TikTok's custom in-app browser on iOS reportedly injects JavaScript code into external websites that allows TikTok to monitor "all keyboard inputs and taps" while a user is interacting with a given website, according to security researcher Felix Krause, but TikTok has reportedly denied that the code is used for malicious reasons.

Krause said TikTok's in-app browser "subscribes" to all keyboard inputs while a user interacts with an external website, including any sensitive details like passwords and credit card information, along with every tap on the screen.

"From a technical perspective, this is the equivalent of installing a keylogger on third party websites," wrote Krause, in regards to the JavaScript code that TikTok injects. However, the researcher added that "just because an app injects JavaScript into external websites, doesn't mean the app is doing anything malicious."

In a statement shared with Forbes, a TikTok spokesperson acknowledged the JavaScript code in question, but said it is only used for debugging, troubleshooting, and performance monitoring to ensure an "optimal user experience."

"Like other platforms, we use an in-app browser to provide an optimal user experience, but the Javascript code in question is used only for debugging, troubleshooting and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes," the statement said, according to Forbes.

Krause said users who wish to protect themselves from any potential malicious usage of JavaScript code in in-app browsers should switch to viewing a given link in the platform's default browser if possible, such as Safari on the iPhone and iPad.

"Whenever you open a link from any app, see if the app offers a way to open the currently shown website in your default browser," wrote Krause. "During this analysis, every app besides TikTok offered a way to do this."

Facebook and Instagram are two other apps that insert JavaScript code into external websites loaded in their in-app browsers, giving the apps the ability to track user activity, according to Krause. In a tweet, a spokesperson for Facebook and Instagram parent company Meta said that the company "intentionally developed this code to honor people's App Tracking Transparency (ATT) choices on our platforms."

Krause said he created a simple tool that allows anyone to check if an in-app browser is injecting JavaScript code when rendering a website. The researcher said users simply need to open an app they wish to analyze, share the address InAppBrowser.com somewhere inside the app (such as in a direct message to another person), tap on the link inside the app to open it in the in-app browser, and read the details of the report shown.
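As an added illustration (this is not Krause's InAppBrowser.com code, nor any app's injected script), here is a page-side check in the spirit of the tool described above: it reports script elements the host page did not ship and DOM built-ins whose source no longer reads as native. The expected-script allowlist and origin are constructed values, and the second check matters because a WKWebView user script is evaluated directly in the page without adding a `<script>` element.

```javascript
// Constructed allowlist: the scripts this (hypothetical) page ships itself.
const EXPECTED = {
  srcs: new Set(["https://example.test/app.js", "https://cdn.example.test/lib.js"]),
  inline: new Set(["window.__cfg={v:1};"]),
};

// Flag every observed script not on the allowlist. `observed` is a list of
// {src, inline} descriptors, e.g. built from document.scripts below.
function classifyScripts(observed, expected = EXPECTED) {
  const injected = [];
  for (const s of observed) {
    if (s.src) {
      if (!expected.srcs.has(s.src)) injected.push({ kind: "external", src: s.src });
    } else if (!expected.inline.has((s.inline || "").trim())) {
      injected.push({ kind: "inline", preview: (s.inline || "").slice(0, 60) });
    }
  }
  return injected;
}

// Report functions whose source text no longer contains "[native code]":
// a built-in that has been wrapped or replaced by injected JavaScript.
// Function.prototype.toString is used directly so an overridden toString
// on the wrapper itself cannot mask the check.
function overriddenNatives(targets) {
  const out = [];
  for (const [label, obj, names] of targets) {
    for (const name of names) {
      const fn = obj && obj[name];
      if (typeof fn !== "function") continue;
      if (!Function.prototype.toString.call(fn).includes("[native code]")) {
        out.push(`${label}.${name}`);
      }
    }
  }
  return out;
}

// Browser-only entry point: returns null when there is no DOM (e.g. Node).
function snapshotDom() {
  if (typeof document === "undefined") return null;
  const observed = [...document.scripts].map((s) => ({
    src: s.src || "",
    inline: s.src ? "" : s.textContent,
  }));
  return {
    injectedScripts: classifyScripts(observed),
    overridden: overriddenNatives([
      ["EventTarget.prototype", EventTarget.prototype, ["addEventListener"]],
      ["document", document, ["createElement", "querySelector"]],
      ["window", window, ["fetch", "XMLHttpRequest"]],
    ]),
  };
}
```

Serve this from a page you control, open that page inside the in-app browser under test, and log `snapshotDom()`; an empty result does not prove nothing was injected, only that neither signal fired.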

Apple did not immediately respond to a request for comment.

Article Link: TikTok's In-App Browser Reportedly Capable of Monitoring Anything You Type
I think this has been a known fact for quite a while, and it is a very addicting app that generates millions of dollars in algorithm revenue, not to mention all your personal data.
So when is apple taking it off the store? I heard they were all about privacy?

Apple is all about money now.
I think since this topic has been politically charged before, anybody that said or took a stance (against or in favor) some time ago will just bite it and roll with it even if the final outcome happened to be detrimental for themselves, their users and society as a whole.

This isn’t a critique, just saying that it is what it is, as it is often the case that it’s all about “I want to be (or look like or convince to be) right” against all costs. As of now, TikTok isn’t going anywhere.
So when is apple taking it off the store? I heard they were all about privacy?
Well. That was the idea. Never fully happened though.

Fascinating read if you have 5-10 minutes (Wiki link below). It talks about the previous and current US administrations, politicians, defense wings, etc.

There’s a lot of info in there, and as usual, it’s much more complex than what’s reported.

I can’t believe anyone is surprised about this. How do you think they make money? 🙄
This is why I hate in-app browsers. Let's face it, Google, Facebook, they all do/did it, which is why they're insistent on forcing users to remain in their app with these in-app browser "experiences." This is an issue on Android as well, where Google searches in the Google app stick with Chrome/in-app browser by default even if I have another browser set as my default.

There are always shenanigans like this. I wish for Apple to simply disable in-app browsers, and force any links to just use the default browser externally.
For real. In-app browsers never give me any confidence that the privacy extensions I have for Safari are working.
It's owned by a Chinese company with alleged ties to the CCP. If you're concerned about it, don't use it. It's quite simple.
Um...spoken like a person who doesn't have kids.

Next you'll tell me I shouldn't allow those f**king Chromebooks in my house...both of my kids have an M1 MacBook Air, yet some of the school software won't run on macOS, even within the Chrome browser. So they have to use those f**king Chromebooks to get their homework done.

The sad fact is that, for many, the choice isn't simple. Don't want your kids on Twitter? Teachers post assignments on it. Don't want your kids on SnapChat? That's where their friends communicate. I hate social media platforms...but without them, you might as well send your kids to a leper colony and hope they learn to appreciate solo basket-weaving.

And by the time the regulators catch up to these shenanigans, millions will be compromised.

Today, we read about how early industrial companies unapologetically polluted our water and air and think "wow, how could they have let that happen!?!". In 20 years, historians will not be kind when describing a society that glorified unregulated unicorns and exponentially scalable platforms without guardrails.

We are a silly little species. We learn very, very slowly.
Facebook, Instagram, WhatsApp, Twitter, TikTok, and other social networking sites/social media, then Tile, Life360, and others, all gathering data to sell it to others as part of their income generation... And even if you never had an account, you are still tracked...

Is there anything worth trusting anymore?
All about privacy, eh? Lmfaoooo
Why is anyone surprised by this?

I would also not be surprised if Facebook has a similar feature embedded in Facebook and Instagram as well.
Never used it, but not surprised in the least. I’m sure it’s in the fine print somewhere that they’re allowed to do so, along with getting custody of your children if anything happens to you.

But just press that button to accept terms quick like and in a hurry, so you can start recording and get those likes and follows.
Facebook and Instagram are two other apps that insert JavaScript code into external websites loaded in their in-app browsers, giving the apps the ability to track user activity, according to Krause. In a tweet, a spokesperson for Facebook and Instagram parent company Meta said that the company "intentionally developed this code to honor people's App Tracking Transparency (ATT) choices on our platforms."
You can basically sum up this Meta PR statement as "Pawn shop says they developed a better lock pick to honor police request to stop selling stolen goods."

It must take a particular level of Orwellian soullessness to issue a statement that blatantly self-contradictory with a straight face.
Never used it, but not surprised in the least. I’m sure it’s in the fine print somewhere that they’re allowed to do so, along with getting custody of your children if anything happens to you.

But just press that button to accept terms quick like and in a hurry, so you can start recording and get those likes and follows.
And if you don’t join, then they’ll cast you out. Like a leper!

You see, their morals, their code, it's a bad joke. Dropped at the first sign of trouble. They're only as good as the world allows them to be. I'll show you. When the chips are down, these... these civilized people, they'll eat each other.