In-app mobile browsers pose hidden privacy risks

The browsers built into popular apps like Facebook and Twitter provide convenience for users looking to read a page — but also open them to broad privacy and security risks, as recent reports have highlighted.

The big picture: In-app browsers allow mobile users to follow links and read web pages without having to switch out of the app they’re using. But it’s difficult to audit who ends up with the data trails this browser activity creates — and that personal information could end up in the hands of the app maker.

How it works: Both Apple (iOS) and Google (Android) say they apply the same rules to in-app browsers that they apply to any other part of an app that they distribute in their app stores: Both companies require app makers to disclose all information they collect as part of their privacy policies.

  • Google also says it looks for data collected via in-app browser as part of its automated scans of apps submitted to the Google Play store.
  • Apple’s policies also prohibit particularly egregious abuses, such as surreptitiously discovering passwords or other private data.

Driving the news: Security researcher Felix Krause published a series of findings recently — including a report on TikTok last week and an earlier look at Instagram and Facebook — suggesting that many in-app browsers contain code that gives the app owners the ability to monitor what users tap, click or type.

Between the lines: App developers have the potential to collect more user information when they make use of an in-app browser to open links — and that could lead to more hidden data collection and heightened security risks, experts tell Axios.

  • Simple modifications to in-app browsers could easily allow platforms to track when someone types, clicks on a link or taps the screen, said Nick Doty, a senior fellow focused on internet architecture at the Center for Democracy and Technology.
  • This is true of all browsers, but with in-app browsers, users typically don’t realize that they’ve shifted into a different environment that might have different data collection practices — they might just think they’re using their default mobile browser, like Safari or Chrome, Doty told Axios.

Yes, but: It’s hard to say…