TikTok’s in-app browser can monitor your keystrokes, researcher says
TikTok’s in-app browser has the ability to monitor certain types of user activity on external websites it accesses, according to new research.
According to a study published Thursday by Felix Krause, a Vienna-based software researcher, when TikTok users open a website through a link in the TikTok app, the app injects code into the website that allows TikTok to monitor activity such as keystrokes and what users type on that site.
This could allow TikTok to capture personal information about users, such as credit card numbers and passwords, although the company claims not to do so. The app is able to insert the code and modify websites to enable this monitoring because the sites are opened in TikTok’s built-in browser, rather than a standard browser like Chrome or Safari.
“It was an active choice that the company made,” Krause told Forbes, which first reported the results. “This is a non-trivial engineering task. It does not happen by mistake or by chance.” Krause is the founder of app testing company Fastlane, which Google acquired five years ago.
TikTok released a statement calling the report’s findings “incorrect and misleading,” noting that Krause specifically says in the report that the existence of the code does not mean the app is doing anything malicious.
“Contrary to the report’s claims, we do not collect typing or text input through this code, which is only used for debugging, troubleshooting, and performance monitoring,” the company said in its statement.
TikTok added that the code is part of a third-party software development kit, or SDK, a set of tools used to build or maintain apps, and that the SDK includes features that TikTok does not use.
The news comes amid long-standing security and oversight concerns over the TikTok app and its ownership by the Chinese company ByteDance. Some US officials say TikTok threatens national security because ByteDance could share data about Americans collected through the app with the Chinese government, which could then weaponize it against Americans. TikTok has repeatedly said it would never do this.
Krause’s research covered more than TikTok. In total, he tested seven iPhone apps that use built-in browsers, including TikTok, Facebook, Facebook Messenger, Instagram, Snapchat, Amazon and Robinhood. Of these, TikTok is the only one that appears to monitor keystrokes, Krause said. Krause has not tested the Android version of TikTok’s app.