‘Beware in-app browsers’ is a good rule of thumb for any privacy conscious mobile app user given the potential for an app to leverage its hold on user attention to snoop on what you’re looking at via browser software it also controls.
But eyebrows are being raised over the behavior of TikTok’s in-app browser after independent privacy research by developer Felix Krause found the social network’s iOS app injecting code that could enable it to monitor all keyboard inputs and taps. Aka, keylogging. “TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app. This can include passwords, credit card information and other sensitive user data,” warns Krause in a blog post detailing the findings. “We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites.”After publishing a report last week focused on the potential for Meta’s Facebook and Instagram iOS apps to track users of their in-app browsers Krause followed up by launching a tool, called InAppBrowser.com, that lets mobile app users get details of code that’s being injected by in-app browsers by listing JavaScript commands executed by the app as it renders the page. (NB: He warns the tool does not necessarily list all JavaScript commands executed nor can it pick up tracking an app might be doing using native code , Krause has used the tool to produce a brief, comparative analysis of a number of major apps which appears to put TikTok at the top for concerning behaviors vis-a-vis in-app browsers on account of the scope of inputs it’s been identified subscribing to; and the fact it does not offer users an option to use a default mobile browser (i.e. rather than its own in-app browser) to open web links. The latter means there’s no way to avoid TikTok’s tracking code from being loaded if you use its app to view links the only option to avoid this privacy risk is to cut out of its app altogether and use a mobile browser to directly load the link (and if you can’t copy-paste it you’ll have to be able to remember the URL to do that).
Krause is careful to point out that just because he has found TikTok is subscribing to every keystroke a user makes on third party sites viewed inside its in-app browser does not necessarily mean it’s doing “anything malicious” with the access as he notes there’s no way for outsiders to know the full details on what kind of data is being collected or how or if it’s being transferred or used. But, clearly, the behavior itself raises questions and privacy risks for TikTok users. TikTok argues that the “keypress” and “keydown” inputs identified by Krause are common inputs claiming it is incorrect to make the assumptions about their use based only on the code being highlighted by the research. To back this up the spokesperson pointed to some non-TikTok same code from GitHub which they suggested would trigger exactly the same response being cited by the research as evidence of improper data collection but is rather being used to a trigger a command known as ‘StopListening’ that they said would specifically prevent an application capturing what is typed. They further claimed the JavaScript code highlighted by the research is used purely for debugging, troubleshooting and performance monitoring of the in-app browser to optimize the user experience, such as checking how quickly a page loads or whether it crashes. And said the JavaScript in question is also part of an SDK it’s using — further claiming that just because certain code exists does not mean the company is using it. The spokesperson also emphasized the distinction between permissions allowing apps to access certain categories of information on a user’s device (aka, to “invoke”) as opposing to collecting or processing data according to app store policies — suggesting many elements associated with the categories of information in question may be analyzed locally on the device without the information itself ever being collected by TikTok.
TikTok’s spokesperson also told us it does not offer users an option not to use its in-app browser because it would require directing them outside the app which they argued would make for a clunky, less slick experience They also reiterated a previous public TikTok denial that it engages in keystroke logging (i.e. the capturing of content) but suggested it may use keystroke information to detect unusual patterns or rhythms, such as if each letter typed is exactly 1 key per second, to help protect against fake logins, spam-like comments, or other behavior that may threaten the integrity of its platform. TikTok’s spokesperson went on to suggest the level of data gathering it engages in is akin to other apps which also collect information about what users search for within the app to be able to recommend relevant content and personalize the service. They confirmed that users who browse web content within its app are tracked for similar personalization such as to select relevant videos to show in their For You feed. TikTok may also collect data on user activity elsewhere, on advertiser’s apps and websites, when those third party companies elect to share such data with it, they further noted. Meta-owned apps Instagram, Facebook and FB Messenger, were also found by Krause to be modifying third party sites loaded via their in-app browsers — with “potentially dangerous” commands, as he puts it — and we’ve also approached the tech giant for a response to the findings. Privacy and data protection are regulated in the European Union, by laws including the General Data Protection Regulation (GDPR) and the ePrivacy Directive, so any tracking being undertaken of users in the region that lacks a proper legal base could lead to regulatory sanction. Both social media giants have already been subject to a variety of EU procedures, investigations and enforcements around privacy, data and consumer protection concerns in recent years with a number of probes ongoing and some major decisions looming.
Source: This news is originally published by techcrunch