If you have ever used a mobile application, you have probably come across an in-app browser: a feature of some applications that lets you open a web page without leaving the application. Instagram, Facebook and Snapchat all have one.

What you may not know is that when you browse through one of these in-app browsers on iOS, you can potentially be spied on. For example, when you open a page in the browser built into TikTok, the app injects JavaScript that hooks every key you type on the keyboard (password fields included) and every tap you make on the screen.

That does not prove that the companies in question steal passwords; it means they are in a position to.

So how can you tell whether an application injects JavaScript into the pages you visit through its in-app browser?

Felix Krause has built a service called InAppBrowser that lists the JavaScript the iOS application itself injects into the page. To use it, send yourself the InAppBrowser link inside the application (in a chat, for example).


Then tap it so that it opens in the in-app browser. The page will then list the JavaScript injections it detected. Keep in mind that a clean result only means nothing was detected on that page; it is not proof that the app injects nothing anywhere else.
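The underlying technique, as an added example (this is my code, not Felix Krause's InAppBrowser.com implementation): wrap the DOM entry points that injected code has to go through and record who calls them. A host app that injects script into its web view (on iOS through WKWebView's evaluateJavaScript or WKUserScript) ends up creating script elements, attaching them, and registering keyboard or touch listeners, all of which go through these hooks. The FakeDocument classes, the simulateInjectingHost function and the collector.invalid URL are constructed stand-ins so the example runs outside a browser; in a real page the same installInjectionMonitor would be called with document, EventTarget.prototype and Node.prototype.

```javascript
// Added example, not the InAppBrowser.com code: a minimal monitor that
// records JavaScript injection into a web page. An app that injects script
// into its in-app browser (on iOS through WKWebView's evaluateJavaScript or
// WKUserScript) ends up calling the page's ordinary DOM entry points:
// creating <script> elements, attaching them, and registering keyboard and
// touch listeners. Wrapping those entry points early records each call.

const SENSITIVE_EVENTS = ['keydown', 'keyup', 'keypress', 'input', 'touchstart', 'touchend', 'click'];

// Replace obj[name] with a wrapper that reports each call before delegating
// to the original; returns a function that restores the original.
function hook(obj, name, onCall) {
  const original = obj[name];
  obj[name] = function (...args) {
    onCall(this, args);
    return original.apply(this, args);
  };
  return () => { obj[name] = original; };
}

// Install the hooks. In a real page, call it as early as possible with
// installInjectionMonitor(document, EventTarget.prototype, Node.prototype).
function installInjectionMonitor(doc, eventTargetProto, nodeProto) {
  const findings = [];
  const undo = [
    hook(doc, 'createElement', (_, [tag]) => {
      if (String(tag).toLowerCase() === 'script') findings.push({ kind: 'script-created', detail: String(tag) });
    }),
    hook(nodeProto, 'appendChild', (_, [node]) => {
      if (node && node.nodeName === 'SCRIPT') findings.push({ kind: 'script-attached', detail: node.src || '(inline)' });
    }),
    hook(eventTargetProto, 'addEventListener', (_, [type]) => {
      if (SENSITIVE_EVENTS.includes(type)) findings.push({ kind: 'listener', detail: type });
    }),
  ];
  return {
    findings,
    // Number of findings per kind, e.g. { 'script-attached': 1, listener: 2 }.
    summary() {
      const counts = {};
      for (const f of findings) counts[f.kind] = (counts[f.kind] || 0) + 1;
      return counts;
    },
    stop() { undo.forEach((restore) => restore()); },
  };
}

// --- Constructed stand-in for the DOM so the example runs under Node ---
class FakeEventTarget {
  addEventListener(type, fn) {
    if (!this.listeners) this.listeners = [];
    this.listeners.push({ type, fn });
  }
}
class FakeNode extends FakeEventTarget {
  constructor(nodeName) { super(); this.nodeName = nodeName; this.children = []; }
  appendChild(node) { this.children.push(node); return node; }
}
class FakeDocument extends FakeNode {
  constructor() { super('#document'); this.body = new FakeNode('BODY'); }
  createElement(tag) { return new FakeNode(String(tag).toUpperCase()); }
}

// Constructed stand-in for an injecting host app: it loads a script, then
// subscribes to keystrokes and taps. The URL is made up; this is not any
// real app's payload.
function simulateInjectingHost(doc) {
  const script = doc.createElement('script');
  script.src = 'https://collector.invalid/hook.js';
  doc.body.appendChild(script);
  doc.addEventListener('keydown', (event) => event.key);
  doc.addEventListener('touchend', (event) => event.target);
  doc.addEventListener('scroll', () => {}); // harmless, not reported
}

// Run the monitor against a page opened by an injecting host (true) or a
// host that leaves the page alone (false), and return the per-kind counts.
function runDemo(hostInjects) {
  const doc = new FakeDocument();
  const monitor = installInjectionMonitor(doc, FakeEventTarget.prototype, FakeNode.prototype);
  if (hostInjects) simulateInjectingHost(doc);
  monitor.stop();
  return monitor.summary();
}

console.log(runDemo(true));  // { 'script-created': 1, 'script-attached': 1, listener: 2 }
console.log(runDemo(false)); // {}
```

The hooks only see what happens after they are installed. A host that injects at document start (a WKUserScript with injection time atDocumentStart) runs before any of the page's own scripts, so a page-side monitor like this one can miss that phase; that is one reason a clean result is evidence rather than proof.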

Here is a demo:

So what can you do? As a user, the best thing is to avoid in-app browsers whenever possible and open links in the iPhone's own browser, Safari.

Here are some apps that modify the pages you visit and collect metadata:

On the other hand, some applications open links in Safari's own view component (SFSafariViewController) rather than in a web view they control.

This is the case for Twitter, Reddit, WhatsApp, YouTube, Outlook, Twitch and others. It is a sound implementation: Safari's view runs outside the host application, which has no way to inject JavaScript into the website's code. So you can trust these apps:

If the subject interests you, this page by Felix Krause will answer your questions about this hidden practice of application publishers.

