
TikTok refutes researcher’s claims that in-app browser tracks keystrokes

Kyle Chua

TIKTOK. In this file photo, the TikTok app is seen on a smartphone in this illustration taken July 13, 2021.

Dado Ruvic/Reuters

Security researcher Felix Krause says TikTok, alongside apps from Meta Platforms, can modify the code of websites loaded via in-app browsers

A new analysis revealed that some popular apps can track user data while using in-app browsers.

TikTok’s behavior was especially concerning, according to security researcher Felix Krause, who claims the short-form video platform’s iOS app contains code that allows it to monitor every keystroke and tap on the screen, including text inputs such as passwords and credit card numbers.

“TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app”, wrote Krause in a blog post published on August 18. “We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites.”

He explains that any link the user taps in TikTok, including ads, opens within the app’s in-app browser rather than in the system’s default browser, such as Chrome or Safari. The app then injects JavaScript code into the loaded website that lets it log the user’s keystrokes.

This was supposedly revealed when Krause analyzed the code behind the apps of popular platforms.

Krause also created a tool, called InAppBrowser.com, which lets mobile app users check the code injected by in-app browsers themselves, though it doesn’t list all JavaScript commands. He used this tool to compare the behaviors of different apps when it comes to in-app browsers.

As previously mentioned, TikTok’s behavior supposedly was the most concerning because of the scope of the input it tracks and the lack of an option for users to open links in their default browser. This means users cannot avoid the tracking if they want to open a link from the app, except by copying the link and pasting it into another browser, or by typing the URL manually where copying is not possible.
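The two paragraphs above describe the mechanism (third-party pages rendered inside the app’s own browser, with JavaScript injected into them) and the only workaround available to users (open the link in the system browser). The following is an added example, not code from the article, from Krause, or from InAppBrowser.com: a small site-side check a web developer could add to their own pages to recognise that they are being rendered inside an in-app browser and show the visitor that workaround before they type anything sensitive. The user-agent markers it looks for (musical_ly and BytedanceWebview for TikTok, Instagram, FBAN/FBAV for Facebook and Messenger, and the generic "Mobile/ without Safari/" and "; wv" WebView patterns) are assumptions drawn from commonly observed UA strings; the page does not list them, and they can change at any time. Injected native code is not subject to the page’s Content Security Policy, so this is a user-facing notice, not a control that stops the injection.

```javascript
// Added example, not code from the article or from InAppBrowser.com: a
// site-side heuristic for recognising that a page is being rendered inside an
// app's in-app browser, so the page can offer the visitor an alternative route
// (copy the link / open in the system browser) before they type anything
// sensitive. The user-agent markers below are assumptions based on commonly
// observed UA strings and may change at any time; treat them as a starting
// list, not a guarantee, and never base a security decision on them.

// Known in-app browser markers, most specific first. Facebook and Messenger
// both carry FBAN/FBAV tokens, so they share one entry.
const IN_APP_MARKERS = [
  { app: "TikTok", tokens: ["musical_ly", "BytedanceWebview"] },
  { app: "Instagram", tokens: ["Instagram"] },
  { app: "Facebook or Messenger", tokens: ["FBAN/", "FBAV/"] },
];

/**
 * Classify a user-agent string.
 * Returns { inApp: boolean, app: string|null, reason: string } where reason is
 *   "marker"  when a known app token matched,
 *   "webview" when the UA looks like a bare system WebView
 *             (iOS: "Mobile/" present but no "Safari/"; Android: "; wv)"),
 *   "browser" otherwise.
 */
function detectInAppBrowser(ua) {
  if (typeof ua !== "string") return { inApp: false, app: null, reason: "browser" };
  for (const { app, tokens } of IN_APP_MARKERS) {
    if (tokens.some((t) => ua.includes(t))) {
      return { inApp: true, app, reason: "marker" };
    }
  }
  // Heuristic (assumption): a WKWebView UA carries "Mobile/" but no "Safari/"
  // token, and an Android WebView UA carries "; wv)".
  const iosWebView =
    /iPhone|iPad/.test(ua) && /\bMobile\/\S+/.test(ua) && !/\bSafari\//.test(ua);
  const androidWebView = /; wv\)/.test(ua);
  if (iosWebView || androidWebView) {
    return { inApp: true, app: null, reason: "webview" };
  }
  return { inApp: false, app: null, reason: "browser" };
}

/**
 * Build the notice a page could show. Returns null when no notice is needed.
 * pageUrl is echoed so the visitor can copy it into their default browser,
 * which is the workaround the article describes.
 */
function inAppBrowserNotice(ua, pageUrl) {
  const result = detectInAppBrowser(ua);
  if (!result.inApp) return null;
  const where = result.app
    ? `the ${result.app} app's in-app browser`
    : "an app's embedded browser";
  return (
    `This page is open inside ${where}. Anything you type here may be visible ` +
    `to that app. To continue in your default browser, copy this link: ${pageUrl}`
  );
}

// Browser-only hook: when loaded in a page, render the notice once. Guarded so
// the same file also loads under Node for testing.
if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  const text = inAppBrowserNotice(navigator.userAgent, location.href);
  if (text) {
    const banner = document.createElement("div");
    banner.setAttribute("role", "alert");
    banner.textContent = text;
    document.body.prepend(banner);
  }
}
```

Marker matching runs before the generic WebView heuristic so a known app is named when possible; the heuristic only catches embedded browsers whose UA carries no app-specific token. A site owner would pair this with server-side logging of the same classification to see how much of their traffic arrives through in-app browsers.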

Krause does, however, point out that this doesn’t necessarily mean TikTok is doing “anything malicious” with the data it collects and has access to. Still, the behavior itself raises questions about the privacy of the platform’s users.

A TikTok spokesperson said the platform isn’t engaging in any wrongdoing, telling TechCrunch that Krause’s conclusions are “incorrect and misleading,” while confirming those features do exist in the code.

“The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects,” said the spokesperson. “Contrary to the report’s claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring.”

The spokesperson added that the option to use a different browser is not available because it would require directing users out of the app, which the company thinks compromises the experience.

TikTok also suggested that its data-collection practices are no different from those of other platforms, focusing mainly on what users search for and view in the app in order to suggest relevant content. The company did concede that users browsing the web within the platform are tracked, but only for personalization purposes.

Krause says Meta’s platforms, namely Facebook, Instagram, and Messenger, are all similarly modifying the code of websites loaded via their in-app browsers.

Despite these findings, the researcher did reassure iOS users that Apple’s software is still safer than Android when it comes to privacy. He notes that apps like Twitter, YouTube, Gmail, Reddit, and WhatsApp, among others, follow the iPhone maker’s recommendation of using either Safari or the system’s default browser to open external websites. – Rappler.com
