this post was submitted on 28 Mar 2024
198 points (97.6% liked)

Technology

57865 readers
5782 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
L4s@lemmy.world
198
In-app browsers still a privacy, security, and choice issue (www.theregister.com)
submitted 5 months ago by ForgottenFlux@lemmy.world to c/technology@lemmy.world
16 comments fedilink hide all child comments
 

In-app browsers are like standalone web browsers without the interface – they rely on the native app for the interface. They can be embedded in native platform apps to load and render web content within the app, instead of outside the app in the designated default browser.

in-app browsers, without notice or consent, "ignore your choice of default browser and instead automatically and silently replace your default browser with their own in-app browser."

In August 2022, developer Felix Krause published a blog post titled "Instagram and Facebook can track anything you do on any website in their in-app browser." A week later, he expanded his analysis of in-app browsers to note how TikTok's iOS app injects JavaScript to subscribe to "every keystroke (text inputs) happening on third party websites rendered inside the TikTok app" but, according to the company, never uses that keylogging code.

"If someone is interested in some content an app has linked to and displays in an embedded browser, I'd recommend copying the link and pasting it into a dedicated browser, which has more granular privacy settings that can be toggled."

Switch to a secure browser. The process varies by app, but if you find yourself on a website while using an app, try to find three dots or a Settings button. Tap that button to open a Settings menu. One of the options may be "Open in Browser." If you don't see any Settings menu options, simply copy and paste the URL from the browser's address bar into your chosen browser.

Use the web version of a service. You can also stop using the app altogether, which may be a good idea if you want to reduce the amount of personal information you share on social media.

you are viewing a single comment's thread
view the rest of the comments
[–] 2xsaiko@discuss.tchncs.de 5 points 5 months ago (1 children)

It's crazy that the in-app browser isn't an OS-level overlay that the app can't influence or look at what the user is doing in it. It would be totally feasible to implement, at least in theory.

Exact same as with the photos chooser on iOS which should really work in a way that the app never sees your entire photo library except for the photos you end up selecting, but it still being visible in the overlay, which would also allow them to get rid of that incredibly dumb permissions system it has.

[–] aeharding@lemmy.world 5 points 5 months ago (1 children)

It's crazy that the in-app browser isn't an OS-level overlay that the app can't influence or look at what the user is doing in it.

Android and iOS both have apis for in app browsers that are secure by design. Voyager for Lemmy uses this. Mastodon uses this. Last I checked even Twitter used this. However Facebook does not.

these platforms also offer lower level APIs to build custom interface which are more powerful and flexible (but can be abused). This isn’t necessarily a problem. Custom browser apps need that functionality, and apps sometimes display their own content with web views.

The problem is that app stores allow slapping a skin on this more powerful API and treating it like an in app browser to connect to arbitrary sites. Dumb imo. If you offer an in app browser, it should be required to use the platforms secure in app browser API.

More powerful APIs should only be available to browser apps and displaying your own content in a web view.

[–] 2xsaiko@discuss.tchncs.de 1 points 5 months ago (1 children)

Oh, good to know! Can you somehow tell which is which or do they look the same?

In that case, being able to use the more powerful widget should be controlled either by what you said or even just behind a permission check the user has to acknowledge.

[–] eluvatar@programming.dev 1 points 5 months ago

No you can't. Just use a main stream browser.