InAppBrowser tool reveals hidden JavaScript injections

A tool made by developer Felix Krause reveals hidden JavaScript injections via in-app browsers.

In-app browsers provide developers with a convenient way to let users browse specific websites without leaving their apps. However, they can be used to violate user privacy.

JavaScript injected through an in-app browser can be used to collect data about users, including their taps on a web page, keyboard input, and more.

This data can then be used to build a “digital fingerprint” of a specific individual for targeted advertising.

Krause has created a tool called InAppBrowser that can generate a report on the JavaScript commands a developer executes through an in-app browser.

To use the tool, you just need to open the app you want to analyze and use the in-app browser to open the URL””.

Krause has already tested some popular apps with his tool, including TikTok and Instagram.

TikTok was found to monitor all keyboard inputs and screen taps when using the in-app browser. Instagram, meanwhile, was able to detect all text selections on websites.

In a disclaimer about the limitations of his tool, Krause wrote:

“This tool works by overriding most common JavaScript functions, but the host app can still inject other commands.

From iOS 14.3, Apple introduced a new way to run JavaScript code in an ‘isolated world’, making it impossible for a website to verify what code is running.

This tool also cannot detect other app tracking that may occur, such as custom gesture recognition, screenshot detection, or web request event tracking.”

Not all apps that inject JavaScript code do so for malicious purposes, but InAppBrowser can help discover those who do so for no good reason and discourage others.
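The override approach mentioned in Krause's disclaimer can be illustrated with a short page-side audit. This is an added example, not code from InAppBrowser or from the article: the `WATCHED` mapping, the function names and the simulated injected listeners are constructed for illustration, and a plain `EventTarget` stands in for `document` so it runs outside a browser.

```javascript
// Map event types to the behaviours named in the article (mapping is an assumption).
const WATCHED = {
  keydown: 'keyboard input', keyup: 'keyboard input', keypress: 'keyboard input',
  input: 'keyboard input',
  click: 'screen taps', touchstart: 'screen taps', touchend: 'screen taps',
  selectionchange: 'text selection',
};

// Wrap addEventListener on a prototype and record every registration made after this point.
function installListenerAudit(proto) {
  const original = proto.addEventListener;
  const log = [];
  proto.addEventListener = function (type, listener, options) {
    log.push({
      type,
      category: WATCHED[type] || null,
      target: this.constructor ? this.constructor.name : 'unknown',
    });
    return original.call(this, type, listener, options); // keep normal behaviour
  };
  return {
    log,
    // Distinct sensitive categories seen so far, sorted for stable output.
    categories: () => [...new Set(log.map((e) => e.category).filter(Boolean))].sort(),
    restore: () => { proto.addEventListener = original; },
  };
}

// Constructed demo: listeners registered after the audit is installed,
// standing in for script a host app adds to the page's own JavaScript context.
function runDemo() {
  const audit = installListenerAudit(EventTarget.prototype);
  try {
    const page = new EventTarget(); // stands in for `document`
    let fired = 0;
    page.addEventListener('keydown', () => { fired++; });
    page.addEventListener('selectionchange', () => { fired++; });
    page.addEventListener('scroll', () => { fired++; });
    page.dispatchEvent(new Event('keydown')); // wrapped listeners still fire
    return { categories: audit.categories(), count: audit.log.length, fired };
  } finally {
    audit.restore();
  }
}

console.log(runDemo());
```

An audit like this only sees registrations made in the page's own JavaScript context; as the disclaimer notes, code a host app runs in an isolated world never passes through the wrapped function.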


Tags: data, felix krause, inappbrowser, infosec, JavaScript, privacy, security
