See what JavaScript commands get injected through an in-app browser (opens in new tab)

Yeah - I never want an in-app browser. I wish it could be broadly disabled at least as an option, though I'd be fine with apple just removing the capability entirely.

It's particularly annoying with account cookies and such when I'm already authenticated in the normal browser.

Unfortunately I think they’re very popular with unsophisticated users. I’ve heard stories about companies getting a ton of support emails because someone clicked on an article link shown in $someApp, the user was booted to Safari, and didn’t know how to get back to where they were before.

I’ve heard of developers adding the in-app thing despite hating it personally just to reduce the support burden.

What really annoys me is that Facebook messenger used to offer an option for how to handle external links, but removed it in favor of one of these in-app browsers.

It’s quite clearly a user hostile decision, but they presumably did it for all that activity tracking they can do.

It seems like there should be a setting to make this the default. Sometimes I'll navigate a bit within the in-app browser after clicking on a link from like Twitter or something, and I'd much rather it pop open Firefox or something that I can actually trust. Now it sounds like Apple and Google should start putting warnings on these things by default, yeesh.

I'd like to add that I haven't been able to find a way to escape the TikTok in-app browser on Android. There are no buttons, not even a URL bar to copy from.

I highly doubt this will happen. There are a ton of apps that use things like Cordova or Capacitor (usually for cross-platform purposes).

What I could see them doing is making apps declare URLs that they need access to. Basically, you get full functionality on declared URLs, but if you are just using WebView for a "generic" in-app browser you lose the ability to inspect random pages.

Wouldn't a simple solution be to require apps that aren't browser to list a limited set of domains they're allowed to access? Then you could use the WkWebKit view for your app but you couldn't use it to allow the user to browse the web.

Browsers would get a pass where Apple would come up with some rule but clearly the Instagram app, the Facebook app, the TikTok app, the Gmail app, the Google app, are not browser where as Firefox, Chrome, Brave are.

IMHO the proper action would be to put the script injection and data access capability behind a user consent prompt.

"TIKTOK WOULD LIKE TO READ THE AND MODIFY THE CONTENTS OF THIS WEBSITE - ACCEPT/DENY"

For legitimate reasons, the app can inform the user about why they need to do this and the user can accept that and even better, they can implement legitimate APIs.

I’m not sure they can.

While SFSafari is a much better choice for what the apps are doing here, WKWeb has legitimate uses.

I suppose Apple could lock it behind an entitlement, but that would take a while as WKWeb is already very prevalent and people won’t replace it on short notice like a point release. Even iOS 17 seems fast.

Plus there is the general power issue. Apple could have done many things over the years to FB (and IG) but they’ve been treating them with kid gloves because those apps are so important. You can definitely add TikTok to that list.

In an app I'm using postMessage and JS injection to communicate between our in-house HTML/CSS content (due to what we're building, we had and still have many legitimate reasons to code that way) to seamlessly integrate the native side and the dynamic HTML views.

Any change would be a huge nightmare for apps like ours, potentially impacting many other apps as well.

Apple started moving in this direction in 2020 with the introduction of App-Bound Domains[0]. These are currently opt in but I have always expected that, just like with the HTTPs adoption, they'll start enforcing this more strictly. With App Bound domains an app specifies ahead of time which domains are app bound and should allow injecting Javascript etc.

I expect app-bound domains to become required for all apps in iOS 16 or possibly iOS 17. There will probably a be a limit and some review on which domains an app specify as app-bound. Web browser that use WKWebView already have a special entitlement that excludes them from this.

0: https://webkit.org/blog/10882/app-bound-domains/

Locking down in-app browsers seems like a reasonable trade-off. Kind of surprised it wasn't the case before, since browser extensions have had site permissions for ages now.

One could just follow what browsers do for extensions: have the developer specify a list of all the hostnames that they want to enable script injection on in a manifest, and ask for permissions at the start. Anything not on the list must be loaded via a sandboxed browser.

Keeps legitimate uses functional while preventing broad script injection.

> They're going to heavily lockdown WKWebView after the Instagram and Tiktok revelations, probably in iOS16.1

are you just making a prediction, or do you have knowledge of this?

+1 thanks for the info - it makes sense that Apple would try to mitigate this on their platform.

I use Apple’s new Lockdown Mode on the beta iOS 16 and iPadOS 16. I generally like it. It largely disables arbitrary JavaScript, as far as I know. A few times a week, I will turn off Lockdown temporarily for a few minutes for a web site if there are any problems. This is usually Amazon.com’s Kindle preview feature.

I hope they leave means of communication available. Something like window.postMessage. Like how Chrome extensions can expose a limited part of the Chrome API to webpages so they can post messages to certain extensions, without needing to inject anything into those webpages.

I hope it gets locked down further just like how Apple introduced App Tracking Transparency, to further reduce and make it harder for data collection like this so that it is not open to abuse, not just this but in all of iOS in general.

Whether if it is collecting biometric data, voice prints, reading the clipboard, collecting information around local network devices and now abusing the in-app browser to further collect user data, the same social networks will try anything to abuse the iOS system to collect as much data as they can.

Given that Facebook did the exact same invasive actions and was fined in the billions, there is enough evidence of these invasive data collection practices that TikTok has done over the years to be worthy of a multi-billion dollar fine.

There is no exceptions, excuses or any room for double standards.

They do a lot more than that.

> TikTok iOS subscribes to every tap on any button, link, image or other component on websites rendered inside the TikTok app.

> TikTok iOS uses a JavaScript function to get details about the element the user clicked on, like an image (document.elementFromPoint)

And that's just a sample of the calls the author was able to find.

Apple exposes two ways to use an in app browser. One is a legacy method that gives you full control, the other gives the user a sandboxed browser with no interference from the app.

TikTok isn't the only app abusing this. Instagram and Facebook will both do sneaky things like respond to the content of the page you're browsing (asking to save passwords in their own private keychain, showing context specific information, etc.)

-

You're not exposed to any of these if you don't open a link inside the in-app browser.

The most common reason to click a link in their in-app browser is an ad... so obviously TikTok, Instagram and Facebook are using the in-app browser to track your interactions after the ad click and sell the data

>> Does just not entering any keyboard input in the in app browser mitigate this?

yes but i doubt the hundreds of millions of users, many of which are children, know this

It might make it much harder to inject stuff, but since the apps control all aspects of the embedded browser and CSPs are enforced by the browser, they could feasibly just disable CSP enforcement and have the embedded browser ignore the CSP.

Not at the moment. This article from last week when the issue got exposed is arguing for adding it https://news.ycombinator.com/item?id=32418679 * Let websites framebust out of native apps *

CSP protects against an XSS threat model, but once the attacker has control of the browser itself, defeating CSP is trivial since you can just decorate scripts with the nonce string (or equivalent).

The article actually mentions those:

> [...] they use JavaScript to offer some of their functionality, like a password manager.

Basically a 3rd-party browser needs to use JS to offer any features or real benefit over simply using Safari. But as a TikTok user you have no benefit when all links open inside the app with tons of custom JS injected that seems to be mainly for tracking you.

Thought Apple was the bastion of consumer privacy. Apparently removing TikTok though is not commercially beneficial for them

not to mention the elephant in the room: Apple Finds Its Next Big Business: Showing Ads on Your iPhone https://www.bloomberg.com/news/newsletters/2022-08-14/apple-...

Google isn't blocking this because it would be a silver bullet to FTC for aiding Youtube. Apple isn't blocking this because they are beholden to China.

No, the browser is the "user agent" and decides what to do. The problem is that in this case TikTok is the browser and does what they want, not what is good for the user.

It is actually quite a hard problem. The App Store does ban third-party browser engines so maybe they can add a restriction that apps can only inject code into verified domains. Surely a few legitimate use cases would be lost (IDK apps that let you annotate websites or something) but it may largely mitigate this issue. Maybe there can be a permission or a review entitlement that allows this for valid use cases (as decided by Apple of course).

Or better, not inject anything when detecting inappbrowser.com

What surprises me is that this is technically possible on iOS.

People only care when "bad guys" do it

That's because only "bad guys" do this. If a "good buy" does this, they automatically become a "bad guy".

It's just another piece in how Apple sabotaged the web.

To be fair, Facebook and Instagram were caught first, and the news got to the front page last week.

Yes and that’s literally the first link in the first sentence in the first paragraph of the article lol

TikTok is no different and is beyond worse than Meta at this point. Whatever Meta is doing doesn't excuse the reasons for this tracking.

Given that Facebook was fined in the billions for this abuse in the past, TikTok should also be fined for this with in the billions of dollars.

We have learned nothing around this and have repeated the same problems in social networks a decade later.

You're linking to the same site as the OP. This is the follow up blog.

Hm, how does that help the user?

It’s on the browser to enforce CSP headers. In this case the browser itself is doing the malicious script injection. Think of it as a browser extension, just running without your consent. It’s up to the browser - not the website - to reject it.

Marx wouldn’t approve of some sort of great leap 2.0. CCP sucks, but since World Wars, have you seen the list of countries the US alone has invaded or led coups in? Add in the rest of the west.

It doesn’t matter much what some state’s publicly stated stuff is. There’s no reason to believe any country blindly. Their actions speak louder.

No not all of them do this. Yes, Instagram does, as per the chart in the article. The difference is Tiktok forces you to use their in app web view, and does not allow you to use your default browser, where they would not be able to inject their own JS code. Even worse, Tiktok monitors every single key stroke, a key logger in effect, where Instagram does not (according to the authors research).

If you open the article, it compares it to a few apps. TikTok blocks you from opening it in your default browser. The others don't

No, AFAIK not on android. As it uses the default browser, just in webview mode.

Instagram is a spyware company owned by a spyware company

Instagram and Facebook do the same thing.

People are going to reply to you with the usual "we are better than them", "we are a democracy" etc., but reciprocity clauses are very common in areas like international trade, travel, disarmament treaties, emissions control and lots more. In fact China would never have been allowed into the WTO (which happened in 2001) had they not made sweeping changes to their economy and assured the world that they would compete on a fair playing field, rules that they still (mostly) have to follow today. Requiring that American software companies have the same opportunities in China as Chinese ones enjoy in the USA is a perfectly sane position to take. In fact it is the fair and democratic one.

Of course politicians don't really understand tech enough to realize how quickly (and how unfairly) China is growing to dominate the space.

> Same with housing, why can Chinese nationals buy housing here, while I can't do so there?

Housing is a completely different conversation, and the answer there is that existing homeowners would never allow the influx of foreign cash into their local markets to stop, and they are the ones with all the influence in this country, not the renters or aspiring buyers.

Honestly, this type of discussion is seriously irritating, because it implies that TikTok is doing something unique that other apps aren't doing. Just as the article demonstrates, many western countries do the exact same thing that TikTok does, except TikTok seemingly takes it one step further (probably because of shoddy programming). Applying geographic-based arguments to technology is just a bandaid. The problem needs to be solved in all situations, not just in situations where people aren't politically happy.

Any company injecting keyloggers or monitoring systems into web content should be subject to the same equally damning judgement. Just because it's China doesn't make keylogging bad. Keylogging is bad because keylogging is bad. Companies like Fullstory [0] and Hotjar [1] are used all over the western internet and effectively act as full session recorders. Sure, used well they can be used for analytics, but you could just as easily inject Fullstory or Hotjar into an in-app browser and suddenly record all data a user does. Should this be possible? No. Does it help to just ban China? I mean sure, but why should you be okay with a western company doing it?

TikTok is a short video app used mostly by younger generations. It produces highly accurate recommendations for videos to watch. We're not talking about something like a banking app, a healthcare app, or even a messaging app. It's a video-based social network. There are bigger fish to fry than TikTok in almost every single possible category of app. Yet, TikTok is always brought up because it's from China.

[0]: https://www.fullstory.com/

[1]: https://www.hotjar.com/

Money.

And I don't just mean the politicians. I mean downright to the pension funds, hedge funds, and retail investor.

They are all long China and especially Chinese tech. If you start declaring war on Chinese tech you are going to obliterate a huge amount of money all to protect the privacy that US voters don't care about privacy in the least. So why would they do such a silly thing?

National security? Please, the son of a sitting President is a crack user with huge ties to China. Nothing some Tiktor user could divulge through the in app browser could ever compare.

> how we can allow a Chinese social media app in the west, while any non-chinese social media apps aren't allowed there?

Because we are the West, and China is China. We have different laws and customs.

So, I see this bandied about a lot, but I don't see the big deal in being spied on by a government that has 0 say in my entire hemisphere? Like, I have much bigger concerns about spying done on behalf of the five eyes alliance than China (obviously this would be the opposite if I was living in China). What are they going to do with my silly viewing habits, sell my data to advertisers? Well, same deal with youtube, google, fb, insta, whatsapp, etc. I'm not saying you are coming at this from a nationalistic point of view but I get that vibe from the ease of which tiktok is disdained on HN.

And on the merits, it is unhealthy like all social media, but it still feels so much more fun and worthwhile than facebook or insta where everything feels like a competition to have the best life. So much of Tiktok still feels like vine 2.0

Besides what's been said already, did you consider that "the west" is a collection of countries from at least 3 continents, wgile China is a single country?

Also the fact that the entire world relies on China is a pretty good place to start.

So, what would be the difference between us and them? There is a reason why our governance is better than them.

Also, if you don't know facebook, instagram also have same issue as tiktok. Maybe government should enforce privacy requirement for all apps including facebook and instagram instead of blanket banning Chinese apps.

Because China is ruled by technocrats who are probably book-smarter than Western politicians.

In the west you typically have to be rich to be a politician, in China you have to be smart, then you get rich(and ban the NYT when your corruption is uncovered).

Does it bother the west's rich and/or powerful? If not, it doesn't matter in the West apparently.

China and the West are both controlled by factors not really in line with helping the stereotypical Common Person.

We’re not a dictatorship?

I would zoom out a bit.

For example, when the media in The West "front pages" the smog in Beijing keep in mind The West owns a good part of that. It's not like what's manufactured in China stays in China. I would presume their water ways are nasty as well.

Just one example mind you. The point is, there are other imbalances. That's not to say TikTok should get a free pass, only that it's complicated than an app for app comparison.

Amusingly, TikTok isn't available in China - only DouYin, which is similar but separate.

I'm not 100% sure on this at this point, but I think if Facebook/Google/etc were willing to do the same they would be allowed in China too, but as it stands they can't/won't comply with Chinese law (I may be mistaken on this, haven't read up on the topic in quite some time)

Who cares? This is about privacy and security. Not a “why can’t we do it in your country back to you” argument

Sounds like the opposite of housing from a national security POV. If a Chinese national buys a house in the US, then the US has 'control' over their property. The US would want Chinese nationals to buy houses in the US.

There is an interesting meta discussion here but the parent is over-simplifying things.

> How we can allow a Chinese social media app in the west, while any non-Chinese social media apps aren't allowed there?

Easy. The laws are different.

"Non-Chinese social media app"s are not banned in China, just that if you run one it need to be licensed (https://beian.miit.gov.cn/) first before you can start servicing. Licensing is difficult since there's requirements about keeping data domestic, having physical presence should legal enforcement be necessary (i.e. there are people to arrest if something goes wrong), and complying with takedown requests (both copyright and political). Western big tech companies (rightfully) do not want to comply, so they do not get licenses, and thus have no presence. Attempting to "just provide service" without a license will result in blacklisting via the GFW as enforcement.

"Allow a Chinese social media app in the west" -- this is also more complex. If TikTok or friends violate laws in the west they are also liable for any punishment. For example, TikTok and WeChat comply with the GDPR in Europe and keep EU data local to the EU. If they didn't they'd be looking at a potentially huge fine and possibly getting banned. Similarly they also comply with copyright stuff like DMCAs. If they didn't, the FBI can seize their domain and compel ISPs to not resolve it just like the GFW (this has precedent and has been done before).

So the meta question becomes: Are the current protections in the west sufficient? To which the answer is probably no.

But in any case, in the free world, whether a Chinese social media app's presence is allowed to be maintained should not be dictated by ideology, but rather through real demonstrated evidence of misbehavior and/or harm (which is why research like this is important).

What I don't understand is why Google has let YouTube become one big advertisement for TikTok. Every video I watch on YouTube is preceded by a TikTok ad.

> why can [XXX] nationals buy housing here, while I can't do so there?

Simply because when XXX nationals come with all cash offers and willing to pay above market & waive all contingencies, sellers are willing to sell.

It just so happens that certain nationals are more prone to having that sort of money than others.

All of this. And, to be clear, much of that home purchasing is for investment purposes (vs simply Chinese nationals with residences here).

And, don't forget farmland.

Seems we'll look back on all of this at some point and decide maybe it wasn't the best idea.

Because of unfortunate politics - young people are thriving on TikTok so all discussions on limiting the platform under Trump were reasonably responded to with outcries about censorship. I think it's possible some change could happen under the current administration's watch (since it wouldn't be viewed as a free-speech crackdown) but there doesn't seem to be much interest now that it's just about security and not also about punishing your political opponents.

Because west operate under different systems. West has for while being about free trade free market global capitalism. Where as China is using much more controlled approach.

Fundamentally west can't get too faraway from these ideals or it will end up destroying its hegemony. Huawei has already been banned, but what comes after social media? And if some action is taken, will other countries start banning western imports specially cultural and services?

The corporations that control our government depend on China’s cheap labor. It’s as simple as that.

I can’t understand how we allowed every industry to wholesale migrate to China and write off every manufacturing method and trade secret.

The answer both of our questions is of course money. Our version of capitalism is dominated by cult-like disciples of financial management principles.

If the US fucks with TikTok, well maybe they’ll mess with Office 365.

If non-Chinese companies are willing to abide by Chinese laws (including those about censorship, etc.), they'll be able to operate in China. Chinese social media apps abide by US regulations around social media and private surveillance, which are almost nonexistent, so they can operate in the US.

The only way to prevent this is to create laws specifically targeting the Chinese for being Chinese, because 1) the chance for domestic regulation on social media and surveillance is very low, and 2) any regulation we're likely to pass would be about "spreading misinformation" and "foreign interference," so would probably end up closely resembling Chinese regulations.

Well, it's gonna cost me many downvotes, but this needs to be said. CCP has a tight grip on many US officials. The two publicly known cases are Pelosi's son and Biden's son, who are prominent investors, board members even, in chinese companies. That's public knowledge, but I bet it's the tip of the iceberg.

Trump tried to ban TikTok (and quite a lot more), but he’s orange and bad, so Biden repealed it. And tariffs are racist, so there’s that. America is not functioning well at this point and nothing indicates it will improve.

What happened to free speech being the bastion of America and the only thing that can counter misinformation and propaganda?

Suddenly doesn't seem to work so well when a Chinese app is granted that privilege.

Because only US can buy cheap goods and services from the world with printed paper called dollars.

It's amazing. Tiktok has been HN's darling for the longest.

Because the opposite would be considered racism and xenophobia.

Because it’s a sovereign country that makes its own rules? So, basically the same reason that you can’t just move to Italy because you feel like it.

Everything is legal until it is explicitly made illegal. And I can assure you no US politician can understand more than 3 words in that paragraph you wrote, let alone make laws to regulate it.

For what it's worth, Google doesn't allow you to log into your Google Account in a in-app browser for this exact reason... unless you enable some "Insecure App" settings in Google Admin settings.

If you use the platform, you've expressly agreed to this behavior. You can't create an account without affirming that you read and agreed to their policies and terms of use.

Instagram's privacy policy: https://privacycenter.instagram.com/policy/

>We call all of the things you can do on our Products "activity." We collect your activity across our Products and information you provide, such as: [...] Apps and features you use, and what actions you take in them.

Tiktok's USA privacy policy: https://www.tiktok.com/legal/privacy-policy-us

>We collect information when you create an account or use the Platform. We also collect information you share with us from third-party social network providers, and technical and behavioral information about your use of the Platform. [...]

>We may collect information about you from third-party services, such as advertising partners, data providers, and analytics providers.

Aren't EULAs fun?

Hey don't even worry about it, just look at this hilarious picture of a kitten instead

Can they really though?

I mean, this is literally XSS. And it's not just Facebook and Tiktok, unless this is a private API scummy apps can and are (I guarantee) doing this to steal user passwords and bank credentials. Your average person already needs to know that they can't type in their credentials unless the URL says facebook.com, now they also need to check the app is Safari. And you may not even need to enter credentials, a malicious app could just load my-bank.com and extract the cookies or local storage or send API requests.

If true...wow. That's a massive security oversight. But it seems to massive I'm not 100% convinced. Especially because websites are tightly sandboxed from other websites and apps are tightly sandboxed from other apps. Yeah you could in theory re-implement your own web browser in your app which looks and acts like Safari, but in practice Apple technically forbids other web-views, and it's really hard to fully implement a web browser and not make it immediately apparent anyways.

We'll find out soon enough, but no existing law covers it so clearly that it can be decided with certainty without a judge's imprint.

You're surprised?

Those were never trustworthy.

These same tools are what allow you to build and ship fully JS based apps on iOS instead of having to use Swift or Objective-C or anything like that. Arbitrary web views can be an entire app. Or they can reinvent the wheel and become in-app browsers. A lot of apps are fully or partially web based. Even Apple’s own apps use web views in crazy ways. For example, the entire Mac App Store used to be a web view. Parts of macOS system preferences are web views. It’s just that because they’re web views, if you slap browser-like chrome on them and send them to the internet, they also work as web browsers.

It's the in-app browser. The one that opens within the app, so that people don't need to switch to another app, and usually used for short-lived sessions. It doesn't modify or spy on the actual separate browser (Safari etc), just on whatever happens inside the app (as you would expect, app knows what's going on within itself), and it just so happens that sometimes in the app there is a browser page being displayed, which then goes to reason can also be spied on.

Android has these in-app browsers too, they may or may not be subject to this.

I assure you Android is capable of the exact same thing.

A lot of apps use webviews to render HTML, often in ways where you wouldn't even notice it's web content. Apps shouldn't use webviews to render external web sites but nothing in the APIs restrict them from doing so (recent versions of iOS have made it seem like they're heading in that direction but nothing concrete).

Easiest thing would be for Apple and Google to enforce this via denying app approvals. Would be a very interesting fight against apps this popular, though.

Android is in basically the same situation.

Obviously both Android & iOS let you open things in the default browser.

iOS has SFSafariViewController, which more-or-less corresponds to Chrome Custom Tabs on Android. These basically make a browser UI that is in the of the app for the purposes of multitasking/app-switching, but which is controlled by the browser. Devs can't inject code into these.

And both have WebViews, which let the dev do more-or-less whatever they want inside their own app.

That's a problem of social media a such. Remember the Tide Pod challenge?

I walked into a shop. They place a bug on me, so they can listen to my conversations in the store, and the store next door if I leave and pop in there. Both conversations about products, and conversations about I am having with my therapist about personal problems. Everything is recorded.

They use it to make their algorithm better, and they'll use it to better target ads. Both of these things are good for me the shopper, so I'm fine with it. If they sell that data to other companies, have their employees LOL at my problems, or secretly pass it on to the police or spy agencies, that is totally cool. Nothing to hide here!

And for those who don't like it, don't shop at this particular store.

I like TikTok, I think that algorithm is toxic and that "better" currently means "more toxic". My simple ask is that I wish we could control it a little better. It sends you down a tree, but I wish we could zoom out, visualize the tree and just pick a different branch to go down.

This was expected and the intention for this invasive spyware is obvious, otherwise, how else is their dystopian recommendation algorithm supposed to work if you don't give access to your entire life records.

The difference is that this was done before by Meta / Facebook and they were fined in the millions, and even by billions by regulators like the FTC over this. This same problems a decade ago are being repeated once again and we have learned nothing.

TikTok should be under the same regulations, especially when they are operating in many countries that have strict data privacy laws and given this unsurprising and extremely invasive data collection practice which is even worse than Facebook, they should be fined in the billions of dollars as a reminder that it applies to any social network, especially those with billions of users.

If left alone, it will only get worse for everyone.

That's great if it's something you want. What happened to getting consent? All of these "features" should be opt-in.