Non-deletable cookies on social media

Created 6. July 2023

Websites can set indelible cookies when they are accessed from a social media app. The reason is a technology that many users are completely unaware of.

On Twitter, LinkedIn and other social media, the majority of posted messages are not text, images or video, but shared links to external websites. The platforms don't like that at all, because it leads users away from their offerings.

Fortunately, on smartphones (where usage is greater than on desktops anyway), there is a trick used by almost all social media apps:

Clicking on an external link does not open a new app (the smartphone's regular web browser, i.e. Safari on iOS or Chrome on Android), but a so-called webview. This is a browser window that is integrated into the app. The underlying technology still comes from Safari or Chrome, but the webview has a number of advantages for the social media platform and consequences for users.

1️⃣ One does not leave the app

If the external website is opened in a new app, then there is a real risk of not clicking back to the social network. This can't happen with the webview, because the website then looks more like a subsection of the app, as you can see in the following screenshot using LinkedIn as an example. The area of the webview is marked in red:

2️⃣ The app controls the webview

As Internet entrepreneur Felix Krause has demonstrated, some apps inject JavaScript code into the webview. This makes it possible to add additional tracking or even record the user's keystrokes.

Cookies cannot be deleted

One side effect of using webviews is probably not intended by the app operators, nor would they have much to gain from it: cookies stored in a webview are not removed when you delete the browser's history and website data.

The history and data storage of the browser app can be easily deleted. This is useful, for example, if you, like me, close every cookie banner with "Accept all" for convenience. On iOS there is a corresponding option under "Settings / Safari"; Android offers a comparable function.

However, this is not the case for cookies in a webview. You are welcome to try it; we have prepared a test page for it. If you open the following URL on your smartphone and reload it, it will show when it was first visited:

If you delete the history and website data as described above and open the page again, the date of the (supposed) first visit will also change.

This no longer works if you open the page from a social media app. I've linked to it in this LinkedIn post:

For you to see the effect, you need to have the LinkedIn or Twitter apps installed on your smartphone, and after clicking on those links, the respective app should open with the post.

If you close the app, go to the two posts again and follow the link to the test page, then the date shown will not change. Clearing the history in the browser does not change that: whenever you navigate to that page via the social media app, the cookie is detected and the date of the first visit is displayed.
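The behaviour described above can be modelled in a few lines. This is an added example, not the code of the test page: the cookie name `first_visit`, the cookie attributes and the two separate cookie jars (one for the browser app, one for the in-app webview) are assumptions made for illustration.

```javascript
// Added example: constructed model of the test page, not the original page's code.
const COOKIE = "first_visit"; // hypothetical cookie name

// Parse a Cookie request header into a name -> value object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Server side: show the stored first-visit date, or set it on a first visit.
function handleVisit(cookieHeader, now) {
  const stored = parseCookies(cookieHeader)[COOKIE];
  if (stored) return { firstVisit: stored, setCookie: null };
  const value = now.toISOString();
  const attrs = "Max-Age=31536000; Path=/; Secure; HttpOnly; SameSite=Lax";
  return { firstVisit: value, setCookie: `${COOKIE}=${encodeURIComponent(value)}; ${attrs}` };
}

// Client side (assumed model): browser app and in-app webview each keep their own jar.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  header() { return [...this.cookies].map(([k, v]) => `${k}=${v}`).join("; "); }
  store(setCookie) {
    if (!setCookie) return;
    const pair = setCookie.split(";")[0];
    const i = pair.indexOf("=");
    this.cookies.set(pair.slice(0, i), pair.slice(i + 1));
  }
  clear() { this.cookies.clear(); }
}

// One page load: send the jar's cookies, store any Set-Cookie, return the date shown.
function visit(jar, now) {
  const res = handleVisit(jar.header(), now);
  jar.store(res.setCookie);
  return res.firstVisit;
}

// Constructed scenario: visit in both containers, clear only the browser, visit again.
function scenario() {
  const browser = new CookieJar(), inApp = new CookieJar();
  const day1 = new Date("2023-07-06T10:00:00Z"), day2 = new Date("2023-07-07T10:00:00Z");
  visit(browser, day1); visit(inApp, day1);
  browser.clear(); // "delete history and website data" reaches only this jar
  return { browser: visit(browser, day2), inApp: visit(inApp, day2) };
}
```

After the browser data is cleared, `scenario()` returns the second day for the browser and still the first day for the in-app webview, which is the effect the test page makes visible.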

Conclusion: Careful when accepting cookies

Within social media apps, it is worthwhile to reject all cookies in the cookie banner when opening websites, because once they have been set, they can no longer be deleted.
