Facebook and Instagram In-App Browser Tracking: Privacy Risks and How to Protect Yourself in 2026
Security researcher Felix Krause reveals that Facebook and Instagram use embedded browsers in their apps to track user activity on third-party sites, posing privacy risks. This article examines how these browsers work, the information they collect, and how Apple’s ATT helps to protect iOS users' data.
Ozan Ucar, Founder and CEO of Keepnet
Facebook and Instagram applications use embedded browsers that automatically open when you click on external links within the app, rather than opening your default browser. This behavior allows Meta to inject JavaScript code into visited websites, enabling tracking of user interactions including form inputs, button clicks, and purchases made on external sites. The practice was first documented in detail by security researcher Felix Krause in August 2022. By 2026, this tracking approach has attracted regulatory scrutiny under the EU Digital Markets Act (DMA), GDPR enforcement actions, and US state privacy laws. Meta was fined over 1.2 billion euros by Ireland's Data Protection Commission in 2023 in a related data transfer case, and regulators continue to examine the in-app browser's data collection practices.
Why Embedded Browsers are Used
Typically, when you click on a link within an app, it opens in a default web browser. However, Facebook and Instagram create a built-in browsing experience by embedding an internal browser to display these sites. While this approach offers a seamless in-app experience, it also allows the apps to run custom JavaScript code on any third-party websites you visit through these browsers. This technique lets the host app observe user interactions such as clicks, scrolls, and even sensitive input like credit card information.
What Information Facebook and Instagram Can Track
When using the in-app browser, Facebook and Instagram gain the ability to monitor a wide range of user interactions, including:
- Passwords entered on login pages,
- Home addresses or other sensitive details filled out in forms,
- Credit card information during online purchases,
- On-screen selections or menus clicked, and
- Text inputs in any form fields.
This capability allows Facebook and Instagram to collect extensive user data, tracking your digital footprint across different websites without requiring your explicit consent.
The Role of JavaScript in Data Collection
Facebook and Instagram achieve this data collection by injecting JavaScript code into the web pages loaded through their embedded browsers. This script can track user interactions on these external sites. Any data entered on a page viewed in the in-app browser can potentially be captured and sent back to Facebook or Instagram, allowing them to collect data about your browsing habits and behavior.
For example, if you click on an ad within Instagram and complete a purchase on the advertiser’s website, Facebook may collect information about that transaction directly through the embedded browser.
Apple’s Response: App Tracking Transparency (ATT)
To protect user privacy, Apple released the App Tracking Transparency (ATT) framework in iOS 14.5, requiring apps to request user permission before tracking activity across other companies' apps and websites. Meta reported a significant impact on its advertising revenue following ATT's rollout, estimating a $10 billion annual revenue reduction. However, ATT does not prevent in-app browser JavaScript injection, which operates within the app's own context. In 2025, Apple introduced additional privacy protections in iOS 18 that further restrict cross-app tracking, but the in-app browser data collection mechanism remains a separate privacy concern that ATT alone does not address.
How ATT Works to Block Data Collection
ATT requires that apps:
- Request permission from users before tracking them across third-party websites.
- Offer transparency about the types of data they wish to collect and for what purpose.
If a user declines tracking, iOS restricts the app’s ability to gather data about their activity on other sites, providing users with more control over their privacy.
Despite ATT, however, Facebook and Instagram can still track user interactions within their embedded browsers, as this monitoring occurs directly in the app rather than across external applications. Therefore, while ATT mitigates some privacy concerns, embedded browsers remain a loophole for in-app data collection.
How to Protect Yourself from In-App Browser Tracking
Given the potential privacy risks, here are some steps to safeguard your data when using apps like Facebook and Instagram:
- Avoid clicking on external links within the app if possible.
- Copy links and open them in a separate browser like Safari or Chrome.
- Use iOS settings to manage permissions, opting out of app tracking requests when prompted.
- Stay informed about how apps collect and use data by regularly reviewing app privacy policies.
While ATT has provided a layer of protection against cross-app tracking, users must still take active steps to protect their data when using in-app browsers. In 2026, privacy-conscious users should open external links in dedicated privacy-focused browsers, disable Meta's in-app browser where app settings allow, limit the personal information entered in pages accessed through social media apps, and review Meta's privacy settings to restrict data collection. Organizations should include in-app browser privacy risks in employee mobile security training, particularly for staff who access sensitive business information from mobile devices.
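Website owners can support the "open it in a separate browser" advice from their side. The following is an added example, not code from Meta, Felix Krause, or this article's author: it classifies a request's user-agent string and decides whether to prompt the visitor to reopen the page in the system browser before a sensitive form. The user-agent token patterns, the route names, and the sample strings are assumptions made for illustration.

```javascript
// Added example: site-side detection of Facebook/Instagram in-app browsers.
// Token patterns are assumptions based on commonly seen user-agent strings.
const IN_APP_TOKENS = [
  { app: 'facebook', pattern: /\bFB(AN|AV|_IAB)\// },
  { app: 'instagram', pattern: /\bInstagram \d/ },
];

// Hypothetical routes where users type credentials or payment data.
const SENSITIVE_PATHS = [/^\/login\b/, /^\/checkout\b/, /^\/account\b/];

function detectInAppBrowser(userAgent) {
  if (typeof userAgent !== 'string' || userAgent.length === 0) {
    return { inApp: false, app: null, platform: null };
  }
  const hit = IN_APP_TOKENS.find((t) => t.pattern.test(userAgent));
  let platform = 'other';
  if (/iPhone|iPad|iPod/.test(userAgent)) platform = 'ios';
  else if (/Android/.test(userAgent)) platform = 'android';
  return { inApp: Boolean(hit), app: hit ? hit.app : null, platform };
}

// Decide what the site shows: nothing, a dismissible banner, or a blocking
// interstitial that asks the user to reopen the page in the system browser.
function decideResponse(userAgent, path) {
  const info = detectInAppBrowser(userAgent);
  const sensitive = SENSITIVE_PATHS.some((re) => re.test(path));
  let action = 'allow';
  if (info.inApp) action = sensitive ? 'interstitial' : 'banner';
  return { action, ...info };
}

// Constructed sample user agents (version numbers are made up).
const SAMPLES = {
  instagramIos: 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Instagram 300.0.0.0.0 (iPhone14,5; iOS 17_0; en_US)',
  facebookAndroid: 'Mozilla/5.0 (Linux; Android 13; Pixel 7; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/120.0.0.0 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/400.0.0.0.0;]',
  safariIos: 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1',
};

for (const [name, ua] of Object.entries(SAMPLES)) {
  console.log(name, decideResponse(ua, '/checkout/pay'));
}
```

The host app controls the user-agent string it sends, so treat this check as a best-effort prompt for the user rather than a guarantee that no script has been injected.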
Editor's Note: This article was updated on June 1, 2026.