Felix Krause published a tool for reviewing how in-app browsers hijack users' actions on the web. The tool follows a report made by the same developer.
TikTok's browser even captures every keystroke (including passwords) and reports those back to the app owner.
The tool reports on injected JavaScript code that could intercept the user's data.
Tool: InAppBrowser
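The sketch below shows one way a web page can notice event listeners registered by code other than its own. It is an added example, not code from the InAppBrowser tool. The names `installListenerMonitor`, `asPage` and `hostAppKeyLogger` are hypothetical, and wrapping `addEventListener` is an assumed technique rather than the tool's documented method.

```javascript
// Added example: report event listeners registered by code other than the page's own.
// `target` stands in for `document`; in a browser you would pass `document` itself.
const SENSITIVE = new Set(['keydown', 'keypress', 'keyup', 'input', 'click']);

function installListenerMonitor(target) {
  const original = target.addEventListener;
  const findings = [];
  let pageDepth = 0; // > 0 while the page's own setup code is running

  target.addEventListener = function (type, listener, options) {
    if (pageDepth === 0) {
      // Registration did not come from the page's own code: record it.
      findings.push({
        type,
        sensitive: SENSITIVE.has(type),
        name: (listener && listener.name) || '(anonymous)',
      });
    }
    return original.call(this, type, listener, options);
  };

  return {
    // Run the page's own registrations without reporting them.
    asPage(fn) {
      pageDepth++;
      try { return fn(); } finally { pageDepth--; }
    },
    // Unexpected listeners on events that can carry user input.
    report() { return findings.filter((f) => f.sensitive); },
    // Every unexpected listener, sensitive or not.
    all() { return findings.slice(); },
  };
}

// Constructed demo: an EventTarget plays the role of `document`.
function demo() {
  const doc = new EventTarget();
  const monitor = installListenerMonitor(doc);
  // The page's own handler, registered through asPage so it is not reported.
  monitor.asPage(() => doc.addEventListener('click', function pageMenuHandler() {}));
  // Constructed stand-ins for listeners added by a host app after page load.
  doc.addEventListener('keydown', function hostAppKeyLogger() {});
  doc.addEventListener('visibilitychange', function hostAppVisibility() {});
  return monitor;
}
```

A monitor like this only sees calls made in the page's own JavaScript context after it is installed, so an empty report does not prove that nothing was injected.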
References:
- In-app browsers like those in Facebook and Instagram are a big privacy risk, developer shows
- Developer creates tool that shows injected JavaScript commands through an in-app browser
- TikTok’s In-App Browser Reportedly Capable of Monitoring Anything You Type
Recommendations
Developer:
Use SFSafariViewController whenever possible.
QA engineer:
Verify that web views are protecting user data.
PM/DM:
Add security-related tasks to the backlog when needed.