TikTok can track users’ screen taps when they visit other sites through its iOS app, new research reveals.
The video sharing platform runs code that enables it to observe the entry of text input, like credit card details and passwords, during ‘in-app browsing’.
This is when the user opens a third-party site within TikTok, as opposed to another browser like Safari or Google Chrome.
Software engineer Felix Krause reported his findings last week after analysing the JavaScript code social media apps run when a user opens a website link within them.
He Tweeted: ‘When opening a website from within the TikTok iOS app, they inject code that can observe every keyboard input (which may include credit card details, passwords or other sensitive information)
‘TikTok also has code to observe all taps, like clicking on any buttons or links.
In the report he added: ‘We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites.’
TikTok runs code that enables it to track users’ screen taps when they visit other sites through its iOS app, new research reveals. The video sharing platform can observe the entry of text input, like credit card details and passwords, during ‘in-app browsing’
The engineer created a security tool, InAppBrowser.com, that lists the JavaScript commands an iOS app executes when it opens the site.
It reveals that, when browsing a third party site within TikTok on an Apple device, it has the ability to monitor all keystrokes, text inputs and screen taps.
However, this does not mean the app, or its Chinese parent company ByteDance, are performing needless surveillance.
Mr Krause wrote: ‘Just because an app injects JavaScript into external websites, doesn’t mean the app is doing anything malicious.
‘There is no way for us to know the full details on what kind of data each in-app browser collects, or how or if the data is being transferred or used.
‘This publication is stating the JavaScript commands that get executed by each app, as well as describing what effect each of those commands might have.’
A TikTok spokesperson told Guardian Australia the ‘report’s conclusions about TikTok are incorrect and misleading.
‘The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects.
‘Contrary to the report’s claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring.’
Software engineer Felix Krause created a security tool, InAppBrowser.com, that lists the JavaScript commands an iOS app executes when it opens the site. It reveals that, when browsing a third party site within TikTok on an Apple device, it has the ability to monitor all keystrokes, text inputs and screen taps
A TikTok spokesperson told Guardian Australia: ‘Contrary to the report’s claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring.’
Mr Krause also tested the ability of other popular iOS apps to harvest data from users’ taps when they open a third party website.
This included Instagram, Facebook, Facebook Messenger, Amazon, Snapchat and Robinhood.
While TikTok had the most extensive surveillance capabilities, Instagram, Facebook and Facebook Messenger had a similar amount.
However, TikTok is the only app that does not offer the option to open the third-party site in the default browser while in-app browsing.
The software engineer wrote: ‘There are data privacy and integrity issues when you use in-app browsers … such as how Instagram and TikTok show all external websites inside their app,
‘Their primary motivation is almost purely commercial and financial, whereas with TikTok, there is a national security element that I don’t think is directly present with the others.’
TikTok’s app’s popularity with children as young as 12 means that its users are likely unaware of the risks of surveillance and data harvesting.
In June, Buzzfeed News reported that leaked recordings from more than 80 internal meetings reveal China-based TikTok employees have repeatedly accessed US user data.
A spokesperson for TikTok told Guardian Australia: ‘The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects’. They also tweeted from their official Twitter account to brand the report’s claims as ‘incorrect and misleading’
Instagram was also found to have the ability to track screen taps, including on images, links and text inputs, on third party websites rendered within the app.
A spokesperson for Instagram’s parent company, Meta, told Guardian Australia that ‘in-app web browsers are common across the industry’.
They said: ‘At Meta, we use in-app browsers to enable safe, convenient, and reliable experiences, such as making sure auto-fill populates properly or preventing people from being redirected to malicious sites,.
‘Adding any of these kinds of features requires additional code. We have carefully designed these experiences to respect users’ privacy choices, including how data may be used for ads.’
