Meta and TikTok were quick to state that their activities are benign, but their historical behavior, coupled with the potential for other apps or malicious actors to misuse or exploit this ability, is worrying, particularly when in-app browsing is done on work devices that connect to corporate networks and store business information. Security teams should therefore be aware of the threats in-app browsers can pose to an organization and take steps to help address the risks.
What are in-app browsers?
In-app browsers are used by apps when a user clicks a link to a normal webpage from inside the app, Peter Lowe, principal security researcher at DNSFilter, tells CSO. “Instead of opening the page in the default browser on the mobile device like Safari or Chrome, it’s opened in an embedded version that runs inside the app itself,” he adds. Because the browser runs inside the app rather than as a separate, external process, the app has far greater control over it.
What security risks do in-app browsers pose?
It is this heightened control that can introduce the types of code injection and data tracking issues that Krause highlighted, Lowe says. “What was shown is that some very popular apps – including TikTok and Instagram – seem to be using this to track users, to the point where individual keystrokes are monitored and tracking code is added to every page. This circumvents app store policies put in place to prevent this sort of thing, but because of the way apps and policies are designed, it currently exists as a loophole.”
When it comes to the security risks associated with in-app browsers, one of the most crucial aspects an enterprise must consider is how it deals with sensitive data and privacy, Jens Monrad, director, head of Mandiant Intelligence EMEA, tells CSO. “We use our phones for everything, including for business. This means there are many opportunities for critical information to be compromised or leaked – intentionally or unintentionally.”
Another risk that enterprises must take into consideration is that app users almost never have the time or patience to go through the entire user rights and consent guide. Typically they can be over 30 pages long, Monrad says. “While much of the data collecting that occurs is benign, users can end up consenting to things they are unaware of, such as the tracking of their credentials or location.”
Once collected, information of this kind is golden in the hands of cybercriminals since it allows them to clone a web session with all its web parameters, such as the browser version (agent version), locally available languages, cookies, and other user-specific information, adds Dmitry Bestuzhev, most distinguished threat researcher at BlackBerry. “That way cybercriminals may bypass anti-fraud systems run by financial organizations to identify their recurrent customers. That’s an effect of a wolf in sheep’s clothing.”
Aside from credential harvesting, in-app browsers can also be exploited for cryptocurrency mining, Bestuzhev says. “It is especially painful when the browser is closed but is running in the background. Most modern browsers include that functionality, so cryptocurrency mining through the browser might be running even when the browser is apparently closed.”
How to mitigate in-app browser security risks
Mitigating the threats posed by in-app browsers is not always straightforward, but organizations can take steps to reduce the risks. “It’s possible to configure an app to properly launch an external browser for link clicks rather than viewing the page inside the app, and even if the app itself hasn’t been configured this way, a user can click ‘open in Safari’ (or whichever is the browser in use) when viewing the page, to launch it in an external browser instead,” Lowe says. “We recommend configuring apps to open in an external browser where possible and informing users that this is happening so that they are more cognizant of their activities while browsing a page from inside an app.”
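The advice above is aimed at the app and its user, but a web application that handles logins or business data can also help from its side. The following is an added example, not code from the article or from any of the vendors quoted: a page-side check that recognises a few well-known in-app browser user-agent markers (Facebook's FBAN/FBAV tokens, the Instagram token, and the Android WebView "wv" token) and, when one is found, builds a notice steering the user to the external browser. The sample user-agent strings are constructed for illustration, and any app whose marker is not listed is simply not detected.

```javascript
// Added example: detect common in-app browsers from the user agent and
// nudge the user towards "open in <external browser>" before they type
// anything sensitive. Heuristic only; absence of a marker proves nothing.

// Known markers: Facebook ("FBAN/", "FBAV/"), Instagram ("Instagram"),
// Android WebView ("; wv)" in the platform segment of the user agent).
const IN_APP_MARKERS = [
  { marker: "FBAN/", app: "Facebook" },
  { marker: "FBAV/", app: "Facebook" },
  { marker: "Instagram", app: "Instagram" },
  { marker: "; wv)", app: "Android WebView" },
];

// Constructed sample user agents for offline testing (not real captures).
const SAMPLE_USER_AGENTS = {
  androidWebView:
    "Mozilla/5.0 (Linux; Android 13; Pixel 7 Build/TQ3A.230805.001; wv) " +
    "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/116.0.0.0 Mobile Safari/537.36",
  instagramIos:
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 " +
    "(KHTML, like Gecko) Mobile/15E148 Instagram 290.0.0.13.76",
  safariIos:
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 " +
    "(KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1",
};

// Returns the embedding app's name, or null when no known marker is present.
function detectInAppBrowser(userAgent) {
  const hit = IN_APP_MARKERS.find(({ marker }) => userAgent.includes(marker));
  return hit ? hit.app : null;
}

// Name of the external browser to recommend, chosen from the platform.
function externalBrowserFor(userAgent) {
  if (/iPhone|iPad|iPod/.test(userAgent)) return "Safari";
  if (/Android/.test(userAgent)) return "Chrome";
  return "your default browser";
}

// Builds the notice text for an embedded browser, or null when none is needed.
function buildNotice(userAgent) {
  const app = detectInAppBrowser(userAgent);
  if (!app) return null;
  return `This page is open inside the ${app} in-app browser, which the host app ` +
    `can observe. Use "Open in ${externalBrowserFor(userAgent)}" before signing in.`;
}

// Browser-side hook: prepend the notice as an alert banner when one applies.
function showNoticeIfEmbedded(doc, userAgent) {
  const text = buildNotice(userAgent);
  if (!text) return false;
  const banner = doc.createElement("div");
  banner.setAttribute("role", "alert");
  banner.textContent = text;
  doc.body.prepend(banner);
  return true;
}

if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  showNoticeIfEmbedded(document, navigator.userAgent);
}
```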
More risk-averse organizations may opt to prevent access to certain apps on corporate devices altogether by using mobile device management (MDM) solutions, Monrad says. “This allows companies to enforce some restrictions on the device while still ensuring the device’s integrity. Organizations can effectively create a safe container within the phone where enterprise operations can take place and access to certain applications and software updates can be more closely controlled.”
For Bestuzhev, the first thing to do is to define policies allowing or denying browsers, so that it is clear which are approved and not approved for use. “It can be achieved via black/whitelisting, default deny technologies, and AD [Active Directory] policies deployed to the endpoint,” he adds. “If the network is built on Microsoft technologies, then there is a granular policy to deploy from AD to endpoints for Edge. Edge is a modern Chromium-based browser, which can be configured in a way to deny in-app plugins. It is also important to count on a good endpoint protection product, so if there is a bypass attempt, your endpoint product may block it based on the analysis of the code of the in-app program.”
Newer versions of the iOS and Android mobile operating systems offer granular security controls that allow the end user to make choices about apps’ access to the clipboard, precise location data sharing, and so on, says Monrad. “Additionally, users might also be prompted about apps trying to make use of cameras or audio. While it might not mitigate the risk entirely, I believe it is a step in the right direction that enterprises can also consider as part of their guidelines for employees and mobile devices.”
On that note, user education and awareness about in-app browser risks are also important, Lowe says. “Fortunately, general awareness has been raised at this point, so we can hope for some changes to the mechanisms behind in-app browsers in the future. Work is definitely being done to prevent app developers from being able to abuse this functionality and we can hope for some concrete fixes at some point.”