TWEETSTORM is an occasional feature on decentralize.today where we share threads, mostly from Twitter, that we think deserve a wider audience. Some are informative, some educational, some amusing and others yet are controversial... we dig these out for you so you don't have to!

Today's is short but shocking!

Felix Krause (@KrauseFx)

Announcing InAppBrowser - see what JavaScript commands get injected through an in-app browser

TikTok, when opening any website in their app, injects tracking code that can monitor all keystrokes, including passwords, and all taps.

https://krausefx.com/blog/announcing-inappbrowsercom-see-what-javascript-commands-get-executed-in-an-in-app-browser


Felix Krause (@KrauseFx)

https://InAppBrowser.com - a new tool I used to investigate the in-app browsers of apps (that use them) to look for any external JavaScript code being injected.


Felix Krause (@KrauseFx)

When opening a website from within the TikTok iOS app, they inject code that can observe every keyboard input (which may include credit card details, passwords or other sensitive information). TikTok also has code to observe all taps, like clicking on any buttons or links.


Felix Krause (@KrauseFx)

Continuing to analyse the Instagram iOS app, I found something new: Besides injecting pcm.js (as covered last week), Instagram also injects JavaScript code to observe all taps happening inside their in-app browser, like clicking on buttons, links or images.


Felix Krause (@KrauseFx)

As of iOS 14.3, apps can easily hide their JavaScript activities from websites using WKContentWorld. Hence, it becomes more important than ever to find a solution to end the use of custom in-app browsers for showing third-party content.


Felix Krause (@KrauseFx)

Apps that use the recommended SFSafariViewController approach don’t have any of those problems. Even with the WKContentWorld system, there is no way the iOS app can inject JS code into external websites, making it the safest choice for the user.

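For website operators who want to see the kind of thing InAppBrowser.com looks for, here is an added example (not code from the thread or from InAppBrowser.com) of two client-side checks: whether DOM hooks such as addEventListener have been wrapped by a foreign script, and whether any loaded script comes from an origin the page did not ship. The script URLs and allow-list are constructed sample values, and, as the thread notes, injection done through a separate WKContentWorld is invisible to checks like these, which is the argument for SFSafariViewController.

```javascript
// Added example: page-side checks for JavaScript injected by an embedding
// in-app browser. Only catches injection into the page's own content world.

// A native DOM/host function stringifies to "... { [native code] }".
// A user-written wrapper around it does not.
function isNativeFunction(fn) {
  return typeof fn === "function" &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Names of hooks on `target` (e.g. document) that are no longer native.
function findPatchedHooks(target, names) {
  return names.filter((name) => !isNativeFunction(target[name]));
}

// Script URLs whose origin is neither the page's nor on the allow-list.
function findForeignScripts(scriptSrcs, allowedOrigins, pageOrigin) {
  const allowed = new Set([pageOrigin, ...allowedOrigins]);
  return scriptSrcs.filter((src) => {
    if (!src) return false; // inline <script> blocks have no src attribute
    try {
      return !allowed.has(new URL(src, pageOrigin).origin);
    } catch {
      return true; // an unparsable src is worth reporting too
    }
  });
}

// In a real page: auditPage(document, [...document.scripts].map(s => s.src),
//                           ["https://cdn.example.com"], location.origin)
function auditPage(target, scriptSrcs, allowedOrigins, pageOrigin) {
  return {
    patchedHooks: findPatchedHooks(target, ["addEventListener", "querySelector"]),
    foreignScripts: findForeignScripts(scriptSrcs, allowedOrigins, pageOrigin),
  };
}

// Constructed demo: a document whose addEventListener has been wrapped by some
// script, plus one script tag pointing at an origin the page never included.
function demoReport() {
  const fakeDocument = {
    addEventListener: function (type, listener) { /* wrapper, not native */ },
    querySelector: Math.max, // stands in for an untouched native function
  };
  const scripts = ["https://cdn.example.com/app.js", "/local.js", "",
                   "https://tracker.example.net/observe.js"];
  return auditPage(fakeDocument, scripts, ["https://cdn.example.com"],
                   "https://www.example.com");
}
```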

Felix Krause (@KrauseFx)

FAQ for non-tech readers


Felix Krause (@KrauseFx)

Wow, what an honour to have my work featured on @forbes, including statements by TikTok confirming the code I found exists and does what I expected.

https://forbes.com/sites/richardnieva/2022/08/18/tiktok-in-app-browser-research/ via @richardjnieva


These are some truly scary people... GET OUT AND GET OUT NOW!!!
