TikTok refutes researcher’s claims that in-app browser tracks keystrokes
Security researcher Felix Krause says TikTok, alongside Meta Platforms apps, can modify the code of websites loaded through in-app browsers
A new analysis has revealed that some popular apps can track user data while people use their in-app browsers.
TikTok’s behavior was of particular concern, according to security researcher Felix Krause, who says the short-form video platform’s iOS app has code that allows it to monitor all keystrokes and taps on the screen, including text entries such as passwords and credit card information.
“TikTok iOS subscribes to every keystroke (text entries) that occurs on third-party websites rendered in the TikTok app,” Krause wrote in a blog post published Aug. 18. “We can’t know what TikTok uses the subscription for, but from a technical perspective, it’s equivalent to installing a keylogger on third-party websites.”
This came to light when Krause analyzed the code behind popular platforms’ apps.
As mentioned earlier, TikTok’s behavior was said to be of most concern due to the breadth of inputs it tracks and the lack of an option for users to use their default browsers. This means that users who want to open a link in the app cannot avoid tracking except by copying the link and pasting it into another browser or, if copying is not possible, manually typing the URL.
Krause stresses, however, that this doesn’t necessarily mean TikTok is doing “anything malicious” with the data it collects and has access to. Yet the behavior itself raises questions about the privacy of platform users.
A TikTok spokesperson said the platform is not committing any wrongdoing, telling TechCrunch that Krause’s conclusions were “incorrect and misleading,” while confirming that these features exist in the code.
The spokesperson added that the option to use a different browser is not available because it would require directing users out of the app, which the company says compromises the experience.
TikTok also suggested that its data collection practices are no different from those of other platforms, focusing primarily on what users search for and view on the app to suggest relevant content for them. The company acknowledged that users browsing the web on the platform are tracked, but only for personalization purposes.
Krause says that Meta’s platforms, namely Facebook, Instagram and Messenger, all similarly modify the code of websites loaded through in-app browsers.
Despite these findings, the researcher reassured iOS users that Apple’s software is still more secure than Android when it comes to privacy. He notes that apps such as Twitter, YouTube, Gmail, Reddit and WhatsApp, among others, follow the iPhone manufacturer’s recommendation to use Safari or the system’s default browser to open external websites. – Rappler.com