A security researcher has raised alarms about the browser embedded in the popular TikTok app, presenting evidence that the JavaScript it injects into web pages is capable of tracking keystrokes. The company responded to the report by confirming that the ability exists within the app’s code, but said that it is not active and that it is only used internally for debugging, troubleshooting and performance testing.
Security researcher Felix Krause, a former Google engineer, notes that even having this ability present in an app is highly unusual and is normally associated with malware and spyware. Though TikTok does not appear to be actively recording keystrokes at present, the injected code subscribes to every keyboard input on any page loaded in the in-app browser, so the capability is in place whenever a user opens an external link from within the app.
A number of messaging and retail apps have incorporated integrated web browsers to keep users within the app when following external links included in product promotions or posted by other users. The app browser will generally activate when the user clicks on a link within the app.
Krause presented the research alongside the launch of InAppBrowser.com, a tool that reports which JavaScript commands an in-app browser injects when a web page is loaded in it. Several other major in-app browsers both modify the loaded page and insert JavaScript of some kind, with Instagram, Facebook, Facebook Messenger and Amazon being the biggest examples. Most of this injection serves non-malicious purposes, such as integrating app features and functionality with the external web page. The TikTok browser was the only one studied that was found to have the capability of tracking keystrokes, something that could be used to capture user login credentials, credit card numbers and private messages typed into any page opened inside the app.
Some other apps, such as Instagram, monitor everything the user taps on or selects, for advertising and analytics purposes. The TikTok browser goes a step further by subscribing to every keyboard input in addition to all taps and text highlights/selections. It is common for app developers to add keystroke logging while testing an app during development, which is what TikTok says this is for, but such functionality is nearly always removed from the final public product. Krause said that he could not find evidence that the TikTok browser was actively logging the captured input, but that it was also not possible to rule out the possibility, since what happens to the data once it reaches the app’s native code is not visible from the page.
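To make the two paragraphs above concrete, here is an added example (written for this page; it is not code from Krause’s tool or from TikTok) in plain JavaScript. It contains a constructed stand-in for the kind of script an app can inject into its web view, which subscribes to keypress, click and selection events and forwards them to a sink, and a small audit hook that patches `addEventListener` so a page can see which event types any script, injected or not, has hooked. The `document` object, the `hunter2` password and the event names used in the simulation are all assumptions made for the demonstration; it runs under Node 15 or later, which provides `EventTarget` and `Event` globally, and the same hook works in a browser console.

```javascript
// Added example, not code from the original page, Krause's tool, or TikTok.
// Shows what an injected keystroke/tap tracker looks like and how a page can
// surface it by auditing addEventListener calls. Runs under Node >= 15.

// Event types whose listeners can reveal what a user types, taps or selects.
const SENSITIVE_EVENTS = new Set([
  'keydown', 'keypress', 'keyup', 'input', 'paste',
  'click', 'touchstart', 'touchend', 'selectionchange',
]);

// Wrap EventTarget.prototype.addEventListener so every subscription made
// after this point, by the page or by injected code, is recorded.
function installListenerAudit(proto = EventTarget.prototype) {
  const log = [];
  const original = proto.addEventListener;
  proto.addEventListener = function (type, listener, options) {
    log.push({ type, sensitive: SENSITIVE_EVENTS.has(type) });
    return original.call(this, type, listener, options);
  };
  return {
    log,
    // Sorted, de-duplicated list of sensitive event types that were hooked.
    hookedSensitive: () =>
      [...new Set(log.filter(e => e.sensitive).map(e => e.type))].sort(),
    restore: () => { proto.addEventListener = original; },
  };
}

// Constructed stand-in for the kind of script a host app can inject into its
// web view: it subscribes to keyboard, tap and selection events on the
// document and forwards each one to a sink (in a real app, a native bridge).
function injectedTracker(doc, sink) {
  doc.addEventListener('keypress', e => sink.push(`key:${e.key}`));
  doc.addEventListener('click', () => sink.push('tap'));
  doc.addEventListener('selectionchange', () => sink.push('select'));
}

// Minimal keyboard event for the simulation (browsers use KeyboardEvent).
class KeyPress extends Event {
  constructor(key) { super('keypress'); this.key = key; }
}

// Simulates a user typing a password into a page loaded in an in-app browser
// whose host app injected the tracker above, and reports both what the
// tracker captured and which sensitive events the audit hook saw hooked.
function demo(password = 'hunter2') {   // 'hunter2' is a constructed sample
  const audit = installListenerAudit();
  try {
    const doc = new EventTarget();      // stand-in for window.document
    const captured = [];
    injectedTracker(doc, captured);     // the "injection" step
    for (const ch of password) doc.dispatchEvent(new KeyPress(ch));
    doc.dispatchEvent(new Event('click'));
    doc.dispatchEvent(new Event('selectionchange'));
    return { hooked: audit.hookedSensitive(), captured };
  } finally {
    audit.restore();                    // leave the prototype as we found it
  }
}

console.log(JSON.stringify(demo(), null, 2));
```

The audit hook only sees subscriptions made through the page’s JavaScript; an app that observes the web view from native code, or that injects its script before the page’s own code runs, leaves nothing for the hook to record, which is the same limitation the article notes for Krause’s tool.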
This is the second incident for TikTok involving questionable and invasive logging in recent years. In 2020, the app was found to be repeatedly reading the iOS clipboard, picking up whatever text or items the user had cut or copied. In March of 2020 TikTok declared that it would remove this behaviour from the app, but follow-up studies later in the year found that it was still going on.
The TikTok browser is just the latest security and privacy issue that has emerged, as the company is already under long-running scrutiny dating back to its inception as Musical.ly. Over time, the issues with TikTok have evolved from how it handles the personal data of minors on the platform to how much access its staff in China (and by extension the national government) may have to users in the US and other countries. A recent internal leak from the company exposed engineers, staff and contractors discussing access to US user information by engineers based in China, a possibility that was supposed to have been eliminated when TikTok was threatened with deplatforming by the Trump administration.
While it is impossible to say with certainty if TikTok is tracking keystrokes for the purpose of logging information, the company has said that it analyzes the pace and cadence of typing as a means of detecting bot activity and other security risks (the company says that automated scripts sometimes have telltale signs of this nature, like always appearing to press keys at uniform time intervals). The TikTok browser report is already drawing some regulatory scrutiny, however, with Ireland’s Data Protection Commission saying that the findings have prompted a meeting with both TikTok and Meta about the issue.
Defending against injected scripts of this kind (and the possibility of apps tracking keystrokes through them) can be as simple as only opening web links in a trusted browser, such as Safari, but most of the embedded app browsers make this at least somewhat difficult. For example, both TikTok and Meta’s family of apps require you to first open their in-app browser to reach the setting that makes an external browser open links instead, and it can take some combing through menus to find it. Krause’s InAppBrowser.com can also check an in-app browser for injected JavaScript, but he notes that the tool cannot detect every command that is run and sees nothing of any tracking the app performs in native code rather than through the page, so a clean result is not proof that no tracking is taking place.
News, insights and resources for data protection, privacy and cyber security professionals.