Facebook and Instagram use a custom in-app browser to track users, according to analysis

While Apple continues to make moves on general user privacy and security, especially with iOS, there are still some areas where third-party companies can take advantage of the tools Apple has in place. For instance, the built-in web browser in apps like Facebook or Instagram is still based on Apple’s WebKit. But it sounds like Meta has still found a way to track users who use that third-party web browser instead of Safari.


That’s according to a new analysis put together by Felix Krause. A wide range of apps still rely on Safari for web browsing, but others, like Facebook and Instagram, use a third-party option instead. These social networks, owned by Meta, use their own web browser for accessing the web, rather than Apple’s own default web browser.

And it’s with these third-party browsers, which are still based on Apple’s WebKit, that they can inject JavaScript-based tracking code to track users who browse through them. The tracker is codenamed “Meta Pixel,” and it is placed within every website and link. Based on Krause’s findings, this means Facebook and Instagram can track any user, regardless of their personal preferences regarding digital tracking.

From the report:

The external JavaScript file the Instagram app injects (connect.facebook.net/en_US/pcm.js) is the Meta Pixel, as well as some code to build a bridge to communicate with the host app. This is not just a pixel/image, but actual JavaScript code that gets executed:

The Meta Pixel is a snippet of JavaScript code that allows you to track visitor activity on your website. It works by loading a small library of functions which you can use whenever a site visitor takes an action that you want to track […]

The Meta Pixel can collect the following data:

  • […]
  • Button Click Data – Includes any buttons clicked by site visitors, the labels of those buttons and any pages visited as a result of the button clicks.
  • Form Field Names – Includes website field names like email, address, quantity, etc., for when you purchase a product or service. We don’t capture field values unless you include them as part of Advanced Matching or optional values.

What’s interesting is that Facebook and Instagram are not trying to hide Meta Pixel at all. Indeed, Facebook’s developer portal says “Meta Pixel” is designed to “track visitor activity on your website,” with every interaction tracked while the user is within the custom-built web browser.
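A site operator can check for this kind of injection from inside the page by comparing the scripts present in the DOM against the hosts the site itself serves code from. The following JavaScript is an added example, not code from Krause’s report or from Meta; the allowlist, the `shop.example` page and the function names are assumptions, and the sample list is constructed apart from the `pcm.js` URL quoted above.

```javascript
// Added example: flag <script> sources that the page itself did not ship.
// ALLOWED_HOSTS and the sample page below are constructed for illustration.
const ALLOWED_HOSTS = ["shop.example", "cdn.shop.example"];

// True when host equals an allowed host or is a subdomain of one.
// Matching on label boundaries keeps "shop.example.lookalike.test" out.
function hostAllowed(host, allowed) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return allowed.some((a) => h === a || h.endsWith("." + a));
}

// scriptSrcs: the src attribute of every <script> in the DOM ("" for inline).
// Returns one finding per script whose origin is not on the allowlist.
function findForeignScripts(scriptSrcs, pageUrl, allowed = ALLOWED_HOSTS) {
  const findings = [];
  for (const src of scriptSrcs) {
    if (!src) continue; // inline script: no origin to compare
    let url;
    try {
      url = new URL(src, pageUrl); // resolves relative and //host/ forms
    } catch {
      findings.push({ src, reason: "unparseable" });
      continue;
    }
    if (url.protocol !== "https:" && url.protocol !== "http:") {
      findings.push({ src, reason: "non-http scheme" });
    } else if (!hostAllowed(url.hostname, allowed)) {
      findings.push({ src, reason: "host not allowlisted: " + url.hostname });
    }
  }
  return findings;
}

// Constructed sample: what document.scripts might hold inside an in-app browser.
const SAMPLE_SRCS = [
  "/static/app.js",
  "//cdn.shop.example/vendor.js",
  "",
  "https://connect.facebook.net/en_US/pcm.js", // file named in the report
  "https://shop.example.lookalike.test/x.js", // constructed lookalike host
];

// In a browser, pass the live list instead:
//   [...document.scripts].map((s) => s.getAttribute("src") || "")
console.log(findForeignScripts(SAMPLE_SRCS, "https://shop.example/checkout"));
```

This check only sees code that arrives as a `<script>` element with a `src`; code a host app evaluates directly in the page leaves nothing for it to find.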

Krause breaks things down for the “non-tech readers” as such:

  • Can Instagram/Facebook read everything I do online? No! Instagram is only able to read and watch your online activities when you open a link or ad from within their apps.
  • Does Facebook actually steal my passwords, address and credit card numbers? No! I didn’t prove the exact data Instagram is tracking, but wanted to showcase the kind of data they could get without you knowing. As shown in the past, if it’s possible for a company to get access to data for free, without asking the user for permission, they will track it.
  • How can I protect myself? For full details scroll down to the end of the article. Summary: Whenever you open a link from Instagram (or Facebook or Messenger), make sure to click the dots in the corner to open the page in Safari instead.
  • Is Instagram doing this on purpose? I can’t say how the decisions were made internally. All I can say is that building your own in-app browser takes a non-trivial time to program and maintain, significantly more than just using the privacy and user-friendly alternative that’s already been built into the iPhone for the past 7 years.

It’s that last bullet point that stands out. As Krause points out, it takes a “non-trivial” amount of time to develop and maintain a custom in-app browser. So Meta, which oversees Facebook and Instagram, made a conscious decision to go down this particular route, which also includes involving the Meta Pixel tracker in the first place.

At face value, it does appear that Meta was trying to get around Apple’s App Tracking Transparency (ATT) feature, which requires consent for an iPhone user to be tracked across websites and apps owned by other companies. This Meta Pixel within the company’s own third-party browser makes it possible for Meta to track users no matter what they’ve decided on in the past.

We’ll have to see where this leads.