https://t.co/8Dnb1DZ9Nj
— Sebastian Felling (@LifeLongThinker) August 11, 2022
In what is not really a surprise to anyone, Facebook and Instagram are injecting additional tracking code for their in-app browsers to sidestep privacy protection. https://t.co/kcPcAlt93M
— Christopher S. Penn (@cspenn) August 11, 2022
iOS Privacy: Instagram and Facebook can track anything you do on any website in their in-app browser
https://t.co/waBTF2DPZE
— Graham Cluley 🇺🇦 (@gcluley) August 11, 2022
Excellent research from @KrauseFx to discover this nefarious behavior. https://t.co/5LBdhOZxy4
— Anil (@anildash) August 11, 2022
.@Meta expands automated #Ad optimization options via ‘Meta Advantage’ Program: https://t.co/WWjIF5T6dm
Via @socialmedia2day
Cc @CurieuxExplorer @TanyaSinha_#DGsaga #automation #AI #artificialintelligence #advertising #digitalmarketing #socialmedia #Facebook #MachineLearning
— DGsaga (@DG__SAGA) August 11, 2022
Meta Expands Automated Ad Optimization Options via ‘Meta Advantage’ Program https://t.co/ekusDQPZyH
— Matt Navarra (@MattNavarra) August 11, 2022
Meta Expands Automated Ad Optimization Options via ‘Meta Advantage’ Program https://t.co/gJAepzCXMR #digitalmarketing #socialmediatips
— Karin (@IAmKarinToo) August 11, 2022