TikTok has the ability to track every tap on your screen as you browse the iOS app, including passwords typed and links clicked, according to new research from software engineer Felix Krause.
In-app browsing refers to any activity on third-party sites that opens in the app rather than in an external window.
On Thursday, Krause released a report examining the JavaScript code that social media platforms inject into third-party sites, which lets them track users’ activity on those sites.
Krause’s security tool, InAppBrowser.com, revealed that the TikTok iOS app has the ability to monitor all keystrokes, text input, and screen taps, including sensitive personal information such as credit card information and passwords.
Krause noted, however, that “just because an app injects JavaScript into external websites doesn’t mean the app is doing anything malicious.”
“There’s no way we can know the full details about what kind of data each in-app browser collects, or how — or if — the data is transferred or used,” he said.
When they open a website from the TikTok iOS app, they inject code that can observe any keyboard input (including credit card details, passwords, or other sensitive information)
TikTok also has code to observe all taps, such as clicking buttons or links.
— Felix Krause (@KrauseFx) August 18, 2022
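The observers the tweet describes have to register themselves for keyboard and touch events. The following is an added example, not Krause's InAppBrowser.com tool and not code from any of the apps named here: a check a site owner can ship with their own page that records every registration of a keystroke or tap listener made after the page's scripts start, so listeners the page did not register itself stand out. It only sees registrations that happen after it is installed; a script an embedding app injects before the page's own code runs is not captured, so treat the output as a signal, not proof of absence.

```javascript
// Added example (not the original report's code): audit registrations of
// keystroke and tap event listeners so a page can see observers it did not add.
// In a browser call installListenerAudit() as early as possible; the default
// prototype, EventTarget.prototype, is the same object Node exposes.

// Event types an injected observer needs in order to see typed text or taps.
const SENSITIVE_EVENTS = new Set([
  'keydown', 'keyup', 'keypress', 'input', 'beforeinput',
  'touchstart', 'touchend', 'pointerdown', 'click',
]);

// Best-effort attribution: the stack frame that called addEventListener.
function callerFrame() {
  const frames = (new Error().stack || '').split('\n').slice(3);
  return frames.length ? frames[0].trim() : 'unknown';
}

// Wrap addEventListener on the given prototype and record every registration
// for a sensitive event type. Returns the log and an uninstall hook.
function installListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const registrations = [];
  proto.addEventListener = function auditedAddEventListener(type, listener, options) {
    if (SENSITIVE_EVENTS.has(type)) {
      const capture = options === true || !!(options && options.capture);
      registrations.push({ type, capture, source: callerFrame() });
    }
    // Always delegate so the page keeps working exactly as before.
    return original.call(this, type, listener, options);
  };
  return {
    registrations,
    uninstall() { proto.addEventListener = original; },
  };
}

// Count registrations per event type. A page that never registers a keydown
// listener itself but sees one here has something else observing its input.
function summarize(registrations) {
  const counts = {};
  for (const r of registrations) counts[r.type] = (counts[r.type] || 0) + 1;
  return counts;
}
```

Compare the summary against the listeners your own scripts are known to register; anything extra on keyboard or touch events is worth investigating.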
Priyadarsi Nanda of the University of Technology Sydney’s School of Electrical and Data Engineering said that collecting information about keystrokes is very similar to the behavior of keyloggers, a type of malware.
“Whatever website you visit, it requires your input,” he said. “This is definitely a concern for any app you don’t trust.”
A TikTok spokesperson told Guardian Australia that the report’s “conclusions on TikTok are incorrect and misleading”.
“The researcher specifically says that the JavaScript code doesn’t mean our app is doing anything malicious, and admits they have no way of knowing what kind of data our in-app browser collects,” the spokesperson said.
“Contrary to what the report claims, we do not collect keystrokes or text input via this code, which is used solely for debugging, troubleshooting, and performance monitoring.”
In addition to TikTok, Krause reviewed the iOS apps from Instagram, Facebook, Facebook Messenger, Amazon, Snapchat, and Robinhood. TikTok was the only app that did not allow users to switch from in-app browsing to an external browser when accessing third-party sites.
“TikTok had the most comprehensive surveillance capabilities,” said Uri Gal, a professor of business information systems at the University of Sydney.
“Many people using the app are not aware of the surveillance being carried out on them within [it]. TikTok’s user base is much younger than Facebook and Instagram…which makes them much more vulnerable.”
Gal said TikTok poses “a different kind of risk” because of parent company ByteDance’s suspected ties to the Chinese Communist Party.
The surveillance functionality can be used to “gather as much information as possible for industrial espionage purposes and to shape public opinion more toward their interests,” he said.
A report released in July by Australian-American cybersecurity firm Internet 2.0 warned that the Chinese government could use the app to collect personal information, from in-app messages to device locations.
ByteDance has denied any affiliation with the Chinese government in the past, calling the claim “misinformation” after several leaks suggested it is censoring material that is inconsistent with China’s foreign policy objectives or mentions the country’s human rights record.
Krause’s research found that Instagram also has the ability to track screen taps, such as when users click on an image.
“There are data privacy and integrity issues when using in-app browsers…like how Instagram and TikTok show all external websites in their app,” Krause wrote in the report.
Gal said Instagram and Facebook’s practices are almost as extensive as TikTok’s.
“Their primary motivation is almost purely commercial and financial, while there is a national security element to TikTok that I don’t think is directly present with the others.”
A spokesperson for Instagram’s parent company, Meta, said “in-app web browsers are common across the industry.”
“At Meta, we use in-app browsers to enable safe, convenient and reliable experiences, such as ensuring that autocomplete is completed correctly or preventing people from being redirected to malicious sites,” the spokesperson said.
“Adding any of these functions requires additional code. We carefully designed these experiences to respect users’ privacy choices, including how data might be used for advertising.”
In a statement from TikTok included in Krause’s report, spokesperson Maureen Shanahan said, “Like other platforms, we use an in-app browser to provide an optimal user experience. … like checking how fast a page loads or if it crashes.”
Nanda said the social media platforms do not disclose how much personal data stays with the company and whether it is shared with third parties.
“They can pass that information on to third-party service providers, which is essential for launching sophisticated attacks of any kind,” Nanda said, pointing to hacks that steal data, such as credit card information, and malware attacks that freeze computers or lock files. “That’s the real risk.”