In-app browsers can pose significant security risks to businesses, with their tendency to track data a primary concern. This was highlighted in recent research which examined how browsers within apps like Facebook, Instagram and TikTok can be a data privacy risk for iOS users. Researcher Felix Krause detailed how popular in-app browsers inject JavaScript code into third-party websites, granting host apps the ability to track certain interactions, including form inputs like passwords and addresses along with image/link clicks.
Meta and TikTok were quick to state that their activities are benign, but their historical behavior coupled with the potential for other apps or malicious actors to misuse/exploit this ability is worrying, particularly when in-app browsing is done on work devices that connect to corporate networks and store business information. Security teams should therefore be aware of the threats in-app browsers can pose to an organization and take steps to help address the risks.