“Beware of in-app browsers” is a good rule of thumb for any privacy-conscious mobile app user, given an app’s ability to leverage its grip on the user’s attention to spy on what you are viewing through browser software it also controls. But the behavior of TikTok’s in-app browser is raising eyebrows after independent privacy research by developer Felix Krause found that the social network’s iOS app injects code that could allow it to monitor all keyboard inputs and presses. Aka, keylogging.
“TikTok iOS subscribes to every keystroke (text entries) that occurs on third-party websites rendered in the TikTok app. This may include passwords, credit card information, and other sensitive user data,” warns Krause in a blog post detailing the results. “We can’t know what TikTok uses the subscription for, but from a technical point of view, this is the equivalent of installing a keylogger on third-party websites.” [emphasis his]
Krause used his tool to produce a brief benchmark of a number of major apps that appears to place TikTok at the top for concerning in-app browser behavior, due to the breadth of events it was found subscribing to and the fact that it does not offer users the option of opening web links in a default mobile browser (rather than its own in-app browser). The latter means there is no way to avoid TikTok’s tracking code loading if you use its app to view links; the only way to avoid this privacy risk is to close its app entirely and use a mobile browser to load the link directly (and if you can’t copy-paste it, you’ll need to remember the URL to do so).
Krause is careful to point out that just because he discovered that TikTok subscribes to every keystroke a user makes on third-party sites viewed in its in-app browser doesn’t mean it is doing “something malicious” with the access; as he notes, there is no way for outsiders to know all the details about the type of data collected or how, or whether, it is transferred or used. But clearly the behavior itself raises questions and privacy risks for TikTok users.
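A page-side check in the spirit of what Krause describes, added here as an illustration (it is not code from his tool, from TikTok, or from the original report): a site wraps addEventListener before any other script runs and records which keystroke events get subscribed to after its own scripts are done, which is the footprint an injected listener would leave. The function and property names are assumed for this example.

```javascript
// Added example (not from Krause's tool or TikTok's code): audit every
// keyboard-event subscription on a target so a site can tell whether
// something other than its own scripts (e.g. JavaScript injected by an
// in-app browser) started listening for what users type.
const KEYSTROKE_EVENTS = new Set(['keydown', 'keypress', 'keyup', 'input']);

function installKeystrokeListenerAudit(target) {
  const log = [];
  let pageScriptsDone = false;
  const originalAdd = target.addEventListener;

  // Wrap addEventListener as early as possible. Anything registered after
  // markPageScriptsDone() did not come from the page's own bundle.
  target.addEventListener = function (type, listener, options) {
    if (KEYSTROKE_EVENTS.has(type)) {
      log.push({ type, afterPageScripts: pageScriptsDone });
    }
    return originalAdd.call(this, type, listener, options);
  };

  return {
    log,
    markPageScriptsDone() { pageScriptsDone = true; },
    // Subscriptions per event type, split by who registered them.
    summary() {
      const out = { own: {}, external: {} };
      for (const entry of log) {
        const bucket = entry.afterPageScripts ? out.external : out.own;
        bucket[entry.type] = (bucket[entry.type] || 0) + 1;
      }
      return out;
    },
    // The signal worth alerting on: a keystroke listener added after the
    // page finished loading its own scripts.
    suspicious() { return log.some((e) => e.afterPageScripts); },
  };
}

// In a browser, wrap the prototype (covers document, window and every
// element) from the first inline <script> in <head>, and mark the page's
// own scripts done once they have run. Guarded so the block runs in Node.
if (typeof document !== 'undefined') {
  const audit = installKeystrokeListenerAudit(EventTarget.prototype);
  window.addEventListener('load', () => audit.markPageScriptsDone());
  window.__keystrokeAudit = audit; // assumed name; inspect from devtools
}
```

Listeners the page registers after the load event (lazy-loaded bundles, for instance) will also be flagged, so treat the result as a lead to investigate rather than proof of injection.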
We have contacted TikTok about the tracking code it injects into third-party sites and will update this report with any response.
Update: A company spokesperson has now sent this statement:
TikTok argues that the “keypress” and “keydown” events identified by Krause are common inputs, saying it’s incorrect to make assumptions about their use based solely on the code highlighted by the research.
To back this up, the spokesperson pointed to the same non-TikTok code on GitHub, which they claim would trigger the exact same response cited by the research as evidence of improper data collection but is instead used to trigger a known command, under the name ‘StopListening’, which they claim would specifically prevent an application from capturing what is typed.
TikTok’s spokesperson also told us that it doesn’t offer users the option to opt out of its in-app browser because doing so would require directing them outside of the app, which, according to them, would make the experience clunky and less fluid.
They also reiterated an earlier public denial from TikTok that it engages in keystroke logging (i.e. content capture), but suggested it could use keystroke information to detect unusual patterns or rhythms, such as whether each letter typed is exactly 1 keystroke per second, to help protect against fake logins, spammy comments, or other behavior that could threaten the integrity of its platform.
TikTok’s spokesperson went on to suggest that the level of data collection it engages in is akin to that of other apps that also collect information about what users are looking for in the app, in order to recommend relevant content and personalize the service.
They confirmed that users who browse web content in its app are tracked for similar personalization, such as selecting relevant videos to display in their For You feed. TikTok may also collect user activity data elsewhere, on advertisers’ apps and websites, when those third-party companies choose to share that data with it, they further noted.
Meta-owned apps Instagram, Facebook and FB Messenger have also been found by Krause to modify third-party sites loaded through their in-app browsers – with “potentially dangerous” commands, as he puts it – and we’ve also approached the tech giant for a response to the findings.
Privacy and data protection are regulated in the European Union by laws such as the General Data Protection Regulation (GDPR) and the ePrivacy Directive, so any tracking of users in the region that does not have an appropriate legal basis could lead to a regulatory sanction.
The two social media giants have already been the subject of various EU proceedings, investigations and enforcement actions relating to privacy, data and consumer protection in recent years, with a number of ongoing inquiries and impending major decisions.