TikTok’s in-app browser may be doing keylogging, privacy analysis warns

Privacy claim that scares TikTok users!

“Beware of in-app browsers” is a good general rule of thumb for any privacy-conscious mobile app user, given that an app can use its control over the embedded browser to snoop on what you are looking at while it has your attention. Independent privacy research by developer Felix Krause has now raised specific concerns about TikTok’s in-app browser: he found that the social network’s iOS app injects code that could allow it to track every keyboard input and tap, a.k.a. keylogging.

TikTok iOS subscribes to every keystroke (text input) happening on third-party websites rendered inside the TikTok app. This can include passwords, credit card numbers and other sensitive user data, Krause cautions in a blog post outlining the research results. We can’t know what TikTok uses the subscription for, but from a technical perspective this is equivalent to keylogging third-party websites. [His emphasis]

Krause followed up on a report he published last week about the potential for Meta’s Facebook and Instagram iOS apps to track users of their in-app browsers by launching a tool called InAppBrowser.com, which surfaces the code an in-app browser injects into the web pages it renders by listing the JavaScript commands the app executes as the page loads. (NB: he cautions that the tool may not identify every JavaScript instruction that has been executed, and cannot detect tracking an app carries out in native code; at best it offers a glimpse of potentially questionable behaviors.)

According to Krause’s brief comparative analysis of a number of major apps, TikTok tops the list for concerning in-app browser behavior, both because of the breadth of inputs it was found subscribing to and because it gives users no option to open web links in their default mobile browser rather than its own in-app browser. The latter means there is no way to prevent TikTok’s tracking code from loading if you view links from inside its app; the only way to avoid the privacy risk is to leave the app entirely and load the link directly in a mobile browser (and if you can’t copy-paste it, you’ll have to type the URL by hand).
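To make the behavior Krause describes concrete, here is an added example (my own illustration, not code from InAppBrowser.com, Krause’s research or TikTok’s app). It hooks `EventTarget.prototype.addEventListener` so that any subscription to an input-related event is logged, then registers a constructed stand-in for an injected document-level key listener and shows what such a listener captures. The event names, the sample keystrokes and the `runDemo` harness are assumptions for the demonstration; it runs unchanged in a browser (against `document`) or in Node (against a bare `EventTarget`).

```javascript
// Added example: surface which user-input events the JavaScript in a page
// environment subscribes to. Constructed illustration; not TikTok's code and
// not the method used by InAppBrowser.com.

// Input-related event types worth flagging (assumed list for the example).
const INPUT_EVENTS = new Set(['keydown', 'keypress', 'keyup', 'input', 'beforeinput', 'paste']);

// Wraps EventTarget.prototype.addEventListener so every subscription to an
// input-related event is recorded with the listener's source text.
// Returns the log plus a restore() that removes the hook.
function installListenerMonitor() {
  const original = EventTarget.prototype.addEventListener;
  const log = [];
  EventTarget.prototype.addEventListener = function (type, listener, options) {
    if (INPUT_EVENTS.has(type)) {
      log.push({ type, snippet: String(listener).replace(/\s+/g, ' ').slice(0, 80) });
    }
    return original.call(this, type, listener, options);
  };
  return { log, restore: () => { EventTarget.prototype.addEventListener = original; } };
}

// Constructed stand-in for an injected snippet: subscribes to key events at
// the document level and buffers every key pressed, regardless of which field
// has focus. This is the behaviour the research warns about, written here only
// so the monitor has something to detect.
function simulateInjectedKeyListener(target) {
  const buffer = [];
  target.addEventListener('keydown', (e) => buffer.push(e.key));
  target.addEventListener('keypress', (e) => buffer.push(e.key));
  return buffer;
}

// Summarises the monitor log: which input events were subscribed to, and
// whether a key-event subscription (the keylogger-like signal) is present.
function summarize(log) {
  const types = [...new Set(log.map((entry) => entry.type))].sort();
  return { types, keyloggerLike: types.includes('keydown') || types.includes('keypress') };
}

// Dispatches a synthetic key event. `key` is attached as an own property so
// the same call works on Node's generic Event and in a browser.
function pressKey(target, key) {
  target.dispatchEvent(Object.assign(new Event('keydown'), { key }));
}

// Installs the monitor, lets the simulated injected listener register itself,
// then types a sample password so the capture is visible.
function runDemo() {
  const target = typeof document !== 'undefined' ? document : new EventTarget();
  const monitor = installListenerMonitor();
  const captured = simulateInjectedKeyListener(target);
  monitor.restore();
  'hunter2'.split('').forEach((k) => pressKey(target, k));
  return { seen: summarize(monitor.log), captured: captured.join('') };
}
```

The hook only sees listeners registered through the page’s own JavaScript world after it is installed. Listeners added before the hook, subscriptions made from native code, and scripts the app runs in a separate content world are invisible to it, which is the same limitation Krause notes for his tool.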

Krause is careful to note that his finding that TikTok subscribes to every keystroke a user makes on external websites viewed inside its in-app browser does not necessarily mean it is doing “anything malicious” with that access. As he points out, outsiders have no way to know exactly what data is collected, how or whether it is transmitted, or what it is used for. But the behavior itself clearly raises concerns and privacy risks for TikTok users.

We contacted TikTok about the tracking code it inserts into third-party websites and will update this report if they respond.

Update: A company spokesperson has now sent this statement:

“The report’s conclusions about TikTok are incorrect and misleading. The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects. Contrary to the report’s claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring.”

TikTok argues that the “keypress” and “keydown” inputs identified by Krause are common inputs, and claims it is not accurate to make assumptions about their use based solely on the code highlighted by the research.

To support this, the spokesperson pointed to some of the same code in non-TikTok projects on GitHub, which they suggest would trigger the exact same responses cited by the research as evidence of improper data collection, but which is instead used to trigger commands known as “stop listening”, which they say specifically prevent an app from capturing what is typed.


They further claim that the JavaScript code highlighted by the research is used solely for debugging, troubleshooting and monitoring the performance of the in-app browser in order to optimize the user experience, such as checking how quickly a page loads or whether it crashes. They also say the JavaScript in question is part of a third-party SDK the app uses, and argue that the mere presence of certain code does not mean the company makes use of it. The spokesperson additionally emphasized the distinction between permissions that allow an app to access certain categories of information on a user’s device (i.e. to “request” them) and data collection or processing as defined by App Store policy, suggesting that many elements relating to a requested information category can be analyzed locally on the device without the information itself ever being collected by TikTok.

TikTok’s spokesperson also told us the app offers no option to opt out of its in-app browser because doing so would require sending users outside the app, which they said would make for a clunky and less seamless experience.

They also repeated TikTok’s earlier public denial that it engages in keystroke logging (i.e. capturing typed content), but suggested the app could use key-event information to detect unusual patterns or rhythms, such as every letter arriving at exactly one key per second, to help protect against fake logins, spam comments and other behavior that could threaten the integrity of the platform.
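The distinction TikTok’s spokesperson draws, timing analysis of key events versus capturing what was typed, can be shown in code. The following is an added example of my own, not TikTok’s code and not a description of what its app actually does: a listener that records only timestamps, plus a cadence classifier that flags a metronomic stream such as one key per second. The event-count minimum, the coefficient-of-variation threshold and both sample timestamp sequences are constructed assumptions for the illustration.

```javascript
// Added example: rhythm-only analysis of key events. It keeps inter-key
// intervals and never reads e.key or field contents, so it can flag a bot-like
// cadence without acting as a keylogger. Constructed illustration, not
// TikTok's code; all thresholds are assumed values.

// Intervals (ms) between consecutive timestamps.
function interKeyIntervals(timestamps) {
  const out = [];
  for (let i = 1; i < timestamps.length; i++) out.push(timestamps[i] - timestamps[i - 1]);
  return out;
}

// Coefficient of variation of the intervals. Human typing is irregular
// (CV well above the threshold); scripted input at a fixed rate is close to 0.
function cadenceCV(intervals) {
  if (intervals.length < 2) return NaN;
  const mean = intervals.reduce((a, b) => a + b, 0) / intervals.length;
  const variance = intervals.reduce((a, b) => a + (b - mean) ** 2, 0) / intervals.length;
  return Math.sqrt(variance) / mean;
}

// Assumed tuning: need at least MIN_EVENTS key events, and treat a CV below
// CV_THRESHOLD as scripted.
const MIN_EVENTS = 8;
const CV_THRESHOLD = 0.05;

function classifyCadence(timestamps) {
  const intervals = interKeyIntervals(timestamps);
  if (intervals.length < MIN_EVENTS - 1) return 'insufficient';
  return cadenceCV(intervals) < CV_THRESHOLD ? 'scripted' : 'human-like';
}

// A listener that records only when a key was pressed, never which key.
// `sink` is any array; `now` is injectable so tests can supply fixed times.
function attachTimingOnlyListener(target, sink, now = Date.now) {
  target.addEventListener('keydown', () => sink.push(now()));
}

// Constructed sample data: a metronomic 1 key/s stream vs. irregular typing.
const SCRIPTED_TIMESTAMPS = Array.from({ length: 10 }, (_, i) => 1000 * i);
const HUMAN_TIMESTAMPS = [0, 140, 260, 470, 530, 810, 905, 1120, 1400, 1450];

// Feeds the listener a sequence of synthetic key events at the given times
// and returns the classification, demonstrating that nothing about the keys
// themselves needs to be retained.
function classifyKeyStream(timestamps) {
  const target = new EventTarget();
  const sink = [];
  let i = 0;
  attachTimingOnlyListener(target, sink, () => timestamps[i++]);
  timestamps.forEach(() => target.dispatchEvent(new Event('keydown')));
  return classifyCadence(sink);
}
```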


TikTok’s spokesperson went on to suggest that the level of data collection involved is similar to that of other apps, which also gather information about what users look at inside the app in order to recommend relevant content and personalize their services.

They confirmed that users who browse web content inside the app are tracked for similar personalization purposes, such as selecting relevant videos to show in their For You feed. TikTok can also collect data about users’ activity elsewhere, on advertisers’ apps and websites, when third-party companies choose to share that data, they further noted.

Meta’s Instagram, Facebook and FB Messenger apps were also found by Krause to modify third-party sites loaded through their in-app browsers, with commands he described as “potentially dangerous”, and we have also approached the tech giant for a response to the findings.

Privacy and data protection are regulated in the European Union by laws including the General Data Protection Regulation (GDPR) and the ePrivacy Directive, so any tracking carried out on users in the region without a valid legal basis could attract regulatory sanctions.

Both social media giants have faced a variety of EU procedures, investigations and enforcement actions around privacy, data and consumer protection issues in recent years, with a number of investigations still ongoing and some major decisions looming.

Update: Ireland’s Data Protection Commission, which is the lead data protection regulator for Meta and TikTok under the GDPR in Europe, told TechCrunch it had requested a meeting with Meta following media reports last week about the JavaScript issue. It also said it would be engaging with TikTok on the matter.

Krause warns that public scrutiny of JavaScript tracking code injected by in-app browsers on iOS is likely to push bad actors to refine their software so the code escapes detection by outside researchers, by running their JavaScript in an isolated “content world” (aka WKContentWorld), which Apple has provided since iOS 14.3. Apple introduced the provision as an anti-fingerprinting measure so that website operators cannot interfere with a browser plugin’s JavaScript, but the technology is clearly a double-edged sword when it comes to obscuring tracking. For that reason, he says, it is “more important than ever to find a solution to end the use of custom in-app browsers for showing third party content”.

Aside from the handful of concerning behaviors identified in mobile apps running on iOS, Apple’s platform is usually touted as more privacy-safe than Google’s Android. It should be noted that apps which follow Apple’s recommendation of using Safari (or SFSafariViewController) to display external websites were found by Krause to be “on the safe side”, including Gmail, Twitter, WhatsApp and many others, because, as he explains, Cupertino’s recommended method leaves no way for an app to inject any code into the website, including via the isolated JavaScript content world mentioned above (which could otherwise be used to hide tracking code).

Source used in the creation of this news story: https://techcrunch.com


