Meta’s Instagram and Facebook apps on iOS devices have been injecting JavaScript code into third-party websites from their custom in-app browser, gaining access to data that would be unavailable were those pages loaded in a stand-alone, WebKit-based iOS browser.
In-app browsers – implemented in native Android and iOS code using a component called a WebView – allow native app users to interact with websites without leaving their apps and opening free-standing browser applications. For this purpose, iOS offers WKWebView, part of the WebKit framework, and the more recent (and more privacy protecting) SFSafariViewController, part of the SafariServices framework.
Read more on The Register
How to protect yourself as a user?
Escape the in-app-webview
Most in-app browsers have a way to open the currently rendered website in Safari. As soon as you land on that screen, just use that option to escape it. If that button isn’t available, you will have to copy & paste the URL to open the link in the browser of your choice.
Use the web version
Most social networks, including Instagram and Facebook, offer a decent mobile-web version, offering a similar feature set. You can use https://instagram.com without issues in iOS Safari.
Link: iOS Privacy: Instagram and Facebook can track anything you do on any website in their in-app browser
via krausefx.com
