TikTok in-app browser can track your keystrokes

Data privacy and security have been taking the spotlight more often over the past few years, particularly when it comes to big tech. Among them, the likes of TikTok have been heavily criticized for how it operates its platform, on more than one occasion. Now, it appears the popular short video app is on the receiving end once more. This time, it’s owing to the platform’s in-app browser.

According to privacy researcher Felix Krause, TikTok has built-in functionality that allows it to keep track of user activities. Whenever a user opens a link via TikTok’s in-app browser, the app injects a tracking code that can monitor all keystrokes including passwords and all types of taps such as specific button clicks. For example, if you visit a website on the app and proceed to enter login details, TikTok could collect that data if it chooses.

To be clear, the research doesn’t specify that TikTok actively collects keystroke data, but rather that the company has functionality built in that potentially allowed it to do so. The fact that the ability is there alone should be alarming.

🔥 New Post: Announcing InAppBrowser – see what JavaScript commands get injected through an in-app browser

👀 TikTok, when opening any website in their app, injects tracking code that can monitor all keystrokes, including passwords, and all taps.https://t.co/TxN1ezZX71 pic.twitter.com/pQcX5vrEXc

— Felix Krause (@KrauseFx) August 18, 2022

TikTok has since responded following Krause’s revelations, calling the conclusions about the platform incorrect and misleading. It also pointed out that the JavaScript in question is part of an SDK it’s using and that TikTok doesn’t collect any keystroke data. The company further stated that the tracking code is only used for “debugging, troubleshooting and performance monitoring” such as page load speeds and any crashes.

Furthermore, unlike many apps, TikTok doesn’t offer a means to opt out of its in-app browser. According to TikTok, doing so would mean a “clunky, less slick experience.”

This isn’t TikTok’s first time

Krause’s findings come amidst a renewed push for the Chinese-owned platform to be banned in the US over security concerns. It doesn’t help TikTok’s case when a recent Buzzfeed report revealed China had repeatedly accessed US user data, at least during the September 2021 and January 2022 period. At the time, TikTok spokesperson Maureen Shanahan responded, “We know we’re among the most scrutinized platforms from a security standpoint, and we aim to remove any doubt about the security of US user data.” She further mentioned, “we hire experts in their fields, continually work to validate our security standards, and bring in reputable, independent third parties to test our defenses.”

Another report from July, this time by Australian cybersecurity firm Internet 2.0, echoed similar concerns. The report states that the app collects “excessive” user data, for instance, collecting contact list info, calendar access, the ability to scan hard drives (including external) as well as geolocate devices hourly. The Australian government in response had said that it “has this report and has been well aware of these issues for some years,” as per federal minister for home affairs and cyber security, Clare O’Neil. Of course, TikTok claims the Internet 2.0 report to be baseless.

Unsurprisingly, TikTok has been caught red-handed before. Back in 2020, Apple was working on iOS 14, and on it were a few interesting security updates. One of these features notified users whenever a third-party app uses clipboard data. During the iOS 14 beta stage, users found out that the app accessed clipboard data and it even monitors every few keystrokes when running in the background. Though to be fair, TikTok wasn’t the only app that was revealed to be accessing users’ clipboard data during iOS 14 beta testing.

The growing tech privacy problem

It should be noted that TikTok isn’t the only data privacy and security violator. US-based tech companies have been tracking and collecting user data for years. One look at Google’s own records of your activity history is enough to gauge the scale of data collection by big tech. Then there are likes of Meta Facebook that has built a reputation to such an extent that it’s nearly synonymous with privacy violations (which would explain the reality of the company’s rebranding). However, now it’s looking like TikTok is fighting hard for that top spot.

Speaking of big tech and Facebook, this isn’t the first time Krause found an in-app browser issue. Krause previously reported that Instagram and Facebook could track anything a user does on a website via its in-app web browser. Facebook in response claimed the code was intentionally developed to “honor people’s App Tracking Transparency (ATT) choices on our platforms.”

We do not add pixels to websites. The code in question allows us to respect people's privacy choices by helping aggregate events (such as making a purchase online) from pixels already on websites, before those events are used for advertising or measurement purposes.

— Andy Stone (@andymstone) August 11, 2022

So what should users do? For one thing, perhaps be conscious about the links you open and more importantly, avoid opening links via in-app browsers. Most apps will have an “open in browser” or some similar option. Else, you can disable opening links inside a certain app entirely. Unfortunately, you can’t do that with TikTok, yet.

Either way, the last thing the world needs is more data harvesting and privacy violations from apps and services millions, if not billions of citizens use around the world. One only needs to look at the history of horror stories like Cambridge Analytica to understand how far this type of violation can go. Here’s hoping the worst doesn’t come to light.