TikTok’s in-app browser could be keylogging, privacy analysis warns

‘Beware in-app browsers’ is a good rule of thumb for any privacy conscious mobile app user — given the potential for an app to leverage its hold on user attention to snoop on what you’re looking at via browser software it also controls. But eyebrows are being raised over the behavior of TikTok’s in-app browser […]

TikTok’s in-app browser could be keylogging, privacy analysis warns

‘Beware in-app browsers’ is a good rule of thumb for any privacy conscious mobile app user — given the potential for an app to leverage its hold on user attention to snoop on what you’re looking at via browser software it also controls. But eyebrows are being raised over the behavior of TikTok’s in-app browser after independent privacy research by developer Felix Krause found the social network’s iOS app injecting code that could enable it to monitor all keyboard inputs and taps. Aka, keylogging.

“TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app. This can include passwords, credit card information and other sensitive user data,” warns Krause in a blog post detailing the findings. “We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites.” [emphasis his]

After publishing a report last week — focused on the potential for Meta’s Facebook and Instagram iOS apps to track users of their in-app browsers — Krause followed up by launching a tool, called InAppBrowser.com, that lets mobile app users get details of code that’s being injected by in-app browsers by listing JavaScript commands executed by the app as it renders the page. (NB: He warns the tool does not necessarily list all JavaScript commands executed nor can it pick up tracking an app might be doing using native code — so at best it’s offering a glimpse of potentially sketchy activities.)

Krause has used the tool to produce a brief, comparative analysis of a number of major apps which appears to put TikTok at the top for concerning behaviors vis-a-vis in-app browsers — on account of the scope of inputs it’s been identified subscribing to; and the fact it does not offer users an option to use a default mobile browser (i.e. rather than its own in-app browser) to open web links. The latter means there’s no way to avoid TikTok’s tracking code from being loaded if you use its app to view links — the only option to avoid this privacy risk is to cut out of its app altogether and use a mobile browser to directly load the link (and if you can’t copy-paste it you’ll have to be able to remember the URL to do that).

Krause is careful to point out that just because he has found TikTok is subscribing to every keystroke a user makes on third party sites viewed inside its in-app browser does not necessarily mean it’s doing “anything malicious” with the access — as he notes there’s no way for outsiders to know the full details on what kind of data is being collected or how or if it’s being transferred or used. But, clearly, the behavior itself raises questions and privacy risks for TikTok users. 

We reached out to TikTok about the tracking code it’s injecting into third party sites and will update this report with any response.

Meta-owned apps Instagram, Facebook and FB Messenger, were also found by Krause to be modifying third party sites loaded via their in-app browsers — with “potentially dangerous” commands, as he puts it — and we’ve also approached the tech giant for a response to the findings.

Privacy and data protection are regulated in the European Union, by laws including the General Data Protection Regulation and the ePrivacy Directive, so any tracking being undertaken of users in the region that lacks a proper legal base could lead to regulatory sanction.

Both social media giants have already been subject to a variety of EU procedures, investigations and enforcements around privacy, data and consumer protection concerns in recent years — with a number of probes ongoing and some major decisions looming.

Krause warns that public scrutiny of in-app browser JavaScript tracking code injections on iOS is likely to encourage bad actors to upgrade their software to make such code undetectable to external researchers — by running their JavaScript code in the “context of a specified frame and content world” (aka WKContentWorld), which Apple has provided since iOS 14.3; introducing the provision as an anti-fingerprinting measure and so website operators can’t interfere with the JavaScript code of browser plugins (but the tech is evidently a double-edge sword in the context of tracking obfuscation) — arguing it’s thus “more important than ever to find a solution to end the use of custom in-app browsers for showing third party content”.

Despite some concerning behaviors being identified in mobile apps running on iOS, Apple’s platform is typically touted as more privacy safe than the Google-flavored mobile OS alternative, Android — and it’s worth noting that apps which follow Apple’s recommendation of using Safari (or SFSafariViewController) for viewing external websites were found by Krause to be “on the safe side” — including Gmail, Twitter, WhatsApp and many others — as he says Cupertino’s recommended method means there’s no way for apps to inject any code onto websites, including by deploying the aforementioned isolated JavaScript system (which might otherwise be used to obfuscate tracking code).