‘Beware in-app browsers’ is a good rule of thumb for any privacy conscious mobile app user — given the potential for an app to leverage its hold on user attention to snoop on what you’re looking at via browser software it also controls. But eyebrows are being raised over the behavior of TikTok’s in-app browser after independent privacy research by developer Felix Krause found the social network’s iOS app injecting code that could enable it to monitor all keyboard inputs and taps. Aka, keylogging.
“TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app. This can include passwords, credit card information and other sensitive user data,” warns Krause in a blog post detailing the findings. “We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites.” [emphasis his]
Krause has used the tool to produce a brief, comparative analysis of a number of major apps which appears to put TikTok at the top for concerning behaviors vis-a-vis in-app browsers — on account of the scope of inputs it’s been identified subscribing to; and the fact it does not offer users an option to use a default mobile browser (i.e. rather than its own in-app browser) to open web links. The latter means there’s no way to avoid TikTok’s tracking code from being loaded if you use its app to view links — the only option to avoid this privacy risk is to cut out of its app altogether and use a mobile browser to directly load the link (and if you can’t copy-paste it you’ll have to be able to remember the URL to do that).
Krause is careful to point out that just because he has found TikTok is subscribing to every keystroke a user makes on third party sites viewed inside its in-app browser does not necessarily mean it’s doing “anything malicious” with the access — as he notes there’s no way for outsiders to know the full details on what kind of data is being collected or how or if it’s being transferred or used. But, clearly, the behavior itself raises questions and privacy risks for TikTok users.
We reached out to TikTok about the tracking code it’s injecting into third party sites and will update this report with any response.
Meta-owned apps Instagram, Facebook and FB Messenger, were also found by Krause to be modifying third party sites loaded via their in-app browsers — with “potentially dangerous” commands, as he puts it — and we’ve also approached the tech giant for a response to the findings.
Privacy and data protection are regulated in the European Union, by laws including the General Data Protection Regulation and the ePrivacy Directive, so any tracking being undertaken of users in the region that lacks a proper legal base could lead to regulatory sanction.
Both social media giants have already been subject to a variety of EU procedures, investigations and enforcements around privacy, data and consumer protection concerns in recent years — with a number of probes ongoing and some major decisions looming.