On recent versions of iOS, in-app browsers do not share data with the Safari browser. How effective would browser fingerprinting be? Everyone with the same device, same language/locale and same timezone should have the same browser fingerprint, I thought.
> On recent versions of iOS, in-app browsers do not share data with the Safari browser.
Specifically, SFSafariViewController does not share cookies or other data with Safari anymore. Some bad actors got caught with their hands in the cookie jar, literally, and out that sharing went.
The do still share something. In response to this headline I installed the Zoom app and picked to login with Facebook. A browser popped up showing the facebook webpage and said "Login as Gregg Tavares?". Since I just installed app how did Facebook know it was me? The only possibility that comes to mind is that Safari was using cookies from some other app's embedded webview.
I believe the cookies passed into the webview are limited to a specific domain. So the app developer says “open a webview for Facebook.com” and the webview includes cookies only for the stated domain.
