An independent cybersecurity researcher has warned that the Chinese short-form video app, TikTok reportedly injects JavaScript code into any and all links opened through its custom in-app browser on iOS, which can track all keystrokes on a webpage.
The researcher, Felix Krause, founder of the app-testing company Fastlane that was Google acquired five years ago, who discovered the findings said when the user opens any link on the TikTok iOS app, it is opened inside their in-app browser.
“While you are interacting with the website, TikTok subscribes to all keyboard inputs (including passwords, credit card information, etc.) and every tap on the screen, like which buttons and links you click,” warns Krause in a blog post detailing the findings.
TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites, which are rendered inside the social media app, he added. This can include passwords, credit card information, and other sensitive user data (keypress and keydown).
From a technical perspective, this is the equivalent of installing a keylogger on third party websites, Krause said.
“This was an active choice the company made. This is a non-trivial engineering task. This does not happen by mistake or randomly,” he added.
TikTok iOS subscribes to every tap on any button, link, image, or other components on websites rendered inside the TikTok app. It uses a JavaScript function to get details about the element the user clicked on, like an image (document.elementFromPoint).
Krause, however, carefully points out that just because he has discovered that TikTok is subscribing to every keystroke a user makes on third party sites viewed inside its in-app browser, it does not necessarily mean it is doing “anything malicious” with the access – as he was unable to determine whether or not keystrokes were being actively tracked by TikTok and whether or not the data was being sent to TikTok.
In order to avoid potential tracking, the researcher recommends opening links in the platform’s default browser if possible, such as Safari on the iPhone and iPad or Chrome, if you are using an Android device.
“Whenever you open a link from any app, see if the app offers a way to open the currently shown website in your default browser,” wrote Krause. “During this analysis, every app besides TikTok offered a way to do this.”
While a TikTok spokesperson acknowledged the JavaScript code in question but declined that the company is using them on its in-app browser on the iOS app.
The spokesperson accused Krause of making “incorrect and misleading” statements about the app and added that the JavaScript code in question is used solely for debugging, troubleshooting, and performance monitoring.
“The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects,” the spokesperson said.
“Contrary to the report’s claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring.”
The company added that the code is part of a third-party software development kit, or SDK, used by its app, and includes features that TikTok doesn’t use.
Besides TikTok, Krause has also scrutinized in-app browser data collection by companies such as Meta, the owner of Instagram and Facebook. In a tweet, a spokesperson for Meta said that the company “intentionally developed this code to honor people’s App Tracking Transparency (ATT) choices on our platforms.”
