There is this buckwild insane thing that when you visit any URL on the internet whatsoever with the in-app browser built into Instagram (and several other apps), it injects JavaScript onto the page, the point of which is extreme tracking of what you are doing.
Set my Instagram profile URL to https://t.co/h41IPjQGcN to test out what its in-app browser injects on iOS and it’s… a lot.
— Chris Coyier (@chriscoyier) September 5, 2022
This was reported heavily about a month ago and no action so far that I know of. WTF? pic.twitter.com/LbOFJiOGdR
Two things:
- Meta (and anyone else) should absolutely not be doing this. WTF?
- Apple should absolutely not allow this, through policy, action, and especially technologically.
So rather than Meta stopping it or Apple preventing them from doing it, normal people are suing Meta over it.
A Meta spokesperson has provided MacRumors with the following statement:
These allegations are without merit and we will defend ourselves vigorously. We have designed our in-app browser to respect users’ privacy choices, including how data may be used for ads
Sometimes there are gray areas. I almost always see gray areas in politics and debates of any kind. This just isn’t one of them. You can literally just look and see the JavaScript injection happening.
They can’t restrict this technologically, because if you are building your app with web views, you likely need to be able to run things and communicate within that web view. What they can and should mandate is that apps use SFSafariViewController in cases like these where the intent is to have a general-purpose browser embedded within the app.