Meta sued for allegedly secretly tracking iPhone users

Meta was sued on Wednesday for alleged undisclosed tracking and data collection in its Facebook and Instagram apps on Apple iPhones.

The lawsuit [PDF], filed in a US federal district court in San Francisco, claims that the two applications incorporate use their own browser known as a WKWebView that injects JavaScript code to gather data that would otherwise be unavailable if the apps opened links in the default standalone browser designated by iPhone users.

The claim is based on the findings of security researcher Felix Krause, who last month published an analysis of how WKWebView browsers embedded within native applications can be abused to track people and violate privacy expectations.

“When users click on a link within the Facebook app, Meta automatically directs them to the in-app browser it is monitoring instead of the smartphone’s default browser, without telling users that this is happening or they are being tracked,” the complaint says.

“The user information Meta intercepts, monitors and records includes personally identifiable information, private health details, text entries, and other sensitive confidential facts.”


However, Meta’s use of in-app browsers in its mobile apps predates Apple’s ATT initiative. Apple introduced WKWebView at its 2014 Worldwide Developer Conference as a replacement for its older UIWebView (UIKit) and WebView (AppKit) frameworks. That was in iOS 8. With the arrival of iOS 9, as described at WWDC 2015, there was another option, SFSafariViewController. Presently this is what’s recommended for displaying a website within an app.

And the company’s use of in-app browsers has elicited concern before.

“On top of limited features, WebViews can also be used for effectively conducting intended man-in-the-middle attacks, since the IAB [in-app browser] developer can arbitrarily inject JavaScript code and also intercept network traffic,” wrote Thomas Steiner, a Google developer relations engineer, in a blog post three years ago.

In his post, Steiner emphasizes that he didn’t see anything unusual like a “phoning home” function.

Krause has taken a similar line, noting only the potential for abuse. In a follow-up post, he identified additional data gathering code.

He wrote, “Instagram iOS subscribes to every tap on any button, link, image or other component on external websites rendered inside the Instagram app” and also “subscribes to every time the user selects a UI element (like a text field) on third party websites rendered inside the Instagram app.”

However, “subscribes” simply means that analytics data is accessible within the app, without offering any conclusion about what, if anything, is done with the data. Krause also points out that since 2020, Apple has offered a framework called WKContentWorld that isolates the web environment from scripts. Developers using an in-app browser can implement WKContentWorld in order to make scripts undetectable from the outside, he said.

Whatever Meta is doing internally with its in-app browser, and even given the company’s insistence its injected script validates ATT settings, the plaintiffs suing the company argue there was no disclosure of the process.

“Meta fails to disclose the consequences of browsing, navigating, and communicating with third-party websites from within Facebook’s in-app browser – namely, that doing so overrides their default browser’s privacy settings, which users rely on to block and prevent tracking,” the complaint says. “Similarly, Meta conceals the fact that it injects JavaScript that alters external third-party websites so that it can intercept, track, and record data that it otherwise could not access.”


Source: Meta sued for allegedly secretly tracking iPhone users • The Register

Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft