Researcher Felix Krause published a report on the risks of using certain mobile applications. The inspected applications share a very specific feature: an integrated web browser. Instagram, Facebook and TikTok include this feature “to improve the user experience”, since it is “less annoying” to open a link inside the app than to switch to another app and use the phone's web browser.
What he found are JavaScript code injections into third-party websites that pose a security and privacy risk. The researcher himself has published the web application InAppBrowser.com to list all the detected commands.
This application is used by posting its link in one of these apps and then tapping it, so that the app's browser opens instead of the phone's usual browser (Safari on iOS and Chrome on Android). The screen then immediately shows the code that executes without our knowledge.
In the specific case of TikTok, what the application detects is code capable of recording all the text entries the user makes in the internal web browser, which could in some cases include banking data or credentials. For its part, TikTok claims that it does not use these features or store the information.
Instagram, for its part, does something similar through a small JavaScript program that could also record where we tap on the screen.
Even if user actions are recorded, it cannot be verified (at least with the application designed by the researcher) what happens with the recorded data.
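As an added example (not code from the article, from Felix Krause or from InAppBrowser.com), the following page-side self-check illustrates the kind of signals a website can look for when it is loaded inside an in-app browser: DOM APIs that are no longer native functions (a common side effect of a script wrapping event or input handlers) and script elements served from origins the page does not expect. The function names `isNativeFunction`, `getPath` and `auditPage` are assumptions chosen here.

```javascript
// Added example, not part of the original article or of InAppBrowser.com.

// True when fn still prints as native code, i.e. it has not been replaced by a
// JavaScript wrapper. Wrapping addEventListener or input-related APIs is one
// way injected code can observe what the user types or taps.
function isNativeFunction(fn) {
  return typeof fn === "function" &&
    Function.prototype.toString.call(fn).includes("[native code]");
}

// Resolve a dotted path such as "EventTarget.prototype.addEventListener"
// against a root object (globalThis in a browser).
function getPath(root, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), root);
}

// Report which of the listed APIs have been wrapped by non-native code and
// which external <script> elements do not come from an allowed origin.
// `doc` only needs `scripts` and `baseURI`, so it can be stubbed for testing.
function auditPage(root, doc, apiPaths, allowedOrigins) {
  const patched = apiPaths.filter((p) => {
    const fn = getPath(root, p);
    return fn !== undefined && !isNativeFunction(fn);
  });
  const foreignScripts = Array.from(doc.scripts || [])
    .filter((s) => s.src) // inline scripts carry no origin to compare
    .filter((s) => {
      const origin = new URL(s.src, doc.baseURI || "https://example.invalid/").origin;
      return !allowedOrigins.includes(origin);
    })
    .map((s) => s.src);
  return { patched, foreignScripts };
}

// Browser usage (only runs where a DOM exists):
if (typeof document !== "undefined") {
  console.log(auditPage(globalThis, document, [
    "EventTarget.prototype.addEventListener",
    "Document.prototype.createElement",
    "Node.prototype.appendChild",
  ], [location.origin]));
}
```

Scripts that a host app injects through WebView APIs need not appear as `<script>` elements at all, so the check on native functions is the more useful of the two signals; an empty report is not proof that nothing was injected.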
For regular users, it is advisable to always use the phone's own browser. Normally, this option is located in the upper right corner, in a button called “Open in web browser” or similar. In addition, attention should be paid to where information is entered.
Sources: Segu-Info | Felix Krause