How to keep your data safe when opening Facebook, Instagram links

When you want to open a link on Instagram or TikTok, your first instinct might be to just click on it. But be aware: you could reveal everything you do to social media companies.

A recent report highlighted iOS social apps’ use of “custom browsers,” urging Facebook parent Meta and TikTok to continue developing their own in-app browsers instead of using the one provided by Apple, which has some built-in privacy safeguards.

Software developer Felix Krause sounded the alarm after discovering that Meta and TikTok were injecting code into their browsers that he said could monitor anything you tap or even act as a keylogger — a tool that can capture what you type, including passwords. Meta and TikTok confirmed the code exists but said they don’t use it for snooping.

TikTok said the code is for “debugging, troubleshooting, and performance monitoring.” Meta said the code helps it honor the choices the user made in Apple’s “Ask App Not to Track” prompt. Using its own browser instead of Safari brings security benefits, a Meta spokeswoman said, as well as a “more seamless and convenient experience for users.”

Here’s how concerned to be — and how to bypass custom browsers.

These companies are unlikely to collect everything you type on external websites, privacy experts said, but their use of custom browsers should still raise eyebrows. First, it’s not clear why a company would need debugging or performance monitoring on a site it doesn’t own, they said. Second, once companies set up a system that could act as a keylogger, they could inadvertently leak data. And third, there is no way to ensure that the company or an outside entity will not use the system for nefarious reasons in the future.

A few other iOS social apps, including LinkedIn and Snapchat, also use custom browsers, but don’t appear to be injecting similar code, according to Krause’s analysis tool, which he has made available to the public. It confirmed that Twitter, Reddit and others use Apple’s browser, which prevents apps from monitoring people’s activities after they open external links. (Copying the link and opening it in a separate browser app would also prevent this type of snooping.) A spokeswoman for Twitter said the company has partially switched to Apple’s tool to protect user privacy.

A LinkedIn spokeswoman said its browser helps track when someone applies for a job or visits a website after interacting with content on LinkedIn, which Safari tools wouldn’t allow. “We have strict limits on how we handle this information,” she said.

A Snap spokesman said its browser offers protection against malicious URLs, which Apple doesn’t have.

Meta and TikTok’s decision to open external websites through their own browsers, without making that clear in the moment, shows a lack of transparency, Krause said.

“The problem with this is that you never selected Instagram as your browser. They chose Instagram to share photos or maybe send messages to friends,” he said.

And collecting data on what users do after opening links would be a boon to those companies’ advertising businesses, said Patrick Jackson, chief technology officer at anti-tracking firm Disconnect.

“With these companies that use data as their primary revenue stream, it’s classic to push the boundaries or do things that a user isn’t aware of,” Jackson said. “We can’t just blindly trust these companies.”

But don’t despair. Meta’s decisions are still within Apple’s confines, noted mobile development analyst Eric Seufert. And there’s a good chance Apple will eventually introduce technical limits or app review processes that address those risks, Krause said.

An Apple spokesman said developers must disclose what data their browser features collect and what that data is used for. Any app caught collecting “private” data like passwords would be removed from the App Store, he said. He didn’t directly respond to questions about Apple’s plans for custom browsers.

To avoid potential creepiness in Instagram, Facebook, Snap, and LinkedIn, open the link, then tap the three dots in the top-right corner and select “Open in browser.”

To change your default browser on an iOS device, open Settings, scroll to and select the browser app you want, then tap Default Browser App and make your selection. For more private browsing, we recommend Firefox, DuckDuckGo, Brave, or Safari.

TikTok doesn’t seem to offer a way to open links in a separate browser. You can always copy and paste links into a separate browser app.
