Meta iOS Apps Accused of Injecting Code into Third-Party Websites


Meta's Instagram and Facebook apps on iOS devices have been injecting JavaScript code into third-party websites from their custom in-app browser, gaining access to data that would be unavailable were those pages loaded in a stand-alone, WebKit-based iOS browser.

In-app browsers – implemented in native Android and iOS code using a component called a WebView – allow native app users to interact with websites without leaving their apps and opening free-standing browser applications. For this purpose, iOS offers WKWebView, part of the WebKit framework, and the more recent (and more privacy-protecting) SFSafariViewController, part of the SafariServices framework. Meta's apps rely on WKWebView, the more capable and customizable of the two options, both of which represent alternatives to opening web links in the iOS version of Safari.

"This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap,"
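A site owner's view of the behaviour described above, as an added example that is not part of the original post or of any Meta code: it flags the Facebook and Instagram in-app browsers from their User-Agent tokens and reports script elements loaded from hosts the site does not ship. The function names, the allow-list and the sample hosts are assumptions made for illustration.

```javascript
// Added example: site-side checks a page owner could run. All names are hypothetical.

// UA tokens that Meta's iOS apps add to the WebView User-Agent (assumption:
// tokens can change between app versions, so treat a match as a hint only).
const IN_APP_TOKENS = [
  { app: "facebook", pattern: /\bFBAN\/|\bFBAV\// },
  { app: "instagram", pattern: /\bInstagram\b/ },
];

function classifyInAppBrowser(userAgent) {
  const hit = IN_APP_TOKENS.find(({ pattern }) => pattern.test(userAgent || ""));
  return { inApp: Boolean(hit), app: hit ? hit.app : null };
}

// Given script URLs seen in the DOM, return those whose host the site never ships.
function findForeignScripts(scriptSrcs, pageUrl, allowedHosts) {
  const allowed = new Set([new URL(pageUrl).host, ...allowedHosts]);
  const foreign = [];
  for (const src of scriptSrcs) {
    let host;
    try {
      host = new URL(src, pageUrl).host; // resolves relative URLs against the page
    } catch {
      foreign.push(src); // unparsable src: report it rather than ignore it
      continue;
    }
    if (!allowed.has(host)) foreign.push(src);
  }
  return foreign;
}

// Browser wiring: watch for <script src> elements added after load and report them.
function watchForInjectedScripts(doc, allowedHosts, report) {
  const observer = new MutationObserver((mutations) => {
    const added = mutations
      .flatMap((m) => [...m.addedNodes])
      .filter((n) => n.nodeName === "SCRIPT" && n.src)
      .map((n) => n.src);
    const foreign = findForeignScripts(added, doc.location.href, allowedHosts);
    if (foreign.length) report(foreign);
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}
```

A clean result does not show that nothing was injected: code a host app evaluates directly in the WebView need not add a `<script src>` element, so this catches only the visible case.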
