In-app browsers are still a privacy, security, and choice problem

Competition cops in Europe and the United Kingdom have started paying attention to in-app browsers, a controversial mechanism for presenting web content within native apps. Open Web Advocacy (OWA), a group that supports open web standards and fair competition, said in a post on Tuesday that representatives "recently met with …

  1. Paratrooping Parrot
    Mushroom

    I find it very infuriating that I cannot copy the website address from Instagram and that my adblocks are unavailable on the web browser used by insta. Also whenever there is a link in Facebook in a web browser, there is always some garbled website address that goes through FB's servers and therefore I cannot get a clean website address.

    This also needs to be addressed.

    1. alain williams Silver badge

      > some garbled website address that goes through FB's servers

      Something similar happens on YouTube - it shows a clean URL but copy the link and it starts https://www.youtube.com/redirect?event=xxx. This is not obvious and lets YouTube collect personal information -- both of which are against the GDPR; not that our chocolate teapot ICO will bother to do anything about it.

  2. ThatOne Silver badge
    Facepalm

    Pope catholic?

    Any in-app browser is as (un)trustworthy as the app itself, plus the caveat that it's usually a quick-and-dirty piece of borrowed code thrown in to make the app a "whole experience", prevent the suck user from leaving, and of course, last but not least, to gather some juicy "telemetry" and ad revenue.

    What's not to like?...

    1. iron

      Re: Pope catholic?

      > it's usually a quick-and-dirty piece of borrowed code thrown in to make the app a "whole experience"

      No it isn't. It is always an OS provided web view of some form. If that code is borrowed or shoddy your complaint is with Apple or Google.

      1. Jamie Jones Silver badge

        Re: Pope catholic?

        On android, you could say "often", but not "always"

        There's nothing stopping you embedding whatever webview code you want. In fact, Mozilla makes "Geckoview" ( https://wiki.mozilla.org/Mobile/GeckoView ) for that very purpose.

        (I'm not calling geckoview "quick and dirty" - just citing it as an example of a third party "webview")

      2. heyrick Silver badge

        Re: Pope catholic?

        "No it isn't. It is always an OS provided web view of some form."

        Did you not read the article? Here, let me help:

        > Some companies implement a bundled engine in-app browser, which is where the developer uses their own browser engine in lieu of a native platform WebView API. Meta does this with its Facebook app for Android, but not for iOS due to Apple's platform rules.

  3. Test Man

    For me the absolute reason why I hate these in-app browsers is because they do not contribute to my History list, so I don't know whether I visited particular sites, nor do they allow me to utilise my existing autofill texts.

    I really hate Facebook, Instagram and Threads' in-app browsers, and being forced to use them. There is only one reason they are utilising it - in order to more easily see what people are clicking on.

    1. Hubert Cumberdale Silver badge

      Hmm. General agreement here, but the potential upvote I might've given was cancelled out by the two uses of "utilis[e/ing]" when "us[e/ing]" would have been fine. This is a niggle I have to correct in papers every day, so I'm perhaps disproportionately irritated by it.

      1. I am David Jones Silver badge
        Thumb Down

        “Correcting” implies an error, which is manifestly not the case as utilise is a real word with a real meaning. Trying to impose your own linguistic style/preferences on an internet forum is a dick move, if I may be so bold.

        Downvote from me.

        1. Hubert Cumberdale Silver badge

          Indeed, "utilise" is a real word with a real meaning, and this is why its distinct meaning, which is not the same as that of "use", should be preserved rather than eroded. This is not simply about a preference: it is an error.

          1. I am David Jones Silver badge

            According to my dictionary, one meaning of “utilise” is “use”. So I stand by my comment that this is pedantry gone wrong.

            If you have a dictionary that says otherwise, then we can have a dictionary-off. But I’m not catwalking and my pants are staying on. Just so you know.

          2. Terry 6 Silver badge

            "Use" and "utilise" are both valid words, with subtly different implied meanings. They are often interchangeable though.

            "Use" simply means to do with the item what it is intended for- though that can be widened to any form of "make use of" as in using the handle of a screwdriver to bash a nail into something.

            "Utilise" means something more like to take advantage of a facility offered by the availability of the object.

            So I could reasonably say that I used the screwdriver on my Swiss Army knife to get a screw out of the wall but that I utilised the flat screwdriver blade on my Swiss Army knife to prise open a paint pot

            In terms of writing style I'd say use "use" where possible and utilise "utilise" only for contexts where it seems more appropriate.

            As this site

            https://english.stackexchange.com/questions/143941/when-to-use-use-and-when-to-use-utilize-in-a-sentence

            puts it

            Some dictionaries gloss utilize as using something for a purpose that it is not normally employed for. But prescriptive grammarians are pretty clear on such use. Fowler in Modern English Usage (p670) says:

            If differentiation were possible between utilize and use it would be that utilize has the special meaning of make good use of, especially of something that was not intended for the purpose but will serve. But this distinction has disappeared beyond recall; utilize is now ordinarily treated as a LONG VARIANT of use. A form is enclosed herewith for favour of your utilization is an example of the pretentious diction that prefers the long word.

        2. No Relation

          Nope, utilise isn't the same as use, and it annoys me too. I'd say it's a dick move to be so certain about something as to correct someone yourself without even checking if you're right.

      2. This post has been deleted by its author

    2. Jamie Jones Silver badge

      As "in app browsing" was designed as a way to help developers render their app, it should be restricted to same-domain only (based on a single, hard-coded domain of the app's choice).

      Visiting third party sites is no longer part of the app, it's browsing, and should be handed to the browser of the user's choice.

      1. heyrick Silver badge

        This. Web views inside apps shouldn't deal with third party sites.

  4. Robert Carnegie Silver badge

    I dunno. If I write an app that needs to display HTML, I feel that I don't want users to install DeadCat as their web browser, cause my app to not work with it, and then complain to my support forum when it doesn't work. Of course, I don't have to go near the support forum, so, problem solved - but I still don't like it. Or what if the user installs a malware fork of DeadCat instead, and hacks my app?

    1. Jamie Jones Silver badge

      As I wrote above, I think in-app-browsing restricted to one domain of your choice would be the way to go.

      You can then use it to render YOUR html in your app, but once you provide a user with an offsite link, that goes from app-rendering-html to browsing, and should then spawn the external browser.
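
The single-domain rule proposed in the comments above, as an added example (not code from any commenter or from the article): a navigation policy that keeps one pinned origin in the web view and hands everything else to the user's browser, shown beside a prefix check that gets it wrong. `APP_ORIGIN`, `routeNavigation`, `naiveIsAppUrl` and the sample hosts are hypothetical names constructed for illustration.

```javascript
// Added example: routing policy for an in-app web view pinned to one origin.
// APP_ORIGIN is a constructed placeholder, not a real service.
const APP_ORIGIN = "https://app.example.com";

// Weak form: a string-prefix test. It treats lookalike hosts such as
// "app.example.com.evil.test" or "app.example.com@evil.test" as the app.
function naiveIsAppUrl(rawUrl) {
  return rawUrl.startsWith(APP_ORIGIN);
}

// Hardened form: parse first, then compare the whole origin.
// Returns "in-app", "external-browser", or "block".
function routeNavigation(rawUrl, appOrigin = APP_ORIGIN) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG URL parser, the rules browsers apply
  } catch {
    return "block"; // relative or unparsable input: do not guess a base
  }
  // Only web schemes may leave the app; javascript:, file:, data: and
  // custom schemes are refused rather than passed to any renderer.
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return "block";
  }
  // url.origin is scheme + lower-cased host + non-default port, so
  // userinfo, host suffixes, odd ports and http downgrades all fail to
  // match and are sent to the browser the user chose.
  const pinned = new URL(appOrigin).origin;
  return url.origin === pinned ? "in-app" : "external-browser";
}

// Constructed sample navigations, runnable stand-alone.
const samples = [
  "https://app.example.com/help",
  "https://app.example.com.evil.test/help",
  "https://app.example.com@evil.test/help",
  "https://news.example.org/story",
  "javascript:void(0)",
];
for (const s of samples) {
  console.log(routeNavigation(s).padEnd(17), naiveIsAppUrl(s), s);
}
```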

    2. heyrick Silver badge

      "complain to my support forum when it doesn't work ... Or what if the user installs a malware fork of DeadCat instead, and hacks my app?"

      I can't help but think that all of this is potentially a thing because the boundary between app and web is extremely blurred.

      You should be able to hand a URL to a web view (whatever it may be) and that web view render the content on the screen and go back to you with a success or fail result code. Maybe, in specific circumstances, it can provide you with limited data (such as the content of a file it fetched, like JSON or whatever). Much more than that, and it's a security risk for your app and your users.

      Furthermore it can help to segregate permissions, your app may require access to a user's photos, say, but the browser part doesn't.

      "I feel that I don't want users to install"

      I feel that I don't want your app to ignore my choices for blocking/whitelist, my language preferences, whether or not to fetch large media files, my saved passwords, and so on. You are, instead, expecting me to trust god knows what, that will happily download and run god knows what.

      1. Robert Carnegie Silver badge

        If you don't trust me and my programming work, you shouldn't execute it at all - unless you think I'm a hacker and you want to analyze how I do it.

        I should have expressed more clearly that while I respect my customer's choice to use the DeadCat web browser for World Wide Web activities of their choice, I want that not to be enforced on my app programming. I'm not absolutely opposed to DeadCat optionally displaying my app's output if the user wants to try that, but I will be developing and testing with the Big Brother Browser that is bundled with the operating system, and if DeadCat doesn't handle my app output correctly, then the solution I offer is not to use DeadCat, at least not with my app. So I'll be looking to have my code have an "Only use Big Brother" option. Of course I'll reconsider this if ignoring DeadCat is commercially unwise.

        As for languages, I speak one, and it isn't emoji, but I will have my app's manual professionally translated into that for a universal audience. :-)

      2. katrinab Silver badge

        If you need to fetch json or whatever, you can make that same domain on the server-side by using a reverse proxy. I do that anyway as a matter of course rather than deal with CORS stuff.

  5. DS999 Silver badge

    If I visit a link in the Facebook app

    I always use the "open in Safari" option. Not so much to prevent Facebook collecting data on that session (all I'm doing is reading the article, and they've already collected the "he opened this link" data) but because Safari's adblocker doesn't function inside Facebook's in-app browser.

    Sometimes I am not quick enough to do the "open in Safari" thing before some shady ad has caused another page to load. Just from what I can see of the pages it is loading before I interrupt the process it is amazing anyone tolerates it they are so ad laden. I don't get every ad blocked, a few still slip through, but the pages are fast and functional which they sure wouldn't be in Facebook.

    What I really hate are apps that force a web page view to do basic functions. If the app is that crappy, why even bother saying you have an "app". Because you don't, you have a web site. They are NOT the same thing!

  6. adfh
    Thumb Down

    Facebook has started doing this with their beta android app again!

    Facebook has started doing this with their beta android app again! ... no matter if I toggle off or on the "load links externally" option buried under media settings, it'll always launch the internal browser first.

    It's a right royal pain in the arse.

  7. Shalghar Bronze badge

    In App browsers are not only on android or apple

    Yes, I know, windows programs are not necessarily called "apps" but how is any game provider who wants to force his players to use a wannabe steam like atrocity like, for example "Arc", so different? Especially "Arc" with its chromium implement is so shoddy that sometimes the pages in the browser part crash or sometimes a false URL has been introduced. All this thing does, browser wise, is display something that's already on the homepage of the company, but with a nice graphical border, non working history and/or addons and due to the reduced screensize within the border a lot more pain to use as it does not scale down since the browser part gets the natural screen size but not a re scale to the small window it actually displays.

    Edenred, some kind of master card based bonus money voucher thing also has a crippled in app browser but needs to be re authenticated via the full homepage as the app is so misdesigned that you can't even make your mandatory password change whenever they want and/or the app crashes again and scrambles whatever it's using to authenticate. At least they don't insist on chrome anymore and currently, the app is at least a bit more convenient than directly using the homepage, which is a new development.

    Several android apps also share the ill design to prefer a crippled in app browser over a redirect to a proper homepage in a full browser of the user's choice. This is not only an issue with the amazon app but also with several others, especially when it comes to support issues and you would really like to have your auto incorrect of choice as well as a maximum of screen size with the scaling of your choice.

  8. Keythong
    Holmes

    This is why LAN-level domain-filter appliances, like Pihole, are necessary!

    I have mine set up on an old Raspberry 3, with Unbound as the local DNS provider (used to be dnscrypt-proxy) to minimise DNS tracking via DNS servers; all LAN devices are directed to use it as a DNS server, via DHCP, via DNS server configuration, from my gateway router. As a result, I need no OS domain filters and far less (resource-costly) filtering in browsers, and it blocks domains which I can't configure to be blocked by in-app browsers, which can include chat apps like Slack and Skype. Pihole can also log which device is requesting which addresses, which can be useful to detect rogue apps/devices.

    You can do domain filtering on Android too, but the VPN approaches are often compromised and filter apps probably can't be chained like I did with Pihole and unbound.

  9. Keythong
    Devil

    This may be from reluctance to implement a non-Web UI/UX, and graft.

    But, of course, that then leads to the temptation to import other stuff off the internet, like say font awesome, and various JavaScript frameworks, content services, then adverts, and metrics. Of course, the latter may be the real reason why an in-app browser component was used! HTTP/Javascript based apps are bloat we need a lot less of, because they can be a lot slower and use a lot more memory than non-Web UI/UX apps, including the bloated NodeJS and Atom, e.g. React was serious bloat, both to compile and run, for a big app!

    Cloud-linked LAN appliances can use unfiltered browsers too, and people are security/privacy idiots to use such junk, including because they will probably not be as secure as a non-embedded OS device, because of less oversight/patching.

  10. adfh
    Thumb Down

    Meta isn't obeying their own options on this anymore on my Facebook app!

    I've been into my facebook app settings, and the "Open links in external browser" option is now being actively ignored by Facebook. Maybe they're seeing I have Firefox as default, but I shouldn't see why that should be a problem.

    I've tried downgrading from their beta version, reinstalling app from scratch, and still no joy.
