
Expert: Facebook, IG App Can Steal Secrets, and Users Can't Turn It Off!

by Zen Chan, August 24th, 2022

Too Long; Didn't Read

Facebook and Instagram apps track users' browsing behavior on third-party websites without consent. Apple introduced App Tracking Transparency in iOS 14.5 to give users control of apps. Facebook says Apple’s simple iPhone alert is costing Facebook $10 billion a year. The tracking is not new for Facebook but gives us a glimpse of how much it knows about us, says Felix Krause, a former Google engineer who studies privacy, in a blog post on the 10th.



Do you find the iOS Facebook app and Instagram app slow? That is because they do much more than what they display. Felix Krause, a former Google engineer who studies privacy, said in a blog post on the 10th that the Facebook and Instagram apps track users' browsing behavior on third-party websites without consent.

Background

Apple has been actively countering cross-site tracking:

  • Starting with iOS 14.5, Apple introduced App Tracking Transparency to give users control. Apps need permission from users before their data can be tracked across apps owned by other companies.
  • Also, Safari already blocks third-party cookies by default.

After the App Tracking Transparency was introduced, Meta announced:

Apple’s simple iPhone alert is costing Facebook $10 billion a year

Facebook complained that Apple’s App Tracking Transparency favors companies like Google because App Tracking Transparency “carves out browsers from the tracking prompts Apple requires for apps.”

Websites you visit on iOS don’t trigger tracking prompts because the anti-tracking features are built in.

– Daring Fireball & MacWorld

As web browsers and iOS provide users with more privacy controls, it's clear why Instagram is interested in monitoring all web traffic from external sites.

The Findings (Thanks, Krause!)

Krause wrote that the iOS versions of the Facebook and Instagram apps inject code on every website they open and use a "custom-built in-app browser" instead of Apple's built-in Safari Browser, monitoring user behavior. As a result, the two apps track user privacy "without the consent of the user and the site provider," Krause said.


Krause said he couldn't be sure what data Instagram was tracking, but stressed that the built-in browser follows everything a user does on the site, including "every screen click" and "browsing behavior"; such a browser could be used to harvest sensitive information, such as home addresses. "Tracking codes allow us to collect user data for targeted advertising or evaluation," Meta, the parent company of Instagram, said in a statement to The Guardian on Tuesday.


"When shopping through the in-app browser, we seek consent to store payment data. So that the next purchase can be automatically filled in.” Krause responded that the practice still “exposed users a lot of risks” and “there is no option not to open a custom built-in browser.”
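The finding above is that the in-app browser adds its own JavaScript to pages it displays. A site operator can watch for that from the page side: record every script element that appears after the page has loaded and flag any whose source is not on the site's own allowlist (the site's own inline scripts are recognized by a CSP nonce the site knows). This is an added example, not code from the article or from Krause's tooling; the allowlist, nonce and sample script records are constructed for illustration.

```javascript
// Added example (not the article's or Krause's code): audit <script> elements
// that appear in a page and flag those the site did not ship.

// Pure classifier, so it runs anywhere (including outside a browser).
// `records`: list of {src, inline, nonce, snippet} describing script elements.
// `allowedOrigins`: the site's trusted script origins (the page origin is added).
// `siteNonce`: the CSP nonce the site put on its own inline scripts.
function classifyScripts(records, allowedOrigins, pageOrigin, siteNonce) {
  const allowed = new Set([pageOrigin, ...allowedOrigins]);
  const findings = [];
  for (const rec of records) {
    if (rec.inline) {
      // Inline scripts have no origin; an inline script without the site's
      // nonce is one the site did not ship, so it is marked suspicious.
      findings.push({
        kind: 'inline-script',
        detail: (rec.snippet || '').slice(0, 60),
        suspicious: rec.nonce !== siteNonce,
      });
      continue;
    }
    let origin;
    try {
      origin = new URL(rec.src, pageOrigin).origin; // resolves relative paths
    } catch (e) {
      origin = 'invalid';
    }
    findings.push({ kind: 'external-script', detail: origin, suspicious: !allowed.has(origin) });
  }
  return findings;
}

// Browser-side wrapper: observe the DOM and hand new script elements to the
// classifier. Returns null when there is no DOM (e.g. when run under node).
function watchForInjectedScripts(allowedOrigins, siteNonce, report) {
  if (typeof document === 'undefined' || typeof MutationObserver === 'undefined') return null;
  const toRecord = (el) => ({
    src: el.getAttribute('src'),
    inline: !el.hasAttribute('src'),
    nonce: el.nonce || '',          // the IDL property is readable even when the attribute is hidden
    snippet: el.textContent || '',
  });
  const observer = new MutationObserver((mutations) => {
    const records = [];
    for (const m of mutations) {
      for (const n of m.addedNodes) if (n.nodeName === 'SCRIPT') records.push(toRecord(n));
    }
    if (records.length) report(classifyScripts(records, allowedOrigins, location.origin, siteNonce));
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed sample records (hypothetical hosts), as the observer would produce them.
const SAMPLE_RECORDS = [
  { src: '/static/app.js', inline: false, nonce: '', snippet: '' },
  { src: 'https://cdn.example.com/lib.js', inline: false, nonce: '', snippet: '' },
  { src: 'https://tracker.example.net/track.js', inline: false, nonce: '', snippet: '' },
  { src: null, inline: true, nonce: 'r4nd0m', snippet: 'window.appReady = true;' },
  { src: null, inline: true, nonce: '', snippet: 'document.addEventListener("click", function (e) { /* report */ });' },
];

function demo() {
  return classifyScripts(SAMPLE_RECORDS, ['https://cdn.example.com'], 'https://shop.example', 'r4nd0m');
}

// In a page: watchForInjectedScripts(['https://cdn.example.com'], 'r4nd0m', console.table);
```

On the constructed sample, the third and fifth records are flagged: an external script from an origin the site never listed, and an inline click listener carrying no site nonce. The wrapper only reports; whether to log, alert the user, or disable sensitive forms in that state is a site decision.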

What If I Stop Using the App? The Tracking Beyond Facebook

Facebook’s tracking also reaches outside Facebook itself. So what does “targeted advertising or evaluation” mean? Meta has partnerships with marketing firms and ad networks so that activities on other sites, including:

  • Logging into Public WiFi that requires Facebook Check-in;
  • Logging into a third-party service with your Facebook account;
  • Browsing websites that contain the “Facebook Pixel”;
  • and more;

can be combined with your Facebook profile.


This tracking is not new for Facebook, but it is new to most of us. It at least gives us a glimpse of how much Facebook knows about us. It shows that Facebook and its sister apps Instagram and WhatsApp don’t need the microphone open to feed you specific ads and posts.

What Is Off-Facebook Activity?

Official Explanation of Off-Facebook Activity | Screenshots by the author

Off-Facebook Activity breaks the association between what you do on Facebook and off it. So, for example, if you’re shopping for shoes on a third-party retail site, you won’t suddenly see shoe ads all over your Facebook News Feed. Here is a direct link to the complete activity list.


Off-Facebook activity is monitored whether or not you have a Facebook account. In addition, tracking tools like the Facebook Pixel help websites and online retailers collect information about their visitors, including whether they return.


Third parties broadly use Facebook’s advertising and tracking technologies, which means you are not just hiding from Facebook but from its “friends,” too. This tool will not let you reset your relationship with Facebook; rather, it gives you a way to disconnect some of the surveillance that third parties link to your Facebook account.


Bonus: How Does “People You May Know” Work?

Image from Mark Zuckerberg F8 2019 Keynote | CC 2.0

In real life, it is easy to come up with a person you may know in the natural course of conversation. For example, when you say where you are, it is not uncommon for someone to say things like, “Oh, my roommate is also from there!”. And they would tell you more details like where they live and their full name, and you may or may not recognize them, depending on how small the town is.


Similarly, you may assume the friend recommendations on Facebook would work in the same way:

  • You fill in your personal information
  • Facebook finds out who you may know online

However, Facebook does not work like that, as the dataset on its side is far beyond the scale of everyday human interactions. Often people see a familiar face pop up in the suggestions even though they have no mutual Facebook friends with that person.

https://twitter.com/WillOremus/status/984109389823930368

How did Facebook figure out this kind of information? Why do they know who your high school teacher is and who your family doctor is?

What Is a Shadow Profile?

The first two requests that you need to allow for sign-up | Screenshots by the author

Providing your address book is one of the first steps Facebook asks people to follow when they originally sign up, so that they can continue with “Find Friends.” (You can choose the second option, “Sign up without uploading my contacts.”) In small print below the “Get Started” button, the page states that:


“Info about your contacts in your address book, including names, phone numbers, and nicknames, will be continuously uploaded to Facebook so we can suggest friends and provide and improve ads for you and others,”

Screenshots by the author

Behind the Facebook profile you built for yourself, a shadow profile is made from the contents of other Facebook users' inboxes and smartphones. The contact information you’ve never given Facebook is linked with your account, helping Facebook completely map your social connections on a massive scale.


Shadow contact information has been a known feature of Facebook since 2013! But most users are unaware of its extent and power. Since shadow profiling happens inside Facebook’s algorithms, people can’t see how deep the data-mining of their lives goes until a mysterious recommendation pops up.

How To Protect Yourself From Zuckerberg?

1# Web Browsers

Go to the web version of IG and FB:

Whenever you open FB or IG posts, use a web browser that blocks trackers, like Mozilla’s Firefox or Brave. Also, as mentioned, Safari has been blocking third-party cookies since iOS 14.5. Therefore, the next time someone sends you a link to FB or IG, open it using “Open in Browser” mode.

If you want to open FB and IG like an app, you can do that by using a web clip in Safari.

If you prefer Brave, you can do the same by creating a web app shortcut.
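The advice above is aimed at users, but a site operator can help from the other side: recognize when a page has been opened inside the Facebook or Instagram in-app browser and show the visitor a hint to use the “Open in Browser” option instead. This is an added example, not code from the article or from the reference on frame-busting native apps; the user-agent strings are constructed to show the shape of what those browsers send (the `FBAN/`/`FBAV/` tokens for the Facebook app and the `Instagram` token for the Instagram app are the markers relied on), and the hint text and banner are hypothetical.

```javascript
// Added example (not the article's code): site-side detection of the Facebook
// and Instagram in-app browsers, plus a user-facing hint to leave them.

// Markers relied on: the Facebook app's browser sends "FBAN/" and "FBAV/"
// tokens; the Instagram app's browser includes "Instagram" in its user agent.
const IN_APP_MARKERS = [
  { app: 'Facebook', pattern: /\bFBAN\/|\bFBAV\// },
  { app: 'Instagram', pattern: /\bInstagram\b/ },
];

// Pure check on a user-agent string; returns which app, if any, matched.
function detectInAppBrowser(userAgent) {
  for (const m of IN_APP_MARKERS) {
    if (m.pattern.test(userAgent)) return { inApp: true, app: m.app };
  }
  return { inApp: false, app: null };
}

// Text for the hint; null when the visitor is already in a normal browser.
function buildHint(detection, pageUrl) {
  if (!detection.inApp) return null;
  return (
    `This page is open inside the ${detection.app} app's browser, which can observe ` +
    `what you do here. Use the menu's "Open in Browser" option, or copy this link ` +
    `into Safari, Firefox or Brave: ${pageUrl}`
  );
}

// Browser-side wrapper: renders the hint as a banner. Returns null without a DOM.
function showHintIfNeeded() {
  if (typeof navigator === 'undefined' || typeof document === 'undefined') return null;
  const hint = buildHint(detectInAppBrowser(navigator.userAgent), location.href);
  if (!hint) return null;
  const banner = document.createElement('div');
  banner.setAttribute('role', 'status');
  banner.textContent = hint; // textContent, never innerHTML: the URL is data, not markup
  document.body.prepend(banner);
  return banner;
}

// Constructed sample user agents (shape only; version numbers are made up).
const SAMPLE_UAS = {
  safari:
    'Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) AppleWebKit/605.1.15 ' +
    '(KHTML, like Gecko) Version/15.6 Mobile/15E148 Safari/604.1',
  instagram:
    'Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) AppleWebKit/605.1.15 ' +
    '(KHTML, like Gecko) Mobile/15E148 Instagram 250.0.0.0.0 (iPhone13,2; iOS 15_6; en_US)',
  facebook:
    'Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) AppleWebKit/605.1.15 ' +
    '(KHTML, like Gecko) Mobile/15E148 [FBAN/FBIOS;FBAV/380.0.0.0.0;FBDV/iPhone13,2;FBLC/en_US]',
};

// In a page: document.addEventListener('DOMContentLoaded', showHintIfNeeded);
```

The check is a hint, not a guarantee: a user agent is self-reported, so the absence of a marker does not prove the page is in a normal browser, and the banner should never be the only protection for sensitive forms.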

2# Ad-Blocker and DNS

I would suggest going the extra mile in the browser area. One addition is an ad-blocking extension. An add-on called “uBlock Origin” is available on Firefox and Chrome, though it may require some initial configuration.


Some other good and easy-to-use ad- or tracker-blocking extensions for your browser are Ghostery and EFF’s Privacy Badger. Brave has its built-in ad-blocking feature called “Shields.” Mozilla’s Facebook Container add-on for Firefox prevents Facebook’s software from connecting with other sites.


In mobile apps, where tracking is common and hard to avoid, blocking is harder because mobile web browsers are less capable and users cannot add extensions. However, a few DNS-based services, such as 1.1.1.1, Disconnect’s Privacy Pro and NextDNS, scan app activity and block tracker traffic, which may also reduce bandwidth usage.

3# Ultimate Fix — Farewell

I am saying: say goodbye to Facebook and Instagram forever and close your accounts. That, of course, will stop Facebook from stalking you from now on. So far, though, that’s not a choice most people have been willing to make. And it is doubtful, and unverifiable, whether your data is still sitting inside its data center, like what Pierre disclosed.

Final Words — Nothing is Free, Especially When It Comes to Meta

Even though you know that nothing on Facebook is really free, you might not realize the extent and depth of Facebook’s tracking all over the internet. So anyone worried about the power of Facebook to manipulate people and shape elections should consider how it tracks us.


Facebook knows full well that users are upset about its data collection policies and is trying to push out means that grant more control. Sadly, these do little about data collection itself and are more about how data is used for ad personalization. Only recently have they started to test E2E encrypted chats for the Messenger app and WhatsApp, with an estimated 2023 launch globally.


The tracking stretches across other websites and services, into the various apps you use on your phone, and to the locations you physically visit in the real world — particularly if you decide to, or the WiFi requires you to, check in on Facebook while you’re there.


If you want to take advantage of its features, you must give up some of your personal information. But Facebook has ways of keeping tabs on people who aren’t even signed up for the service. Meanwhile, Facebook is striving to downplay the leak's gravity, but judging how serious it is does not lie with the company alone.


Thank you for reading. May InfoSec be with you🖖.


References:

  1. https://krausefx.com/blog/ios-privacy-instagram-and-facebook-can-track-anything-you-do-on-any-website-in-their-in-app-browser#how-to-protect-yourself-as-a-user
  2. https://www.holovaty.com/writing/framebust-native-apps/