‘Beware in-app browsers’ is a good rule of thumb for any privacy conscious mobile app user — given the potential for an app to leverage its hold on user attention to snoop on what you’re looking at via browser software it also controls. But eyebrows are being raised over the behavior of TikTok’s in-app browser after independent privacy research by developer Felix Krause found the social network’s iOS app injecting code that could enable it to monitor all keyboard inputs and taps. Aka, keylogging.
“TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app. This can include passwords, credit card information and other sensitive user data,” warns Krause in a blog post detailing the findings. “We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites.” [emphasis his]
Krause has used the tool to produce a brief, comparative analysis of a number of major apps which appears to put TikTok at the top for concerning behaviors vis-a-vis in-app browsers — on account of the scope of inputs it’s been identified subscribing to; and the fact it does not offer users an option to use a default mobile browser (i.e. rather than its own in-app browser) to open web links. The latter means there’s no way to avoid TikTok’s tracking code from being loaded if you use its app to view links — the only option to avoid this privacy risk is to cut out of its app altogether and use a mobile browser to directly load the link (and if you can’t copy-paste it you’ll have to be able to remember the URL to do that).
Krause is careful to point out that just because he has found TikTok is subscribing to every keystroke a user makes on third party sites viewed inside its in-app browser does not necessarily mean it’s doing “anything malicious” with the access — as he notes there’s no way for outsiders to know the full details on what kind of data is being collected or how or if it’s being transferred or used. But, clearly, the behavior itself raises questions and privacy risks for TikTok users.
We reached out to TikTok about the tracking code it’s injecting into third party sites and will update this report with any response.
Update: A company spokesperson has now sent this statement:
TikTok argues that the “keypress” and “keydown” inputs identified by Krause are common inputs — claiming it is incorrect to make the assumptions about their use based only on the code being highlighted by the research.
To back this up the spokesperson pointed to some non-TikTok same code from Github which they suggested would trigger exactly the same response being cited by the research as evidence of improper data collection but is rather being used to a trigger a command known as ‘StopListening’ that they said would specifically prevent an application capturing what is typed.
TikTok’s spokesperson also told us it does not offer users an option not to use its in-app browser because it would require directing them outside the app which they argued would make for a clunky, less slick experience
They also reiterated a previous public TikTok denial that it engages in keystroke logging (i.e. the capturing of content) but suggested it may use keystroke information to detect unusual patterns or rhythms, such as if each letter typed is exactly 1 key per second, to help protect against fake logins, spam-like comments, or other behavior that may threaten the integrity of its platform.
TikTok’s spokesperson went on to suggest the level of data gathering it engages in is akin to other apps which also collect information about what users search for within the app to be able to recommend relevant content and personalize the service.
They confirmed that users who browse web content within its app are tracked for similar personalization — such as to select relevant videos to show in their For You feed. TikTok may also collect data on user activity elsewhere, on advertiser’s apps and websites, when those third party companies elect to share such data with it, they further noted.
Meta-owned apps Instagram, Facebook and FB Messenger, were also found by Krause to be modifying third party sites loaded via their in-app browsers — with “potentially dangerous” commands, as he puts it — and we’ve also approached the tech giant for a response to the findings.
Privacy and data protection are regulated in the European Union, by laws including the General Data Protection Regulation (GDPR) and the ePrivacy Directive, so any tracking being undertaken of users in the region that lacks a proper legal base could lead to regulatory sanction.
Both social media giants have already been subject to a variety of EU procedures, investigations and enforcements around privacy, data and consumer protection concerns in recent years — with a number of probes ongoing and some major decisions looming.