Security researcher Felix Krause says TikTok, alongside apps from Meta Platforms, can modify the code of websites loaded via in-app browsers
A new analysis revealed that some popular apps can track user data when people browse websites in their in-app browsers.
TikTok’s behavior was especially concerning, according to security researcher Felix Krause, who claims the short-form video platform’s iOS app contains code that allows it to monitor all keystrokes and taps on the screen, including text inputs like passwords and credit card information.
“TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app,” wrote Krause in a blog post published on August 18. “We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites.”
This was supposedly revealed when Krause analyzed the code behind the apps of popular platforms.
As previously mentioned, TikTok’s behavior was supposedly the most concerning due to the scope of the input it tracks and the lack of an option for users to use their default browsers. This means there’s no way users can avoid tracking if they want to open a link in the app, except by copying the link itself and pasting it into another browser or, if that is not possible, manually typing the URL.
Krause does, however, point out that this doesn’t necessarily mean TikTok is doing “anything malicious” with the data it collects and has access to. Still, the behavior itself does raise some questions about the privacy of the platform’s users.
A TikTok spokesperson said the platform isn’t engaging in any wrongdoing, telling TechCrunch that Krause’s conclusions are “incorrect and misleading,” while confirming those features do exist in the code.
The spokesperson added that the option to use a different browser is not available because it would require directing users out of the app, which the company thinks compromises the experience.
TikTok also suggested that its data-collection practices are no different from those of other platforms, focusing mainly on what users search and view on the app to suggest relevant content for them. The company did concede that users browsing the web on the platform are being tracked but only for personalization purposes.
Krause says Meta’s platforms, namely Facebook, Instagram, and Messenger, are all similarly modifying the code of websites loaded via the in-app browsers.
Despite these findings, the researcher did reassure iOS users that Apple’s software is still safer than Android when it comes to privacy. He notes apps like Twitter, YouTube, Gmail, Reddit, and WhatsApp, among others, follow the iPhone maker’s recommendation of using either Safari or the system’s default browser for opening external websites. – Rappler.com