The in-app browsers of Instagram and TikTok can spy on what we do on any website, and there is little we can do about it

Felix Krause, a researcher, has discovered that applications such as Instagram, Facebook or TikTok can potentially track everything we do on a web page opened in the browsers built into their mobile apps. Although Google and Apple do a lot to limit how far an application or website can track us through cookies or identifiers, the reality is that some parts are technically beyond their control.

These applications take advantage of something that mobile operating systems leave in their hands: built-in browsers. Unlike apps such as WhatsApp, Twitch, Spotify or Slack, which by default open links in the system browser (Chrome or Safari), TikTok and Instagram use their own in-app browser. With it they can choose to leave the websites we visit through them untouched, or to modify their behaviour and/or appearance by injecting JavaScript. Let's see what that means.

Know every step you take on a website (and potentially collect it)

On the left we can see everything that the code Instagram injects can do. In the middle, how to avoid this tracking: by choosing to open the page in the browser, in this case Safari. On the right, the same web page opened in Safari detects no code injection, as it should.

If you are worried about what each built-in browser can do when you visit a website, Krause has created an open-source website with which we can check whether an app injects JavaScript code, and what that code is able to detect on our screen. It is the site we used for the screenshots.

According to Krause, when we open a link sent to us by direct message on Instagram, for example, or tap on an advertisement that interests us, its browser performs the JavaScript injection mentioned above.

At first, Krause said that the code did not do things like track the links we tap on, but he later notes that, after improving his JavaScript detection, he found it capable of detecting every tap on a link, image or other component, as well as the selection of a text field, among other things.

The researcher also points out: "The fact that an application injects JavaScript into external websites does not mean that the application is doing something malicious." The problem is that we cannot know. What we do know is that these problems do not exist when a page is opened in Safari, in Chrome, or in the system-provided browser views (Apple's SFSafariViewController, Chrome Custom Tabs on Android) that give an app an integrated-browser look without letting it touch the page.

Meta, in its reply to Krause, acknowledges that it executes code. However, it argues that the JavaScript it injects (pcm.js) is used to honour users' decisions under App Tracking Transparency, the policy Apple has applied since iOS 14.5 to stop applications from tracking us without permission.


This is everything Instagram could learn about a website with the code it injects. Which does not mean that it actually collects it.

In the case of TikTok, Krause found that the social network can, through its built-in browser, see every text input made on a web page opened with it. It can also see every button, link or image tapped on the screen, and has a function that records details about the elements that were tapped.

As with Instagram, we cannot know whether TikTok actually obtains the information these tools could give it, nor, if it does, how it processes that data. What we do know is that it has the ability to do so, by not using the default browser and introducing its own modifications. According to Forbes, the company acknowledges that the functions exist and that it injects code, while stating that it does not use them. According to spokeswoman Maureen Shanahan:

"Like other platforms, we use an embedded browser within the app to provide an optimal user experience, but the JavaScript code in question is used only for debugging, troubleshooting, and performance monitoring of that experience, such as checking how fast a page loads or whether it crashes."

According to Motherboard , a TikTok spokesperson has told them the following:

"The report's conclusions about TikTok are incorrect and misleading. The researcher specifically says that the JavaScript code doesn't mean our app is doing anything malicious, and admits that he has no way of knowing what kind of data our in-app browser collects. Contrary to what the report states, we do not collect keystrokes or text input through this code, which is used solely for debugging, troubleshooting, and performance monitoring."

What can we users do?

Opening Instagram links in Safari or another browser is the way to avoid potential tracking by the app.

Given the possibility that what we do is being recorded, anyone who really cares about their privacy (or at least wants to protect it as far as possible) should open links outside the in-app browsers.

That is, when there is an "Open in Safari" or "Open in Chrome" button, the ideal is to use it, especially if the content we are about to view is more sensitive than usual. If there is no such option, the ideal is to copy the link and open it manually in a separate browser. Some applications let us choose which browser their links open in, but they are few.


The problem is that TikTok, for example, does not even offer an "Open in Safari" option, so its users have even less room for manoeuvre.