Meta's Instagram and Facebook apps on iOS devices have been injecting JavaScript code into third-party websites from their custom in-app browser, gaining access to data that would be unavailable were those pages loaded in a stand-alone, WebKit-based iOS browser.
In-app browsers – implemented in native Android and iOS code using a component called a WebView – allow native app users to interact with websites without leaving their apps and opening free-standing browser applications. For this purpose, iOS offers WKWebView, part of the WebKit framework, and the more recent (and more privacy-protecting) SFSafariViewController, part of the SafariServices framework. Meta's apps rely on WKWebView, the more capable and customizable of the two options, both of which represent alternatives to opening web links in the iOS version of Safari.
"This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap,"

Meta iOS apps accused of injecting code into websites
Company insists it's doing so 'to honor people’s App Tracking Transparency (ATT) choices'
