Beware In-App Browsers: TikTok Tracks Users’ Keyboard Inputs and Taps
This article was originally published on my LinkedIn newsletter, Tech Support.
Have you ever clicked on a link while scrolling through an app on your phone?
Most apps won’t open that link on your internet browser of choice. Instead, they will take you to their in-app browser, which is a stripped-down browser software controlled by the app. Some popular apps inject code that could enable them to monitor all keyboard inputs and taps. This is known as keylogging.
Software developer and independent privacy researcher Felix Krause has assessed what code is injected onto a website to gather user activity when it is opened through an app, including ads or links clicked through a content creator’s profile.
For instance, any ads or links clicked through TikTok open within the app using the platform’s in-app browser rather than a default browser like Chrome or Safari. The JavaScript code embedded by TikTok allows the company to monitor users’ every keystroke as well as every tap on users’ screens. This includes text inputs such as passwords and credit card information.
“TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app. This can include passwords, credit card information and other sensitive user data,” warns Krause in a blog post detailing his findings. “We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites.”
Why does TikTok do this?
TikTok’s use of tracking to drive targeted advertising and to increase user engagement on their platform is widely documented. Recording users’ keystrokes on its in-app browser is a way for TikTok to monitor users’ behavior as consumers and purchasers.
Still, it is worth noting that there is no way for the public — users and researchers alike — to know exactly what kind of data TikTok’s in-app browser collects. In fact, a TikTok spokesperson has confirmed this in a statement to TechCrunch:
“The report’s conclusions about TikTok are incorrect and misleading. The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects. Contrary to the report’s claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring.”
This isn’t the first time TikTok has publicly denied engaging in keystroke logging either. TikTok has suggested that it may use keystroke information to detect unusual patterns, such as if each letter typed is exactly one key per second, to detect fake logins or spam-like comments.
However, the fact that TikTok has this system in place is a privacy risk for every user. The company has the infrastructure and code in place to be able to track all users’ keystrokes. At this time, the decision to use this information for simple debugging or outright spying is left solely to TikTok.
How can users protect themselves while browsing in-app links?
TikTok does not currently offer users an option to use a default mobile browser to open web links. In other words, there is no way to avoid TikTok’s tracking code from being loaded if you use its app to view links. Aside from abstaining from TikTok altogether, users must find a different way to load the link outside of TikTok’s browser.
Krause analyzed several apps and found that TikTok was the only app with the ability to track all keyboard inputs without allowing users to open links in a default browser.
The majority of in-app browsers have the ability to open the link into a user’s preferred browser. Alternatively, users can copy and paste the link into their browser of choice.
Although taking these additional precautions may impact a user’s experience with the app, until TikTok allows users to choose their own browsers, these measures may be the most reliable ways to avoid this privacy risk.