A security researcher has raised alarms about the browser embedded in the popular TikTok app, presenting evidence that it is capable of tracking keystrokes. The company responded to the report by confirming that the capability exists in the app's code, but said that it is not active and is used only internally for debugging and testing.
Security researcher Felix Krause, a former Google engineer, notes that even having this ability present in an app is highly unusual and something that is usually only done by malware and spyware. Though TikTok does not appear to be actively tracking keystrokes at present, it is possible for it to do so when the user clicks on an external link within the app.
A number of messaging and retail apps have incorporated integrated web browsers to keep users within the app when following external links included in product promotions or posted by other users. The app browser will generally activate when the user clicks on a link within the app.
Some other apps, such as Instagram, monitor everything the user taps on or selects for advertising and analytics purposes. The TikTok browser goes a step further by monitoring every keyboard input along with all taps and highlights/selections. It is common for app developers to build keystroke-tracking tools for use while testing the app during development, which is what TikTok says the code is for, but such functionality is nearly always removed from the final public product. Krause said that he could not find evidence that the TikTok browser was actively logging information, but that it was also not possible to rule out the possibility.
This is the second incident for TikTok involving questionable and invasive logging in recent years. In 2020, the app was found to be constantly reading the iOS clipboard for text or other items that had been cut or copied and pasted. In March of 2020 TikTok declared that it would remove this behavior from the app, but follow-up studies later in the year found that it was still going on.
The TikTok browser is just the latest security and privacy issue that has emerged, as the company is already under long-running scrutiny dating back to its inception as Musical.ly. Over time, the issues with TikTok have evolved from how it handles the personal data of minors on the platform to how much access its staff in China (and by extension the national government) may have to users in the US and other countries. A recent internal leak from the company exposed engineers, staff and contractors discussing access to US user information by engineers based in China, a possibility that was supposed to have been eliminated when TikTok was threatened with deplatforming by the Trump administration.
While it is impossible to say with certainty if TikTok is tracking keystrokes for the purpose of logging information, the company has said that it analyzes the pace and cadence of typing as a means of detecting bot activity and other security risks (the company says that automated scripts sometimes have telltale signs of this nature, like always appearing to press keys at uniform time intervals). The TikTok browser report is already drawing some regulatory scrutiny, however, with Ireland’s Data Protection Commission saying that the findings have prompted a meeting with both TikTok and Meta about the issue.
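As an added illustration of the cadence heuristic the company describes (uniform inter-key timing as a bot signal), here is a small detector that is not TikTok's code; the 0.1 threshold and the keystroke timestamps are constructed assumptions, not values from the report:

```python
import statistics

# Constructed sample keystroke timestamps in milliseconds, not real telemetry.
# A scripted typist fires keys at a fixed 100 ms interval; a human shows jitter.
SCRIPTED_MS = [0, 100, 200, 300, 400, 500, 600, 700]
HUMAN_MS = [0, 140, 210, 395, 460, 720, 790, 1010]


def inter_key_intervals(timestamps_ms):
    """Return the gaps between consecutive keystrokes, in milliseconds."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def cadence_uniformity(timestamps_ms):
    """Coefficient of variation (stdev / mean) of the inter-key intervals.

    Values near 0 mean the keystrokes arrived at almost perfectly regular
    intervals; human typing typically produces a much larger spread.
    Returns None when fewer than three keystrokes are available.
    """
    gaps = inter_key_intervals(timestamps_ms)
    if len(gaps) < 2:
        return None
    mean = statistics.fmean(gaps)
    if mean <= 0:
        return None
    return statistics.pstdev(gaps) / mean


def looks_scripted(timestamps_ms, cv_threshold=0.1):
    """Heuristic: flag a keystroke sequence whose cadence is suspiciously uniform.

    The threshold is an assumed illustrative value, not a tuned production setting.
    """
    cv = cadence_uniformity(timestamps_ms)
    return cv is not None and cv < cv_threshold


if __name__ == "__main__":
    for label, sample in (("scripted", SCRIPTED_MS), ("human", HUMAN_MS)):
        cv = cadence_uniformity(sample)
        print(f"{label}: cv={cv:.3f} scripted={looks_scripted(sample)}")
```

Real deployments would combine this with other signals, since a human on a steady rhythm or a bot with injected jitter can each fool a single-feature threshold.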