MacRumors

macrumors bot
Original poster


TikTok's custom in-app browser on iOS reportedly injects JavaScript code into external websites that allows TikTok to monitor "all keyboard inputs and taps" while a user is interacting with a given website, according to security researcher Felix Krause, but TikTok has reportedly denied that the code is used for malicious reasons.

Krause said TikTok's in-app browser "subscribes" to all keyboard inputs while a user interacts with an external website, including any sensitive details like passwords and credit card information, along with every tap on the screen.

"From a technical perspective, this is the equivalent of installing a keylogger on third party websites," wrote Krause, in regards to the JavaScript code that TikTok injects. However, the researcher added that "just because an app injects JavaScript into external websites, doesn't mean the app is doing anything malicious."

In a statement shared with Forbes, a TikTok spokesperson acknowledged the JavaScript code in question, but said it is only used for debugging, troubleshooting, and performance monitoring to ensure an "optimal user experience."

"Like other platforms, we use an in-app browser to provide an optimal user experience, but the Javascript code in question is used only for debugging, troubleshooting and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes," the statement said, according to Forbes.

Krause said users who wish to protect themselves from any potential malicious usage of JavaScript code in in-app browsers should switch to viewing a given link in the platform's default browser if possible, such as Safari on the iPhone and iPad.

"Whenever you open a link from any app, see if the app offers a way to open the currently shown website in your default browser," wrote Krause. "During this analysis, every app besides TikTok offered a way to do this."

Facebook and Instagram are two other apps that insert JavaScript code into external websites loaded in their in-app browsers, giving the apps the ability to track user activity, according to Krause. In a tweet, a spokesperson for Facebook and Instagram parent company Meta said that the company "intentionally developed this code to honor people's App Tracking Transparency (ATT) choices on our platforms."

Krause said he created a simple tool that allows anyone to check if an in-app browser is injecting JavaScript code when rendering a website. The researcher said users simply need to open an app they wish to analyze, share the address InAppBrowser.com somewhere inside the app (such as in a direct message to another person), tap on the link inside the app to open it in the in-app browser, and read the details of the report shown.
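The check described above can be illustrated with a page-side probe. The following is an added example and is not code from the article, from TikTok, or from Krause's InAppBrowser.com tool; it assumes a website that is itself loaded inside an in-app browser and wants to report whether any script other than its own registered listeners for keyboard or touch events after the page finished loading. The function names and the two-second reporting delay are assumptions for this illustration.

```javascript
// Added example, not code from the article or from InAppBrowser.com.
// Wraps addEventListener on an EventTarget prototype so that listeners
// registered for keyboard/touch events AFTER the page's own scripts have
// run are recorded (event type and a short fingerprint of the listener only;
// no key values or user input are ever captured).

const INPUT_EVENTS = new Set([
  'keydown', 'keypress', 'keyup', 'input', 'beforeinput',
  'touchstart', 'touchend', 'click',
]);

// Installs the wrapper in place and returns the log plus arm()/uninstall().
function installListenerProbe(proto) {
  const original = proto.addEventListener;
  const log = [];
  let armed = false; // only registrations made after arm() are recorded
  proto.addEventListener = function (type, listener, options) {
    if (armed && INPUT_EVENTS.has(type)) {
      log.push({
        type,
        // Constructor name of the object the listener was attached to
        // (e.g. HTMLDocument, Window), best effort.
        target: this && this.constructor ? this.constructor.name : 'unknown',
        // Truncated listener source, enough to tell page code from a stranger.
        source: typeof listener === 'function' ? String(listener).slice(0, 80) : 'object',
      });
    }
    return original.call(this, type, listener, options);
  };
  return {
    log,
    arm() { armed = true; },
    uninstall() { proto.addEventListener = original; },
  };
}

// Turns the log into a small report: which input events were subscribed to,
// how many listeners each got, and whether any keyboard event is among them.
function summarizeRegistrations(log) {
  const byEvent = {};
  for (const entry of log) {
    byEvent[entry.type] = (byEvent[entry.type] || 0) + 1;
  }
  const keyboardEvents = ['keydown', 'keypress', 'keyup', 'input', 'beforeinput'];
  const subscribesToKeyboard = keyboardEvents.some((t) => byEvent[t] > 0);
  return { subscribesToKeyboard, byEvent };
}

// Browser bootstrap: install as early as possible, arm once the page's own
// scripts are done, then report what was registered afterwards.
if (typeof document !== 'undefined' && typeof EventTarget !== 'undefined') {
  const probe = installListenerProbe(EventTarget.prototype);
  window.addEventListener('load', () => {
    probe.arm();
    // Assumed delay: give injected scripts time to attach their listeners.
    setTimeout(() => console.log(summarizeRegistrations(probe.log)), 2000);
  });
}
```

Two caveats matter in practice. An in-app browser can inject its script before any page script runs (WebKit user scripts can execute at document start), so listeners attached that early are missed by a page-installed wrapper; and injected code that saved its own reference to the original `addEventListener` bypasses the wrapper entirely. The probe therefore gives evidence of injection, not proof of its absence, which is also why opening the link in the system browser remains the reliable mitigation.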

Apple did not immediately respond to a request for comment.

Update: A spokesperson for TikTok issued the following statement to MacRumors.

"The report's conclusions about TikTok are incorrect and misleading. The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects. Contrary to the report's claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring."

According to the TikTok spokesperson, the JavaScript code is part of a software development kit (SDK) that TikTok is leveraging, and the "keypress" and "keydown" functions mentioned by Krause are common inputs that TikTok does not use for keystroke logging.

Article Link: TikTok's In-App Browser Reportedly Capable of Monitoring Anything You Type
The frustrating thing here is that despite Apple's PR about being best at privacy, it's their own SDK elements that continue to offer up all these workarounds and hacks to apps to gain more privacy...the in-app browser is still provided by iOS, just DON'T ALLOW THE HOOKS!!
 
This is why I hate in-app browsers. Let's face it, Google, Facebook, they all do/did it, which is why they're so insistent on forcing users to remain in their app with these in-app browser "experiences." This is an issue on Android as well, where Google searches in the Google app stick with Chrome/the in-app browser by default even if I have another browser set as my default browser.

There are always shenanigans like this. I wish for Apple to simply disable in-app browsers, and force any links to just use the default browser externally.
 
The frustrating thing here is that despite Apple's PR about being best at privacy, it's their own SDK elements that continue to offer up all these workarounds and hacks to apps to gain more privacy...the in-app browser is still provided by iOS, just DON'T ALLOW THE HOOKS!!

If Apple did further lock down in-app browsers, all that would do is get the "Apple-is-evil!-something-something-walled-garden!-something-something-sideloading-or-die!" crowd riled up to 11.
 
I think after reading the article I am less worried about the vulnerability. But I am now more aware of the danger of using in-app browsers.

TikTok and other apps that have this feature should have it turned off unless there is a support case opened and users require assistance. They need to respect users' online privacy. They are not privacy conscious when it comes to app design and support.

It’s like saying “oh, i leave the backdoor open so I can debug anytime I want.” That’s insane.
 
It's owned by a Chinese company with alleged ties to the CCP. If you're concerned about it, don't use it. It's quite simple.

What classifies as ties to the CCP? Don’t you think Apple has them? With all of their factories and contractors in China, surely it is so. CCP has ties with every major corporation you deal with on the daily. TikTok is probably just one of the more blatant because it involves surveillance and sucking up your information.
 
What classifies as ties to the CCP? Don’t you think Apple has them? With all of their factories and contractors in China, surely it is so. CCP has ties with every major corporation you deal with on the daily. TikTok is probably just one of the more blatant because it involves surveillance and sucking up your information.


Goes much deeper than just having manufacturing plants based over there.
 
It's owned by a Chinese company with alleged ties to the CCP. If you're concerned about it, don't use it. It's quite simple.
If only it were that easy.

TikTok is this generation’s Instagram, which was that gen’s facebook, which was that gen’s facebook, which was that gen’s MySpace, which was that gen’s internet 1.0 chat rooms/forums, which was that gen’s weekend night meetups? Sleepovers? The roller rink? (I don’t know, pick your internet-less fun social activity.)

Social Media has hooked society good, and it would take a massive asteroid or solar flare to shut down electronics for society to stop using TikTok (or whatever the next hip social media app is).

Call me a conspiracist on this, but I believe TikTok was created to collect social behavior information and manipulate behavior/thought. ☹️
 
What classifies as ties to the CCP? Don’t you think Apple has them? With all of their factories and contractors in China, surely it is so. CCP has ties with every major corporation you deal with on the daily. TikTok is probably just one of the more blatant because it involves surveillance and sucking up your information.
Zhang Fuping is a CCP secretary and is VP at ByteDance (TikTok's parent company). The CCP also has a minority stake in ByteDance and is on their board.

Is CCP on Apple's board?
 