IAB-Inject Test Page
About
When you click a link in a big-tech mobile app, it will generally open within a custom in-app browser (IAB) so the users won't leave the app and miss them yummy retention time.
Additionally, app makers sometimes inject JavaScript files into their IABs. In the case of Instagram, they will offer to store your passwords with your Meta account when you log into third-party websites while inside their IAB.
This is possibly very dangerous since these scripts have access to any user input or website content.
This page checks whether any unexpected scripts were injected. Open this URL in the IAB of the app you want to test: https://romanzipp.com/iab
This can be achieved by storing the URL anywhere it is made clickable.
For example:
- Edit your profile's bio, add the test URL and click it afterwards
- Send a message with the test URL as a DM to yourself or a friend
- Make a post containing the test URL
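One way a page can check for injected scripts, as an added example that is not this test page's own code: it compares the `<script>` elements and `window` properties it sees against what the page itself shipped. The URLs, the `own` marker, the function names and the sample data are all assumptions made for illustration.

```javascript
// Added example (not the test page's own code). Names and URLs are assumptions.
const EXPECTED_SRC = new Set(["https://example.test/iab/check.js"]);

// Compare a snapshot of the page against what the page itself shipped.
// snapshot.scripts: [{src, own, text}], snapshot.globals: property names on window.
function findUnexpected(snapshot, baselineGlobals, expectedSrc = EXPECTED_SRC) {
  const findings = [];
  for (const s of snapshot.scripts) {
    if (s.src) {
      if (!expectedSrc.has(s.src)) findings.push({ kind: "external-script", detail: s.src });
    } else if (!s.own) {
      // Inline script without the page's own marker attribute.
      findings.push({ kind: "inline-script", detail: s.text.trim().slice(0, 60) });
    }
  }
  // A script evaluated directly by the host app leaves no <script> element,
  // so also report globals that were not present in the baseline.
  const known = new Set(baselineGlobals);
  for (const name of snapshot.globals) {
    if (!known.has(name)) findings.push({ kind: "new-global", detail: name });
  }
  return findings;
}

// Browser-side collection; `marker` is the value the page sets in data-own on its own inline scripts.
function snapshotFromDocument(doc, win, marker) {
  return {
    scripts: Array.from(doc.scripts, (el) => ({
      src: el.src || null,
      own: el.dataset.own === marker,
      text: el.textContent || "",
    })),
    globals: Object.getOwnPropertyNames(win),
  };
}

// Constructed sample data, standing in for what an IAB might leave behind.
const SAMPLE_BASELINE = ["document", "location", "runCheck"];
const SAMPLE_SNAPSHOT = {
  scripts: [
    { src: "https://example.test/iab/check.js", own: false, text: "" },
    { src: null, own: true, text: "runCheck()" },
    { src: "https://injected.example/autofill.js", own: false, text: "" },
    { src: null, own: false, text: "  window.__hostBridge = {};  " },
  ],
  globals: ["document", "location", "runCheck", "__hostBridge"],
};

console.log(findUnexpected(SAMPLE_SNAPSHOT, SAMPLE_BASELINE));
```

In a browser, the baseline would be `Object.getOwnPropertyNames(window)` captured by the page's first inline script, with `snapshotFromDocument(document, window, marker)` called after load.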
Use in apps
- Instagram (confirmed): Edit your profile → "Links" → "Add external link"
- Threads: Edit your profile → "Link" → Paste URL
- TikTok: Go to your profile → "Edit profile" → "Links" → "Website"
- Twitter: Twitter has two different IABs. Sometimes links will open in a custom basic IAB without any controls, but most of the time you will see the iOS native Safari-like IAB.
Sample
Contact
Have you found a website that injects scripts into their IAB? Please tell me!
See landing page for contact options. https://romanzipp.com