TikTok’s in-app browser can monitor your keystrokes, including passwords and credit cards, researcher says

Have you ever clicked open a link while scrolling through an app on mobile?

New research has revealed some of the data popular apps can track and collect when using in-app browsers.

Software engineer and security researcher Felix Krause evaluated what code is injected into a website to collect user activity when opened through an app.

This includes any ads or links clicked through a creator’s profile.

For example, any link clicked through TikTok will open in the app using the platform’s in-app browser rather than a default browser like Chrome or Safari.

TikTok’s embedded JavaScript code allows the company to monitor all keystrokes – the equivalent of a keylogger – as well as every screen tap and text entry, including passwords and credit card information.

“Installing a keylogger is obviously a huge thing…according to TikTok, it’s disabled at the moment,” Krause said.

“The problem is that they have the infrastructure and the systems in place to be able to track all these keystrokes…that in itself is a huge problem.

“The fact that they already have this system is a huge risk for every user.”

The Vienna-based researcher is the founder of Fastlane, an Android and iOS app testing platform, acquired by Google five years ago.

He’s been studying the risks of in-app browsers for several years, but increased use by big tech companies has prompted him to look at the code behind each platform.

On Thursday, he released a report on his findings after creating a security tool, InAppBrowser.com, so anyone can see which apps may be tracking when using their built-in browsers.

It can recognize what apps like TikTok, Instagram, and Meta can track, but it can’t tell us what data each app chooses to collect, transfer, or use.

TikTok injects a tracking code that can monitor all keystrokes. (Felix Krause)

Although InAppBrowser.com finds commands embedded in code, the full extent of what apps implement on third-party websites is unknown, in part because an iOS 14.3 update in December 2020 allowed certain JavaScript commands to be injected in a way that cannot be detected.
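The detection approach the article describes, a page that watches what the surrounding JavaScript does, can be illustrated from the defender's side. The following is an added example, not code from the article or from Felix Krause's InAppBrowser.com: it hooks `EventTarget.prototype.addEventListener` so that any script that later subscribes to keystroke or tap events on the page is recorded, together with a hint about the call site. All names in it (`installListenerAudit`, `SENSITIVE_EVENTS`, `demo`) are this example's own; it runs unchanged in a browser and in Node 15 or later, where `EventTarget` and `Event` are global.

```javascript
'use strict';

// Event types whose listeners can observe what a user types, taps or pastes.
// A page that only wants analytics has no reason to subscribe to most of these.
const SENSITIVE_EVENTS = new Set([
  'keydown', 'keyup', 'keypress', 'input', 'beforeinput', 'change',
  'touchstart', 'touchend', 'click', 'paste',
]);

/**
 * Wrap addEventListener on the given prototype (default: EventTarget.prototype,
 * which window, document and every element inherit from) so that each
 * registration is logged with its event type, a flag for sensitive types and
 * the call site taken from a synthetic stack trace. Returns an audit object
 * with report() and uninstall().
 */
function installListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const log = [];

  proto.addEventListener = function auditedAddEventListener(type, listener, options) {
    // Frame [0] is "Error", [1] is this wrapper, [2] is the code that called
    // addEventListener. The format is engine-dependent, so treat it as a hint.
    const stack = (new Error().stack || '').split('\n');
    log.push({
      type: String(type),
      sensitive: SENSITIVE_EVENTS.has(String(type)),
      callSite: (stack[2] || '').trim(),
      target: this,
    });
    // Always pass the call through so the page keeps working normally.
    return original.call(this, type, listener, options);
  };

  return {
    log,
    // Only registrations for sensitive event types are reported.
    report() {
      return log
        .filter((entry) => entry.sensitive)
        .map(({ type, callSite }) => ({ type, callSite }));
    },
    uninstall() {
      proto.addEventListener = original;
    },
  };
}

/**
 * Constructed demonstration: a stand-in for script injected into the page
 * subscribes to keyboard input and to a harmless event. Only the keystroke
 * subscription appears in the returned report.
 */
function demo() {
  const audit = installListenerAudit();
  try {
    const page = new EventTarget(); // stands in for document in a browser
    page.addEventListener('keydown', () => {});
    page.addEventListener('resize', () => {});
    return audit.report(); // [{ type: 'keydown', callSite: '...' }]
  } finally {
    audit.uninstall();
  }
}

// Print the report when run directly with node; in a browser, call demo() or
// install the audit early in the page and read audit.report() later.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The hook has to be installed before any other script runs on the page, and it only sees code that shares the page's JavaScript environment. That is the limitation the article points at: script that an app injects into an isolated JavaScript world (the capability the article associates with the iOS 14.3 change) does not use the page's prototypes, so a check of this kind cannot observe it, and code that sets `onkeydown`-style handler properties instead of calling `addEventListener` is likewise not recorded.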

The JavaScript security risk doesn’t stop at TikTok.

Another app Mr. Krause investigated was Instagram, which was found to be able to observe every tap on the screen, including clicks on images.

Bruce Davie, leading computer scientist and co-founder of Systems Approach, said the behavior of apps of this nature is undermining user confidence in e-commerce.

“It’s alarming how much information can be tracked that people aren’t aware of, potentially including any user interaction with a website,” Davie said.

“The issue appears to be widespread, with tracking code seen in apps from Facebook and Instagram as well as TikTok.”

TikTok confirmed the existence of the code and claimed that it does not collect user data using the injected code.

“We do not collect keystrokes or text input through this code, which is only used for debugging, troubleshooting, and performance monitoring,” a TikTok spokesperson said.

There is no way to verify whether the data is collected or used.

According to a spokesperson, collecting personal data would violate TikTok’s privacy policy, which allows browsing history to be collected in the in-app browser to improve user experience.

Mr Krause said apps in their early days used this data to find errors and debug before scaling and later removing functionality, which TikTok failed to do.

“Those [data tracking abilities] should not end up in the final version of the app that has been used by millions of people,” Krause said.

“It’s not something that happens by mistake…especially in a company of this size.”

What is their motivation?

Injecting the code does not mean that user data is stored or used maliciously, but the deliberate act of including it is concerning.

“While we can only guess at the motivations of the companies involved, we do know that they use tracking to drive ad targeting and to increase user engagement on their platforms,” Davie said.

How can I protect myself when browsing in-app links?

Most in-app browsers offer an option to open the link in the user's preferred external browser; the same can be achieved by copying the link and pasting it into that browser.

TikTok does not offer a button to open websites in a default browser.

A TikTok spokesperson said if users were directed away from the app when clicking on links, it would create a clunky and diminished experience.

Should you download TikTok or Facebook on your phone?

Chris Marsden, a Monash University professor and specialist in artificial intelligence and technology law, said “we should all be concerned about cybersecurity”, but smartphone indoctrination has left everyday users perplexed.

“Especially today, any iPhone user should be more concerned about downloading an Apple iOS update to patch a critical security exploit,” Marsden said.

“The commercial use of smartphone user data is currently so unregulated that the real question is, should you have a smartphone?

“As individuals, we cannot understand the security and privacy risks.

“The ACCC now conducts six monthly reviews of competition and consumer issues for the Treasurer on these applications.”

Does TikTok pose a greater risk to users than other apps?

TikTok has a unique concern as the only app, out of the seven analyzed, with the ability to track all keyboard input without allowing users to open links in a default browser such as Safari or Chrome.

InAppBrowser.com, a new tool created by Felix Krause to investigate in-app browsers. Source: Felix Krause

The seven apps analyzed for tracking of user data were TikTok, Instagram, Facebook Messenger, Facebook, Amazon, Snapchat and Robinhood. (Felix Krause)

Should the government protect our digital privacy from tech companies?

“The default overall responsibility for verifying that apps comply with any regulations rests with Google and Apple,” Marsden said.

“The police can interact with these giant companies and ask them to remove apps from the store.”

In 2019, Apple removed an app that helped Hong Kong protesters track riot police citing it violated rules because it was used to ambush law enforcement.

Can we fix TikTok?

“For me, the big surprise is that when I browse a website from the app, I get a very different level of tracking than I would get if I browsed there through my normal browser [such as Safari],” said Mr. Davie.

A simple solution to security risks would be to allow TikTok users to open in-app links on their preferred browser.

This would let users benefit from the privacy settings they have already configured in Safari or Chrome, such as ad-blocker and password-manager extensions.

Lance B. Holton