Felix Krause, an iOS privacy researcher, has found that Facebook and Instagram render all third-party links within their app using a custom in-app browser and that this custom browser can track all sorts of user interactions.
This is in violation of Apple's App Tracking Transparency policy, which requires apps to explicitly ask users for their permission to track them.
According to Krause, the tracking code can monitor all kinds of user interactions: "This allows Instagram to monitor everything happening on external websites, without the consent from the user, nor the website provider.
The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers.''
That said, Krause is quick to point out that doesn't necessarily mean that Facebook and Instagram are stealing people's passwords and credit card numbers.
Rather, his report was meant to highlight the tracking capability of the in-app browser's tracking code and how users can protect themselves.
"Does Facebook actually steal my passwords, address and credit card numbers? No! I didn't prove the exact data Instagram is tracking, but wanted to showcase the kind of data they could get without you knowing.
"As shown in the past, if it's possible for a company to get access to data for free, without asking the user for permission, they will track it," wrote Krause.
So how can users protect themselves? Whenever you click on a link within Facebook or Instagram, make sure you click on the three dots icon in the corner (bottom right for Facebook, top right for Instagram) and select the option "Open in browser" to visit the link in Safari and not Facebook or Instagram's custom in-app browser.
Interestingly, only Facebook and Instagram open links using their custom in-app browser. WhatsApp, another service owned by Meta, opens apps with Safari.