TikTok's in-app browser could be keylogging, privacy analysis warns

'Beware in-app browsers' is a good rule of thumb for any privacy conscious mobile app user -- given the potential for an app to leverage its hold on user attention to snoop on what you're looking at via browser software it also controls. But eyebrows are being raised over the behavior of TikTok's in-app browser after independent privacy research by developer Felix Krause found the social network's iOS app injecting code that could enable it to monitor all keyboard inputs and taps. Aka, keylogging.

"TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app. This can include passwords, credit card information and other sensitive user data," warns Krause in a blog post detailing the findings. "We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites." [emphasis his]

After publishing a report last week -- focused on the potential for Meta's Facebook and Instagram iOS apps to track users of their in-app browsers -- Krause followed up by launching a tool, called InAppBrowser.com, that lets mobile app users get details of code that's being injected by in-app browsers by listing JavaScript commands executed by the app as it renders the page. (NB: He warns the tool does not necessarily list all JavaScript commands executed nor can it pick up tracking an app might be doing using native code -- so at best it's offering a glimpse of potentially sketchy activities.)

Krause has used the tool to produce a brief, comparative analysis of a number of major apps which appears to put TikTok at the top for concerning behaviors vis-a-vis in-app browsers -- on account of the scope of inputs it's been identified subscribing to; and the fact it does not offer users an option to use a default mobile browser (i.e. rather than its own in-app browser) to open web links. The latter means there's no way to avoid TikTok's tracking code from being loaded if you use its app to view links -- the only option to avoid this privacy risk is to cut out of its app altogether and use a mobile browser to directly load the link (and if you can't copy-paste it you'll have to be able to remember the URL to do that).

Krause is careful to point out that just because he has found TikTok is subscribing to every keystroke a user makes on third party sites viewed inside its in-app browser does not necessarily mean it's doing "anything malicious" with the access -- as he notes there's no way for outsiders to know the full details on what kind of data is being collected or how or if it's being transferred or used. But, clearly, the behavior itself raises questions and privacy risks for TikTok users.

We reached out to TikTok about the tracking code it's injecting into third party sites and will update this report with any response.

Update: A company spokesperson has now sent this statement:

The report's conclusions about TikTok are incorrect and misleading. The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects. Contrary to the report's claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring.

TikTok argues that the "keypress" and "keydown" inputs identified by Krause are common inputs -- claiming it is incorrect to make the assumptions about their use based only on the code being highlighted by the research.

To back this up the spokesperson pointed to some non-TikTok same code from GitHub which they suggested would trigger exactly the same response being cited by the research as evidence of improper data collection but is rather being used to a trigger a command known as 'StopListening' that they said would specifically prevent an application capturing what is typed.

They further claimed the JavaScript code highlighted by the research is used purely for debugging, troubleshooting and performance monitoring of the in-app browser to optimize the user experience, such as checking how quickly a page loads or whether it crashes. And said the JavaScript in question is also part of an SDK it's using -- further claiming that just because certain code exists does not mean the company is using it. The spokesperson also emphasized the distinction between permissions allowing apps to access certain categories of information on a user's device (aka, to "invoke") as opposing to collecting or processing data according to app store policies -- suggesting many elements associated with the categories of information in question may be analyzed locally on the device without the information itself ever being collected by TikTok.

TikTok's spokesperson also told us it does not offer users an option not to use its in-app browser because it would require directing them outside the app which they argued would make for a clunky, less slick experience

They also reiterated a previous public TikTok denial that it engages in keystroke logging (i.e. the capturing of content) but suggested it may use keystroke information to detect unusual patterns or rhythms, such as if each letter typed is exactly 1 key per second, to help protect against fake logins, spam-like comments, or other behavior that may threaten the integrity of its platform.

TikTok's spokesperson went on to suggest the level of data gathering it engages in is akin to other apps which also collect information about what users search for within the app to be able to recommend relevant content and personalize the service.

They confirmed that users who browse web content within its app are tracked for similar personalization -- such as to select relevant videos to show in their For You feed. TikTok may also collect data on user activity elsewhere, on advertiser's apps and websites, when those third party companies elect to share such data with it, they further noted.

Meta-owned apps Instagram, Facebook and FB Messenger, were also found by Krause to be modifying third party sites loaded via their in-app browsers -- with "potentially dangerous" commands, as he puts it -- and we've also approached the tech giant for a response to the findings.

Privacy and data protection are regulated in the European Union, by laws including the General Data Protection Regulation (GDPR) and the ePrivacy Directive, so any tracking being undertaken of users in the region that lacks a proper legal base could lead to regulatory sanction.

Both social media giants have already been subject to a variety of EU procedures, investigations and enforcements around privacy, data and consumer protection concerns in recent years -- with a number of probes ongoing and some major decisions looming.

Update: Ireland's Data Protection Commission, which is lead data protection regulator for Meta and TikTok under the GDPR in Europe, told TechCrunch it has requested a meeting with Meta following last week's media reports of the JavaScript issue. It also said it will be engaging with TikTok on the issue.

Krause warns that public scrutiny of in-app browser JavaScript tracking code injections on iOS is likely to encourage bad actors to upgrade their software to make such code undetectable to external researchers -- by running their JavaScript code in the "context of a specified frame and content world" (aka WKContentWorld), which Apple has provided since iOS 14.3; introducing the provision as an anti-fingerprinting measure and so website operators can’t interfere with the JavaScript code of browser plugins (but the tech is evidently a double-edge sword in the context of tracking obfuscation) -- arguing it's thus "more important than ever to find a solution to end the use of custom in-app browsers for showing third party content".

Despite some concerning behaviors being identified in mobile apps running on iOS, Apple's platform is typically touted as more privacy safe than the Google-flavored mobile OS alternative, Android -- and it's worth noting that apps which follow Apple’s recommendation of using Safari (or SFSafariViewController) for viewing external websites were found by Krause to be "on the safe side" -- including Gmail, Twitter, WhatsApp and many others -- as he says Cupertino's recommended method means there's no way for apps to inject any code onto websites, including by deploying the aforementioned isolated JavaScript system (which might otherwise be used to obfuscate tracking code).