"Beware of in-app browsers" is a good general rule of thumb for any privacy-conscious mobile app user, given the possibility that an app might leverage its hold on user attention to snoop on what you're looking at through browser software it also controls. However, independent privacy research by developer Felix Krause has raised specific concerns about the behavior of TikTok's in-app browser: he found that the social network's iOS app was injecting code that might allow it to track all keyboard inputs and presses. Keylogging, a.k.a.
Every keystroke (text input) on external websites that is rendered inside the TikTok app is subscribed to by TikTok iOS. Passwords, credit card numbers, and other sensitive user data may be included in this, Krause cautions in a blog post outlining the research results. We are unable to know how TikTok uses the subscription, but from a technical standpoint, this is comparable to keylogging third-party websites. [His emphasis]
According to Krause's brief comparative analysis of a number of major apps, TikTok appears to be at the top for concerning behaviors vis-à-vis in-app browsers, both because of the breadth of inputs it has been identified subscribing to and because it does not give users the option to open web links in a default mobile browser rather than its own in-app browser. The latter means there is no way to prevent TikTok's tracking code from loading if you use its app to view links; the only way to avoid this privacy risk is to leave its app completely and load the link directly in a mobile browser (and if you can't copy-paste it, you'll need to enter the link's URL manually).
Krause is careful to note that just because he has discovered TikTok is subscribing to every keystroke a user makes on external websites viewed inside of its in-app browser does not necessarily mean it is doing “anything malicious” with the access — as he points out there’s no way for outsiders to know the full details on what kind of data is being collected, how or if it is being transferred, or whether it is being used. However, it is obvious that the conduct itself poses concerns and privacy hazards for TikTok users.
Regarding the tracking code it inserts into third-party websites, we contacted TikTok. If they respond, we’ll update this report.
Update: A company spokesperson has now sent this statement:
TikTok argues that the "keydown" input identified by Krause is a common input, claiming it is incorrect to make assumptions about its use based only on the code highlighted by the research.
To support this, the spokesperson pointed to some non-TikTok-specific code on GitHub that they suggest would trigger the very same response cited by the research as evidence of improper data collection, but which is instead used to trigger a command known as "stop listening", which they say would specifically prevent an app from capturing what is typed.
The TikTok spokesperson also told us that it does not offer an option to avoid the in-app browser because doing so would require directing users outside the app, which they say would make for a clunky, less slick experience.
They also repeated TikTok's previous public denial that it engages in keystroke logging (i.e. capturing content), but suggested it could use keystroke information to detect unusual patterns or rhythms, such as every letter being typed at exactly 1 key per second, to help protect against fake logins, spam-like comments, or other behaviors that can threaten the integrity of the platform.
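To make the distinction between timing analysis and content capture concrete, here is an added example (not TikTok's code and not from Krause's research) of a keydown handler that stores only event timestamps and flags a perfectly even typing rhythm. The names `createRhythmMonitor` and `replay`, the thresholds, and the sample timestamps are all constructed for illustration.

```javascript
// Timing-only rhythm check: the handler keeps event.timeStamp and never
// reads event.key or event.code, so no typed content is retained.
// Thresholds (minKeys, maxCv) are illustrative assumptions.
function createRhythmMonitor({ minKeys = 8, maxCv = 0.05 } = {}) {
  const stamps = [];
  return {
    // In a page: document.addEventListener('keydown', monitor.onKeydown)
    onKeydown(event) {
      stamps.push(event.timeStamp);
    },
    report() {
      if (stamps.length < minKeys) {
        return { verdict: 'insufficient-data', count: stamps.length };
      }
      const gaps = [];
      for (let i = 1; i < stamps.length; i++) gaps.push(stamps[i] - stamps[i - 1]);
      const mean = gaps.reduce((a, g) => a + g, 0) / gaps.length;
      const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
      // Coefficient of variation: near 0 means metronome-like typing.
      const cv = mean > 0 ? Math.sqrt(variance) / mean : 0;
      return {
        verdict: cv <= maxCv ? 'machine-like' : 'human-like',
        meanGapMs: mean,
        cv,
        count: stamps.length,
      };
    },
  };
}

// Constructed sample data (milliseconds): exactly 1 key per second vs. uneven typing.
const SCRIPTED = [0, 1000, 2000, 3000, 4000, 5000, 6000, 7000, 8000, 9000];
const HUMAN = [0, 180, 310, 620, 700, 1150, 1290, 1480, 2100, 2230];

// Replays timestamps as fake keydown events whose `key` getter throws,
// so any attempt by the handler to read the typed character would fail loudly.
function replay(timestamps) {
  const monitor = createRhythmMonitor();
  for (const t of timestamps) {
    const event = { timeStamp: t };
    Object.defineProperty(event, 'key', {
      get() { throw new Error('handler read key content'); },
    });
    monitor.onKeydown(event);
  }
  return monitor.report();
}

console.log(replay(SCRIPTED), replay(HUMAN));
```

A handler limited to timestamps in this way is enough for the rhythm check described, whereas a handler that reads `event.key` can reconstruct what was typed; from outside the app, the listener subscription alone does not show which of the two is happening.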
The TikTok spokesperson went on to suggest that the level of data collection involved is similar to other apps that also gather information about what users are looking for in the app in order to recommend relevant content and personalize services.
They confirmed that users who browse web content inside its app are tracked for similar personalization, such as choosing relevant videos to display in their For You feed. TikTok may also collect data about user activity elsewhere, on advertisers' apps and websites, when those third-party companies choose to share such data, they further noted.
Meta's Instagram, Facebook and FB Messenger apps were also found by Krause to modify third-party sites loaded through their in-app browsers, with "potentially dangerous" commands, as he put it, and we have also approached the tech giant for a response to the findings.
Privacy and data protection are regulated in the European Union by laws including the General Data Protection Regulation (GDPR) and the ePrivacy Directive, so any tracking of users in the region that lacks a proper legal basis could lead to regulatory sanctions.
Both social media giants have faced various EU procedures, investigations and enforcement actions around privacy, data and consumer protection issues in recent years, with a number of investigations ongoing and some major decisions looming.