TikTok’s In-App Browser Contains Code That Follows Your Every Move


TikTok can track its users’ every tap, keyboard input, and keystroke through its iOS in-app browser.

Ex-Google engineer and privacy researcher Felix Krause published a report on Thursday revealing that when TikTok users open a website through a link in the iOS app, TikTok inserts code that can monitor much of their activity on those outside websites.

The tracking would make it possible for TikTok to capture a user’s credit card information or password.

🔥 New Post: Announcing InAppBrowser – see what JavaScript commands get injected through an in-app browser

👀 TikTok, when opening any website in their app, injects tracking code that can monitor all keystrokes, including passwords, and all taps. https://t.co/TxN1ezZX71

— Felix Krause (@KrauseFx) August 18, 2022

Krause’s security tool, InAppBrowser.com, showed that TikTok can track this activity because it injects lines of JavaScript into the websites visited through its in-app browser, creating new commands that report to TikTok what people are doing on those websites.
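Injected listeners for keystroke and tap events are what such code needs, and a site can watch for them. The following is an added example written for this article, not code from it or from Krause's InAppBrowser tool: an audit hook a site owner embeds as the first script on a page so that every later registration of a keystroke or tap listener is recorded with the origin of the script that registered it. It assumes a browser-like `EventTarget` (Node also provides one) and treats registrations from unknown origins, or with no script URL at all, as worth investigating.

```javascript
// Added example: audit which scripts attach listeners to keystroke/tap events.
// Not from the article or from InAppBrowser.com; assumes a browser-like
// EventTarget. Embed as the first script so later registrations are caught.
const SENSITIVE_EVENTS = new Set([
  'keydown', 'keyup', 'keypress', 'input', 'beforeinput',
  'click', 'touchstart', 'touchend', 'pointerdown',
]);
const auditLog = []; // one entry { type, target, origins } per registration

// Extract script origins (scheme://host) from an Error stack so the report can
// say where a listener came from. Browser stacks carry the script URL per frame.
function scriptOriginsFromStack(stack) {
  const origins = new Set();
  for (const m of String(stack).matchAll(/(https?:\/\/[^/\s):]+)/g)) {
    origins.add(m[1]);
  }
  return [...origins];
}

// Wrap addEventListener on the prototype so every sensitive registration,
// including ones made by code the host app evaluates inside the WebView,
// is logged together with the stack that registered it.
function installListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  if (original.__audited) return; // idempotent
  const audited = function (type, listener, options) {
    if (SENSITIVE_EVENTS.has(String(type))) {
      auditLog.push({
        type: String(type),
        target: (this && this.constructor && this.constructor.name) || 'unknown',
        origins: scriptOriginsFromStack(new Error().stack),
      });
    }
    return original.call(this, type, listener, options);
  };
  audited.__audited = true;
  proto.addEventListener = audited;
}

// Report: count per event type, plus registrations from an origin the page does
// not own or with no script URL at all (code evaluated directly by the host app).
function reportInjectedListeners(allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  const perType = {};
  const suspicious = [];
  for (const e of auditLog) {
    perType[e.type] = (perType[e.type] || 0) + 1;
    if (e.origins.length === 0 || e.origins.some((o) => !allowed.has(o))) {
      suspicious.push(e);
    }
  }
  return { perType, suspicious };
}
```

Sending the report to the site's own endpoint (or logging it to the console while testing in an in-app browser) shows whether a keystroke or tap observer was attached by something other than the page's own scripts.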

“This was an active choice the company made,” says Krause. “This is a non-trivial engineering task. This does not happen by mistake or randomly.”

When opening a website from within the TikTok iOS app, they inject code that can observe every keyboard input (which may include credit card details, passwords or other sensitive information).

TikTok also has code to observe all taps, like clicking on any buttons or links.

— Felix Krause (@KrauseFx) August 18, 2022

For his research, Krause tested seven iPhone apps that use in-app browsers: TikTok, Facebook, Facebook Messenger, Instagram, Snapchat, Amazon, and Robinhood. He did not test the Android versions of these apps.

Of the seven apps Krause tested, TikTok is the only one that appears to monitor keystrokes, and it appeared to monitor more activity than the rest.

While Krause’s research reveals the code that companies including TikTok and Facebook parent Meta inject into websites from their in-app browsers, it does not show that these companies actually use that code to collect data, send it to their servers, or share it with third parties.

Krause notes, though, that “just because an app injects JavaScript into external websites, doesn’t mean the app is doing anything malicious”.

“There is no way for us to know the full details on what kind of data each in-app browser collects, or how or if the data is being transferred or used,” Krause adds.

https://t.co/KwZ3dtKyQf – a new tool I used to investigate the in-app browsers of apps (that use them) to look for any external JavaScript code being injected.

— Felix Krause (@KrauseFx) August 18, 2022

In a statement shared with Forbes, TikTok spokesperson Maureen Shanahan acknowledged the JavaScript code in question. However, Shanahan strongly rebuffed the idea that TikTok tracked users in its in-app browser.

“Like other platforms, we use an in-app browser to provide an optimal user experience, but the JavaScript code in question is used only for debugging, troubleshooting, and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes,” Shanahan tells Forbes.

This ability to track users’ activity across websites is not limited to TikTok. Last week, Krause revealed that Meta, the parent company of Instagram and Facebook, has been injecting code into websites its users visit so that the company can track them across the internet after they click links in its apps.
