Facebook, Instagram inject ‘tracking code’ in in-app browser to monitor usage: Report

When users open a link on the Facebook and Instagram apps, they are taken to the respective page not via a browser of their choice, one installed on their phone, but via the Facebook or Instagram browser inside the app. While this may seem appropriate, recent reports suggest that parent company Meta may have other motives behind an in-app browser implementation of links.
According to a report by researcher Felix Krause, via EngadgetIt has been found that the default in-app browser on Facebook and Instagram injects a “tracking code” into every website it visits for you, allowing a number of items to be monitored, likely without the user’s explicit knowledge. These include the ads you click, the buttons you press, text selection, and more.
The researcher’s work mainly focused on the Facebook and Instagram apps for iOS. However, Krause points out that Facebook may not necessarily use a JavaScript injection to collect sensitive data, but regardless, the approach here looks suspicious, mainly because it allows meta to monitor usage across both unencrypted and encrypted sites; The latter is something other browsers do not allow.
In a subsequent tweet, Krause admits that Facebook reached out to the researcher saying that the system they created honors user choice ATT.
Krause further added that the WhatsApp communication app, also owned by Meta, does not modify third-party websites in a similar way, and suggested that Facebook and Instagram also follow similar methods.