
You’re scrolling through Facebook or Instagram when a news article catches your eye. You click on it, and it opens right there in the app — quick, seamless, no need to switch to your browser.
Convenient, right? Maybe — maybe not. In-app browsers might make browsing easier, but they’re a big security risk — the digital equivalent of walking through a sketchy neighbourhood with your wallet hanging out. Every time you enter login credentials or payment information in these embedded browsers, you’re essentially handing your data to the app developer on a silver platter.
While this doesn’t mean every app is out to exploit your information, businesses need to be aware of the potential vulnerabilities.
What exactly are in-app browsers?
Simply put, they’re mini web browsers built directly into apps like Facebook, Instagram, TikTok, and LinkedIn. Instead of opening a link in Chrome, Safari, or Edge, the app keeps you inside its own ecosystem. This might seem like a small difference, but it gives the app more control over what you see — and what data it can collect.
The hidden dangers of in-app browsers
Unlike traditional browsers, these in-app versions give the app more control over what you see and do, which can include tracking your activity or even capturing sensitive data. So, what is happening in the shadows? Let’s take a look.
Tracking without limits
Think of in-app browsers as a one-way mirror — the companies can see everything you do, but you can’t see what they’re up to. Unlike your regular browser where you can add security tools and tweak privacy settings to your heart’s content, these in-app versions play by their own rules. They can slip in tracking code that watches every move you make online — every tap, every swipe, every click. Sure, companies say all this tracking helps make things better for you, but they’re collecting a lot more data than most people realise.
Keystroke logging and data capture
Perhaps most concerning is the ability to record everything you type. In 2022, former Google engineer and developer Felix Krause revealed that TikTok’s iOS app could record every keystroke made on websites viewed through its in-app browser. We covered that story in depth, along with advice on how to protect your business data. TikTok swears they never actually spied on anyone’s keystrokes, but just knowing they built that capability in the first place? That’s more than a little unsettling for anyone who cares about privacy.
Security vulnerabilities
In-app browsers are basically like driving a car with no airbags or seatbelts. While regular browsers warn you about sketchy websites and potential scams, these stripped-down versions leave you totally exposed. That makes it easier for cyber criminals to trick you with fake login pages, or even worse, silently intercept your data as it travels across the internet.
A compromised user experience
In-app browsers aren’t just a privacy headache — they’re also a pain to actually use. They’re clunkier and slower than regular browsers, and they don’t play nice with the tools we’ve all come to rely on.
Have you ever clicked a link on Instagram only to face yet another login screen for a website you’re already subscribed to? That’s because your trusty password manager is basically locked out of the party.
And good luck trying to find that interesting article you were reading earlier — once you close the app, it vanishes into thin air. While Chrome and Safari keep track of your digital breadcrumbs, letting you retrace your steps whenever you need to, in-app browsers are more like a maze with no map.
There’s no history, no reopening closed tabs, no picking up where you left off. It’s like starting from scratch every single time.
Lack of transparency
Finally, when you use an in-app browser you’re basically browsing in the dark. With Chrome or Safari, you’re in the driver’s seat — you can check security settings, wipe your cookies, or add privacy tools whenever you want.
But in-app browsers? They keep you in the dark about what they’re tracking, where they’re sending your data, or how long they’re keeping it.
Intersys’ Managing Director Matthew Geyman advises against their use completely. “If you want real control over your privacy, I recommend skipping the in-app browser and using your device’s native browser instead. Not only is it more secure, but it keeps social media companies from building an even more detailed profile of your online life – whether for targeted ads or something more invasive.”
Platform specific risks
iPhone: A false sense of security?
Apple prides itself on user privacy, but in-app browsers on iPhones still come with risks. While Apple mandates that all apps use Safari’s browser engine, this doesn’t mean complete protection.
Even App Tracking Transparency (ATT) — Apple’s widely publicised privacy feature — can’t fully stop apps from monitoring your activity within their built-in browsers. Released in 2021, ATT requires apps to ask for permission before tracking users across different apps and websites.
However, this doesn’t apply to tracking within an app’s own browser. Popular platforms like Facebook and Instagram can still monitor user interactions — what you click, type, or even hover over — because the tracking happens inside the app itself, bypassing ATT’s restrictions. While ATT is a step in the right direction for data privacy, it doesn’t eliminate the hidden risks of in-app browsers.
Android: In-app browser security risks run deeper
Android phones face even greater in-app browser security risks. Unlike Apple, Android lets apps create their own browser systems or use different technologies to display web pages.
This freedom comes with drawbacks — some in-app browsers might miss important security updates or use less secure systems. Android also gives apps more freedom to access different parts of your phone, which could let them track more of your data or even install unwanted software.
While you can change your browser settings on Android, most people don’t, because they’re unaware of the risks in the first place.
What the social media companies are saying
In-app browsers have been lurking around since 2008, but they flew under the radar for years. That all changed in 2019 when Google engineer Thomas Steiner blew the whistle on Facebook’s use of these browsers in their mobile apps. Suddenly, people started paying attention to what this meant for their privacy and freedom of choice.
Then in August 2022, developer Felix Krause dropped a bombshell blog post revealing how Instagram and Facebook could track everything you do on websites opened within their apps. A week later, he discovered TikTok injecting code that could record every single keystroke users made.
TikTok says they’ve never used their keylogging abilities, and Meta and Google insist their in-app browsers are totally innocent. But here’s the thing — these companies don’t have the best track record with privacy, and the fact remains that they’ve built themselves a perfect little spying toolkit, whether they’re using it or not.
“Social media companies claim their in-app browsers protect you from threats and improve your experience,” says Matthew. “While there’s a grain of truth there, they conveniently leave out how it lets them track every website you visit and everything you do online. The real question is: do you trust these companies with that kind of power?”
How businesses can protect themselves
Businesses can’t afford to ignore in-app browser security risks, but there are ways to reduce them. Here are four steps you should strongly consider to guard against in-app browser threats:
- Encouraging employees to open links in external browsers — such as Chrome, Safari, or Edge — should be the first step. Many apps offer an option to “Open in Browser,” though it’s often hidden in menus.
- Businesses should also consider Mobile Device Management (MDM) solutions, which allow IT teams to enforce security policies, blocking the use of in-app browsers on company devices.
- For organisations that handle sensitive financial or legal data, enterprise-grade secure browsers — like Microsoft Edge for Business — can provide better protection.
- Finally, regular cyber security training is crucial. Employees should be aware of how in-app browsers work, why they pose risks, and how to spot potential security threats before they become a serious problem.
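As an added example (not code from Intersys or from any vendor named above), a site owner can complement these steps by measuring how many visits to login or payment pages arrive through an in-app browser, using tokens these apps commonly place in the User-Agent header. The token list, the path names and the sample entries are assumptions constructed for illustration.

```javascript
// Tokens commonly seen in in-app browser User-Agent strings. Assumed list, not
// exhaustive: apps can change or drop them, so a miss means "unknown", not "safe".
const IN_APP_TOKENS = [
  { app: "Instagram", pattern: /\bInstagram\b/ },
  { app: "Facebook", pattern: /FBAN|FBAV|FB_IAB/ },
  { app: "TikTok", pattern: /musical_ly|BytedanceWebview/ },
  { app: "LinkedIn", pattern: /LinkedInApp/ },
];

function classifyUserAgent(ua) {
  if (typeof ua !== "string" || ua === "") return null;
  for (const { app, pattern } of IN_APP_TOKENS) {
    if (pattern.test(ua)) return app;
  }
  // Generic fallbacks: Android WebView marks itself with "; wv)", and an iOS web
  // view normally lacks the "Safari/" token that the standalone browser sends.
  if (/; wv\)/.test(ua)) return "Unknown app (Android WebView)";
  const isIos = /\b(iPhone|iPad)\b/.test(ua) && /AppleWebKit/.test(ua);
  if (isIos && !/Safari\//.test(ua)) return "Unknown app (iOS web view)";
  return null; // looks like a standalone browser
}

// Count requests to sensitive paths that arrived through an in-app browser.
function summarizeSensitiveHits(entries, sensitivePaths = ["/login", "/checkout"]) {
  const counts = {};
  for (const { path, ua } of entries) {
    if (!sensitivePaths.some((p) => path.startsWith(p))) continue;
    const app = classifyUserAgent(ua);
    if (app) counts[app] = (counts[app] || 0) + 1;
  }
  return counts;
}

// Constructed sample log entries (not real traffic).
const IOS = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) ";
const ANDROID_WV = "Mozilla/5.0 (Linux; Android 14; Pixel 8; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/120.0.0.0 Mobile Safari/537.36";
const SAMPLE_ENTRIES = [
  { path: "/login", ua: IOS + "Version/17.0 Mobile/15E148 Safari/604.1" },
  { path: "/login", ua: IOS + "Mobile/15E148 [FBAN/FBIOS;FBAV/1.0]" },
  { path: "/login", ua: IOS + "Mobile/15E148 [FBAN/FBIOS;FBAV/1.0]" },
  { path: "/login/sso", ua: ANDROID_WV + " Instagram 1.0 Android" },
  { path: "/checkout", ua: ANDROID_WV + " musical_ly_1.0 BytedanceWebview/abc" },
  { path: "/login", ua: ANDROID_WV },
  { path: "/news/article", ua: IOS + "Mobile/15E148 [FBAN/FBIOS;FBAV/1.0]" },
];

console.log(summarizeSensitiveHits(SAMPLE_ENTRIES));
```

A match is a reasonable trigger for a banner asking the visitor to reopen the page in their device’s browser. The header is self-reported, so the absence of a match proves nothing.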
The convenience of in-app browsers comes at a price that many of us aren’t aware we’re paying. While it might seem harmless to quickly check that news article or shopping site within your social media app, you’re potentially exposing your personal data to unnecessary risks. The good news is that the solution is simple: take the extra second to open links in your device’s native browser.
For businesses, the stakes are even higher. With remote work and mobile devices now integral to daily operations, every click in an in-app browser could be exposing sensitive company data. By implementing clear policies about browser usage and ensuring proper training, organisations can significantly reduce their exposure to these hidden risks.
Remember: if something seems too convenient in the digital world, it’s worth asking yourself what you might be giving up in return. When it comes to in-app browsers, that small moment of convenience could lead to significant privacy and security compromises.
Intersys is a specialist cyber security provider offering everything from full cyber security as a service to one-off rapid breach response to organisations under threat.