InAppBrowser reveals if TikTok, Instagram and other apps with browsers inject their JavaScript

Earlier this month it was revealed that popular mobile applications with integrated browsers injected custom JavaScript into the sites they visited. Facebook, Instagram, and TikTok all use code injection techniques to track virtually everything app users do on any website open in the in-app browser.


Companies that own the offending applications benefit in several ways. First, everything happens entirely behind the scenes, without most users suspecting any of it. Second, in-app browsers don't support content blockers or reveal privacy information when used.

Most companies use in-app browsers and code injections for tracking and monetization purposes, but some may use code to monitor all user activity, including all keystrokes.

Felix Krause created the InAppBrowser website, which is designed to reveal to the user if an in-app browser is injecting code.

Here’s how it works:

  1. Open the application you want to analyze.
  2. Use the sharing feature within the app to get the link into the app, for example by sending it in a direct message or posting it publicly.
  3. Open the link that was just shared or posted.
  4. Check the displayed report.

The website reveals whether it has detected JavaScript code injections and how it evaluates these injections. For TikTok, the website reveals the following:

  • Adds CSS code, which allows the app to customize the look of the website.
  • Monitors all taps that happen on websites, including taps on all buttons and links.
  • Monitors all keyboard inputs on websites.
  • Gets the title of the website.
  • Gets information about an element based on coordinates, which can be used to track which elements the user clicks.

Instagram, another popular application, also inserts JavaScript code. While it doesn’t monitor keyboard inputs, it monitors all JavaScript messages and text selections and inserts external JavaScript code.

Any JavaScript commands detected are also listed for closer inspection.

You can check out the blog post, which offers more details.

Krause notes that the site may not detect all code injections or all executed JavaScript commands. It also doesn’t detect native code, which might also be used by apps.
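
One way a page can notice this kind of injection, shown as an added example that is not InAppBrowser's own code: it assumes the page wraps a few DOM APIs before any injected script runs and records calls to them, which is also why anything that ran earlier or in native code goes unseen. The names `instrument`, `summarize`, `runDemo` and `FakeDocument` are hypothetical, and the stand-in document is constructed so the snippet runs under Node.js.

```javascript
// Map event types to the behaviour categories the report lists.
const CATEGORIES = Object.assign(Object.create(null), {
  keydown: 'keyboard input', keypress: 'keyboard input', keyup: 'keyboard input',
  click: 'taps', touchstart: 'taps', touchend: 'taps',
  selectionchange: 'text selection', message: 'JavaScript messages',
});

// Wrap sensitive APIs on a document-like object and return a live findings log.
// A real page would also wrap EventTarget.prototype to cover other elements.
function instrument(doc) {
  const findings = [];
  const record = (category, detail) => findings.push({ category, detail });
  const origAdd = doc.addEventListener;
  doc.addEventListener = function (type, listener, options) {
    if (CATEGORIES[type]) record(CATEGORIES[type], `addEventListener('${type}')`);
    return origAdd.call(this, type, listener, options);
  };
  const origLookup = doc.elementFromPoint;
  doc.elementFromPoint = function (x, y) {
    record('element lookup by coordinates', `elementFromPoint(${x}, ${y})`);
    return origLookup.call(this, x, y);
  };
  let title = doc.title; // read once before the getter is replaced
  Object.defineProperty(doc, 'title', {
    configurable: true,
    get() { record('title read', 'document.title'); return title; },
    set(value) { title = value; },
  });
  return findings;
}

// Distinct categories seen, sorted for a stable report.
const summarize = (findings) => [...new Set(findings.map((f) => f.category))].sort();

// Constructed stand-in for `document` so the example runs outside a browser.
class FakeDocument extends EventTarget {
  constructor() { super(); this.title = 'Example page'; }
  elementFromPoint() { return null; }
}

// Constructed sample: mimics the behaviours the report lists for TikTok.
function runDemo() {
  const doc = new FakeDocument();
  const findings = instrument(doc);
  for (const type of ['keydown', 'click']) doc.addEventListener(type, () => {});
  doc.elementFromPoint(10, 20);
  void doc.title;
  return summarize(findings);
}
```

Each entry in the findings log keeps the exact call that triggered it, so the raw list can be shown next to the category summary for closer inspection.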

Protection against invasive apps within the browser

Mobile app users have only a few options. Besides the obvious one, removing the app from the device, they may be able to redirect links to other browsers on the device. Not all apps support this, though. DNS-based content blockers may not be of much help either, at least not against the potential reading of keystrokes or other activities unrelated to displaying ads or tracking.

Now you: Do you use apps with in-app browsers?




Martin Brinkmann


Ghacks technology news


