TikTok’s iOS app’s in-app browser was found to be injecting code that could allow the app to monitor all keyboard input and taps, also known as keylogging.
The revelation comes after developer Felix Krause ran independent privacy research as part of the development process for InAppBrowser.com, a tool to list JavaScript commands executed by an iOS app rendering a web page. Note that the tool doesn’t necessarily pick up all JavaScript commands being run nor can it detect any tracking done using native code inside the app.
Krause also published a report last week highlighting how Facebook and Instagram’s in-app browsers have the potential to track users. The findings about TikTok came later as the developer was testing his new tool to compare seven major iOS apps’ in-app browsers. TikTok seems to have taken the crown when it comes to concerning behaviour.
According to Krause’s tool, TikTok’s iOS app subscribes to every keystroke or text input that takes place on third-party websites that are rendered inside the app. This can include passwords, credit card information and other sensitive user data the user types.
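As an added example (not part of the article, and not code from Krause's InAppBrowser.com tool), the hook below is one a site owner can load in their own page to record which scripts subscribe to keystroke and text-input events, the behaviour described above. The function names are my own; it wraps the standard EventTarget.prototype.addEventListener, so it runs in a browser and, for offline testing, against Node's built-in EventTarget.

```javascript
// Audit hook: record every subscription to keystroke/text-input events so a site
// owner can see whether an in-app browser (or any injected script) listens to
// typing page-wide. Wraps the standard EventTarget.prototype.addEventListener.
const KEY_INPUT_EVENTS = new Set(["keydown", "keyup", "keypress", "input", "beforeinput"]);

function describeTarget(target) {
  // document reports "#document", elements their tag name, other targets their class
  if (typeof target.nodeName === "string") return target.nodeName;
  return (target.constructor && target.constructor.name) || "unknown";
}

function createListenerAudit(proto = EventTarget.prototype) {
  const registrations = [];
  const original = proto.addEventListener;
  proto.addEventListener = function (type, listener, options) {
    if (KEY_INPUT_EVENTS.has(type)) {
      registrations.push({
        type,
        target: describeTarget(this),
        // Capturing listeners at document/window level see every field's input
        capture: options === true || Boolean(options && options.capture),
        // The stack shows which script registered the listener (injected code
        // usually carries no page-owned script URL in it)
        stack: new Error().stack,
      });
    }
    return original.call(this, type, listener, options);
  };
  return {
    registrations,
    report() {
      const pageWide = registrations.filter(
        (r) => r.target === "#document" || r.target === "Window").length;
      return {
        keystrokeSubscriptions: registrations.length,
        pageWide,
        types: [...new Set(registrations.map((r) => r.type))].sort(),
      };
    },
    restore() { proto.addEventListener = original; },
  };
}

// Constructed stand-alone demo: a plain EventTarget plays the role of the page
function demo() {
  const audit = createListenerAudit();
  const page = new EventTarget();
  page.addEventListener("click", () => {});          // not typing, ignored
  page.addEventListener("keydown", () => {}, true);  // capturing keystroke hook
  page.addEventListener("input", () => {});
  const result = audit.report();
  audit.restore();
  return result;
}
```

In a real page, load this before any other script and inspect `report()` and the recorded stacks; a capturing keydown or input listener on `#document` or `Window` registered by a script the page did not ship is the pattern to investigate.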
Update [20/08/22]: TikTok has responded to Krause’s warnings stating that the report’s findings about the app are “incorrect and misleading”. They reiterated the fact that Krause himself stated in his report that there’s no way to tell what kind of data TikTok’s in-app browser is collecting and whether or not the inserted JavaScript is actually being used for malicious purposes.
The company claims that this code is solely being used for debugging, troubleshooting and performance monitoring.
While we don’t know what TikTok does with this data, this is similar to installing a keylogger for third-party websites. Krause also pointed out that just because TikTok is subscribing to every keystroke, that doesn’t necessarily mean it’s doing something malicious with its access. That said, there’s no way for outsiders to know for sure what kind of data is being collected, how the data collection works and how it’s being transferred and used.
Other apps included in the research were Facebook, Messenger, Instagram, Amazon, Snapchat and Robinhood. Out of these seven apps, only TikTok doesn’t give the user an option to open an external link in the phone’s default browser.
The Meta-owned apps Facebook, Messenger and Instagram injected JavaScript code to modify the page and fetch metadata, while Amazon only used JavaScript to fetch metadata. Snapchat and Robinhood were the safest of the bunch, with their in-app browsers not injecting any JavaScript at all.