The Facebook and Instagram apps are modifying websites you visit

Jerry Galvin
4 min read · Aug 15, 2022

You might want to rethink having social network apps on your phone, but not because you’re addicted to scrolling or concerned about misinformation. According to new research, the Facebook and Instagram apps can track you when you click to visit non-Facebook and non-Instagram sites.

The scenario is simple. Imagine that you are scrolling through your feed and you see a news article or another site that you want to visit. You click to visit. Instead of opening in your default web browser (Safari on iPhone or Chrome on Android), a Facebook or Instagram browser pops up.

The settings in this browser are controlled by the app. The first problem is that these in-app browsers ignore the security settings and ad blockers you might have installed on your phone.

Worse, though, the research found that the Facebook and Instagram apps are actively modifying the websites you visit. This is apparently done to allow them to track you on websites that are not controlled by Facebook or Instagram.

While users typically expect an app to track their moves within the app itself, when you navigate to a third-party website, you would expect the tracking to stop.

Facebook and Instagram both claim that they respect your iOS privacy settings, following Apple’s rules. So if you said you did not want to be tracked in iOS, their in-app browsers also won’t track you.

That’s great for those users. But Android users, who don’t have the option to not be tracked in their apps, and iOS users who actively allowed tracking still deserve not to be tracked by Facebook or Instagram when on another site.

How can I protect myself from Facebook and Instagram data collection?

The easiest way to protect yourself is to completely uninstall the Facebook, Messenger, and Instagram apps. The services can still be accessed in a reasonable enough manner on your phone — or through computer web browsers. It might not be a perfect or even good experience, however, because companies focus most of their attention on the apps.

But by using the website instead of the app, you are ensuring that your phone’s browser is in charge of privacy settings when you click a link outside of the social network. Because the app is not involved, Facebook and Instagram cannot modify the websites in any way.

If you’re unwilling to uninstall Facebook, Messenger, and Instagram apps, the easiest thing you can do to prevent off-app tracking is to force the app to open the page on your phone’s default browser. This can be done by clicking the link, then finding the three dots at the bottom of the screen. When you click those dots, you get an option to “Open in Browser.” You’re then browsing on your phone’s browser, a much safer option.

Step 1: Click the three dots.
Step 2: Click Open in Browser.

Decide carefully which apps to trust

Keep in mind, there’s always a chance that any app could be used in an unintended way by the app author. A company could make an intentionally bad app to temporarily or permanently enable a feature to steal your personal data, while appearing to be functioning normally to you. It happens all the time.

The curated app gardens of Apple’s App Store or Google Play might make you think that these big companies are policing all apps in their stores. But that’s just not possible. There are too many apps to review manually, and scammers are getting better at evading automated protections.

The general rule is to not install apps from sources and authors you don’t trust. You should take some time to go through apps on your phone. Do you need them? Do you know who actually wrote them?

When you’re considering what apps to keep, you also might want to remove TikTok, which the United States government has declared a national security threat. Headquartered in China, TikTok collects user data just like Facebook and Instagram. While there’s no evidence that the Chinese government has access to the data, there are no known safeguards that would absolutely prevent the Chinese government from accessing data about you collected from TikTok.

Whether you delete these apps or not, the best advice is simple: uninstall apps you don’t need or don’t trust.

Update 8/19/2022: Follow-up post: The TikTok app has been found by the same researcher to be reading all of the keystrokes when you visit a third-party site through the TikTok app.

Jerry Galvin has over 16 years of experience in engineering and cybersecurity operations. He currently specializes in vulnerability management.


Jerry Galvin has over 17 years of experience in engineering and cybersecurity operations. He currently is a business information security officer.