InAppBrowser tool reveals hidden JavaScript injections

Ryan Daws is a senior editor at TechForge Media, with a seasoned background spanning over a decade in tech journalism. His expertise lies in identifying the latest technological trends, dissecting complex topics, and weaving compelling narratives around the most cutting-edge developments. His articles and interviews with leading industry figures have gained him recognition as a key influencer by organisations such as Onalytica. Publications under his stewardship have since gained recognition from leading analyst houses like Forrester for their performance. Find him on X (@gadget_ry) or Mastodon (@gadgetry@techhub.social)


A tool created by developer Felix Krause reveals hidden JavaScript injections through in-app browsers.

In-app browsers offer a convenient way for developers to let users browse specific websites without leaving their apps. However, they can be used to invade users’ privacy.

Through an in-app browser, an app can inject JavaScript into the pages it displays and collect data about users, including their taps on a webpage, keyboard inputs, and more.

Armed with this data, a “digital fingerprint” of a specific individual can be created and used for targeted advertising.

Krause created a tool called InAppBrowser that can generate a report about the JavaScript commands that a developer is running through an in-app browser.

To use the tool, you only have to open the app you wish to analyse and use the in-app browser to open the URL “https://InAppBrowser.com”.

Krause has already tested some popular apps using his tool, including TikTok and Instagram.

TikTok was found to monitor all keyboard inputs and screen taps when using its in-app browser. Instagram, meanwhile, was able to detect all text selections on websites.

In a disclaimer about his tool’s limitations, Krause wrote:

“This tool works by overriding the most common JavaScript functions, however the host app may still inject other commands.

As of iOS 14.3, Apple introduced a new way of running JavaScript code in an ‘Isolated World’, making it impossible for a website to verify what code is being executed.

Also, this tool cannot detect other app tracking that may occur, such as custom gesture recognition, screenshot detection, or tracking of web request events.”

Not all apps that inject JavaScript code are doing so for malicious purposes, but InAppBrowser may help to uncover those that are doing so without good reason and dissuade others.
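The technique Krause's disclaimer describes, overriding common JavaScript functions so that calls to them can be reported, can be sketched as follows. This is an added example, not code from InAppBrowser.com; the names `instrument`, `makeFakeDocument` and `simulatedInjection` are hypothetical, and the fake document and the "injected" calls are constructed so the sketch runs outside a browser.

```javascript
// Wrap selected methods on `target` so every call is recorded in `report`
// before being passed through to the original implementation.
function instrument(target, methodNames, report) {
  for (const name of methodNames) {
    const original = target[name];
    if (typeof original !== "function") continue; // API not present, skip
    target[name] = function (...args) {
      report.push({
        fn: name,
        // Summarise arguments as printable strings for the report.
        args: args.map((a) => (typeof a === "function" ? "[function]" : String(a))),
      });
      return original.apply(this, args); // keep normal page behaviour
    };
  }
  return report;
}

// Constructed stand-in for `document` (assumption: in a real page the
// target would be the browser's own `document` object).
function makeFakeDocument() {
  const listeners = {};
  return {
    listeners,
    addEventListener(type, handler) {
      if (!listeners[type]) listeners[type] = [];
      listeners[type].push(handler);
    },
    getElementById() { return null; },
    querySelectorAll() { return []; },
  };
}

// Constructed stand-in for script a host app runs inside its in-app browser.
function simulatedInjection(doc) {
  doc.addEventListener("keydown", () => {});
  doc.addEventListener("selectionchange", () => {});
  doc.querySelectorAll("input");
}

// Instrument first, then let the "injected" code run, then read the report.
function runDemo() {
  const doc = makeFakeDocument();
  const report = instrument(
    doc, ["addEventListener", "getElementById", "querySelectorAll"], []);
  simulatedInjection(doc);
  return { doc, report };
}
```

A page using this approach sees only calls that go through the functions it wrapped, which is why the disclaimer notes that other commands, and code run in an "Isolated World", go unreported.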
