



According to new research by software engineer Felix Krause, TikTok's iOS app has the ability to track every tap on the screen, such as entering a password or clicking a link, while a user browses websites inside the app.

In-app browsing refers to activity on third-party sites that open within the app rather than in an external window.

On Thursday, Krause released a report examining the JavaScript code that social media platforms inject into third-party sites, allowing them to track user activity.

Krause's security tool, InAppBrowser.com, revealed that the TikTok iOS app injects JavaScript that gives it the ability to monitor all keystrokes, text inputs and screen taps. This may include sensitive personal data such as credit card numbers and passwords.

However, Krause said that just because an app injects JavaScript into an external website does not mean the app is doing something malicious.

There is no way to know the full details of what data each in-app browser collects or how it is transferred or used.

When you open a website from within the TikTok iOS app, TikTok inserts code that can monitor all keyboard input (which may include credit card details, passwords, or other sensitive information).

TikTok also has code that monitors all taps, including button and link clicks.

— Felix Krause (@KrauseFx) August 18, 2022
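The mechanism Krause describes has two sides a practitioner may want to see concretely: the listeners an app can inject into a third-party page to forward keystrokes and taps to its native side, and the page-side check that reveals such subscriptions. The following is an added illustration written for this page; it is not code from the article, from TikTok, or from the InAppBrowser.com tool. Node's built-in EventTarget and Event stand in for the DOM so it runs without a browser, the native bridge is modelled on the shape of a WKWebView message handler, and every function, event class and selector name below is a hypothetical stand-in.

```javascript
// Added illustration, not code from the article, from TikTok or from
// Krause's InAppBrowser.com tool. It simulates the two sides the article
// describes: JavaScript an app could inject into a third-party page to
// forward keystrokes and taps to its native side, and a page-side audit that
// records which event types were subscribed to after the page's own scripts
// ran. Node's EventTarget and Event stand in for the DOM. All names are
// hypothetical.

// Minimal events carrying the fields an injected listener would read.
class KeyEvent extends Event {
  constructor(type, key) { super(type); this.key = key; }
}
class TapEvent extends Event {
  constructor(type, selector) { super(type); this.selector = selector; }
}

// Stand-in for a native message handler such as
// window.webkit.messageHandlers.<name>.postMessage in a WKWebView.
function makeNativeBridge() {
  const received = [];
  return { received, postMessage: (msg) => received.push(msg) };
}

// The pattern the article describes: document-level listeners that forward
// every keystroke and tap to the native app. Whether a given app forwards
// the values or only counts events is exactly what the page cannot tell.
function injectTelemetry(doc, bridge) {
  doc.addEventListener('keydown', (e) => bridge.postMessage({ kind: 'key', key: e.key }));
  doc.addEventListener('input', (e) => bridge.postMessage({ kind: 'input', value: e.value }));
  doc.addEventListener('click', (e) => bridge.postMessage({ kind: 'tap', target: e.selector }));
}

// Page-side audit: wrap addEventListener before any injected script runs so
// every later registration is logged. A real page would run this as its
// first inline script and also snapshot document.scripts and
// window.webkit?.messageHandlers to see what the host app exposed.
function installListenerAudit() {
  const log = [];
  const original = EventTarget.prototype.addEventListener;
  EventTarget.prototype.addEventListener = function (type, listener, options) {
    log.push(type);
    return original.call(this, type, listener, options);
  };
  return { log, uninstall: () => { EventTarget.prototype.addEventListener = original; } };
}

// Event types whose capture at document level reveals typed text or taps.
const SENSITIVE_EVENT_TYPES = new Set([
  'keydown', 'keyup', 'keypress', 'input', 'beforeinput',
  'click', 'touchstart', 'touchend', 'pointerdown',
]);

function flagSensitiveSubscriptions(log) {
  return log.filter((type) => SENSITIVE_EVENT_TYPES.has(type));
}

// Run both sides against constructed user activity: typing a password,
// then tapping the login button.
function runSimulation() {
  const audit = installListenerAudit();
  const doc = new EventTarget();          // stands in for window.document
  const bridge = makeNativeBridge();
  injectTelemetry(doc, bridge);           // the in-app browser's injection step
  audit.uninstall();

  for (const ch of 'hunter2') doc.dispatchEvent(new KeyEvent('keydown', ch));
  doc.dispatchEvent(new TapEvent('click', '#login-button'));

  return {
    subscribed: flagSensitiveSubscriptions(audit.log),
    leakedKeys: bridge.received.filter((m) => m.kind === 'key').map((m) => m.key).join(''),
    taps: bridge.received.filter((m) => m.kind === 'tap').map((m) => m.target),
  };
}

console.log(runSimulation());
```

The audit only sees registrations made through addEventListener on targets the page controls; an injected script could just as well poll input values or use inline handlers, which is why a listener log is evidence of capability rather than proof of what is transmitted, matching the caveat Krause himself gives.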

Priyadarsi Nanda, from the Department of Electrical and Data Engineering, University of Technology, Sydney, said collecting information about keystrokes is very similar to how keyloggers, a type of malware, work.

No matter what website you visit, it requires input, he said. This is definitely a concern for untrusted apps.

A TikTok spokesperson told Guardian Australia that the report’s conclusions about TikTok were incorrect and misleading.

The researcher specifically said that the JavaScript code does not mean our app is doing anything malicious, and acknowledged that they have no way of knowing what kind of data the in-app browser collects, a spokesperson said.

Contrary to what the report claims, we do not collect any keystrokes or text input via this code. It is used only for debugging, troubleshooting, and performance monitoring.

Besides TikTok, Krause evaluated the iOS apps of Instagram, Facebook, Facebook Messenger, Amazon, Snapchat and Robinhood. TikTok was the only app found not to offer users the option of switching from in-app browsing to an external browser when visiting third-party sites.

According to Uri Gal, a professor of business information systems at the University of Sydney, TikTok had the most extensive monitoring capabilities.

Many people using apps are unaware of the surveillance that takes place within them, he said. TikTok's user base is much younger than Facebook's and Instagram's, making it more vulnerable.

Gal said TikTok poses a different kind of risk because its parent company, ByteDance, is suspected of having ties to the Chinese Communist Party.

Surveillance functions can be used to collect as much information as possible for the purposes of industrial espionage, allowing them to shape public opinion more in their favor.

A report released in July by Internet 2.0, an Australian-US cybersecurity firm, warned that the app could be used by the Chinese government to collect personal information, from in-app messages to device location.

ByteDance has previously denied ties to the Chinese government and called such claims misinformation, after various leaks suggested it censors material that is inconsistent with China's foreign policy objectives or refers to the country's human rights record.

According to Krause's research, Instagram also has the ability to track screen taps, such as when a user clicks on an image.

Using in-app browsers, such as how Instagram and TikTok display all external websites within the app, poses data privacy and integrity issues, Krause wrote in the report.

According to Gal, the practices of Instagram and Facebook are almost as extensive as TikTok's.

Their primary motivations are almost purely commercial and financial, but TikTok has an element of national security that doesn't seem directly present for the others.

A spokesperson for Instagram’s parent company Meta said in-app web browsers are common across the industry.

Meta uses an in-app browser for a safe, convenient and reliable experience, for example to ensure that autofill works properly or to prevent people from being redirected to malicious sites.

Adding these kinds of functionality requires additional code. These experiences are carefully designed to respect your privacy choices, including how your data is used for advertising.

In a TikTok statement included in Krause's report, spokesperson Maureen Shanahan said:

Nanda said the social media platform does not disclose how much personal data remains with the company or whether it is shared with third parties.

That information can be passed on to third-party service providers, Nanda said, which could help launch sophisticated attacks of any nature, including hacks that steal data such as credit card information and malware attacks that steal or lock files. That's the real risk, he said.

