TikTok’s in-app browser code can track anything you type, researcher claims

TikTok’s in-app browser for iOS injects JavaScript code into external websites enabling the app to track “all keyboard inputs and taps” while a user engages with a particular website, according to new study by software engineer Felix Krause.

Any activity on third-party websites that opens within the app rather than an external window is referred to as in-app browsing. The popular video sharing platform TikTok is one of the many apps that use in-app browsers.

Krause published a research last week that looked into the JavaScript code that various apps inject into third-party websites. This code gives the platforms the ability to monitor the activities of users.

Krause says his security tool, InAppBrowser.com, found that TikTok iOS in-app browser “subscribes” to all keyboard inputs when a user interacts with an external website, including any sensitive information like credit card details and passwords, along with every touch on the screen.

From a technological standpoint, Krause says injecting JavaScript code is comparable to installing a keylogger on third-party websites.

However, he clarified that simply because an app injects JavaScript into other websites doesn’t necessarily mean that the app is doing anything malicious.

“There is no way for us to know the full details on what kind of data each in-app browser collects, or how – or if – the data is being transferred or used,” he said.

TikTok described the report’s findings as inaccurate and misleading, pointing out that Krause specifically states that the presence of the code does not imply that the app is acting maliciously.

The platform acknowledged the presence of JavaScript code, but claimed that it does not collect keystroke or text inputs through this code, and that the code is solely used for performance monitoring, debugging, and troubleshooting to ensure an “optimal user experience.”

The “keypress” and “keydown” functions cited by Krause are standard inputs that TikTok does not employ for keystroke recording, TikTok stated, further noting that the code is a component of a third-party software development kit.

The hugely popular short video app, which is owned by the Chinese firm ByteDance, has drawn criticism in multiple countries for having ties to the Chinese government. In the US, former President Donald Trump even attempted to ban TikTok by executive order.

In June, an American communications regulator official urged Apple and Google to ban the app about “national security” concerns.

Krause’s study examined a total of seven in-app browser-enabled iPhone apps, including TikTok, Facebook, Instagram, Facebook Messenger, Amazon, Snapchat, and Robinhood. Of them, TikTok was the only one that seems to track keystrokes, according to Krause.

Facebook and Instagram both track every tap on a website like TikTok.

The latest research follows a previous report by Krause on in-app browsers earlier this month that focused specifically on Meta-owned applications Facebook, Instagram, and Facebook Messenger.

The report claimed that Instagram and Facebook’s iOS in-app browsers can monitor users’ interactions with any website after injecting JavaScript code known as ‘Meta Pixel’ into each linked website.

Meta said the claims were false and misrepresented how Meta’s in-app browser and Pixel work.

“We intentionally developed this code to honor people’s App Tracking Transparency choices on our platforms,” ​​Meta told Computing.