Felix Krause, a former Google engineer and privacy researcher, said that Meta could track anything its users do on iOS by taking advantage of a loophole in Apple security.
He said that the iOS versions of Facebook and Instagram take users who click on links in the apps to an "in-app browser" rather than the user's browser of choice, such as Safari or Firefox.
This allows Meta to inject code into its apps, so that when a user clicks on a link and is taken to the in-app browser, the company can then monitor their activity around the web.
"Links to external websites are rendered inside the Instagram app, instead of using the built-in Safari," said Krause in a blog post.
"This allows Instagram to monitor everything happening on external websites, without the consent from the user, nor the website provider," he added.
"Injecting custom scripts into third party websites allows them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers," said Krause.
In a statement shared with The Guardian, Meta said that it had "intentionally developed this code" to account for user choice on the platform. The company said that it completely respects the users' consent to tracking choices on its platforms.
"The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels," said a spokesperson for Meta, in a statement.
Regarding tracking a user's purchasing habits, Meta added that, "For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill."