Any activity on third-party websites that opens within the app rather than an external window is referred to as in-app browsing. The popular video sharing platform TikTok is one of the many apps that use in-app browsers.
Krause says his security tool, InAppBrowser.com, found that TikTok iOS in-app browser “subscribes” to all keyboard inputs when a user interacts with an external website, including any sensitive information like credit card details and passwords, along with every touch on the screen.
“There is no way for us to know the full details on what kind of data each in-app browser collects, or how – or if – the data is being transferred or used,” he said.
When opening a website from within the TikTok iOS app, they inject code that can observe every keyboard input (which may include credit card details, passwords or other sensitive information)
TikTok also has code to observe all taps, like clicking on any buttons or links. pic.twitter.com/Dcv0N4ccKD
— Felix Krause (@KrauseFx) August 18, 2022
TikTok described the report’s findings as inaccurate and misleading, pointing out that Krause specifically states that the presence of the code does not imply that the app is acting maliciously.
The “keypress” and “keydown” functions cited by Krause are standard inputs that TikTok does not employ for keystroke recording, TikTok stated, further noting that the code is a component of a third-party software development kit.
The hugely popular short video app, which is owned by the Chinese firm ByteDance, has drawn criticism in multiple countries for having ties to the Chinese government. In the US, former president Donald Trump even attempted to ban TikTok by executive order.
In June, an American communications regulator official urged Apple and Google to ban the app over “national security” concerns.
Krause’s study examined a total of seven in-app browser-enabled iPhone apps, including TikTok, Facebook, Instagram, Facebook Messenger, Amazon, Snapchat, and Robinhood. Of them, TikTok was the only one that seems to track keystrokes, according to Krause.
Facebook and Instagram both track every tap on a website like TikTok.
The latest research follows a previous report by Krause on in-app browsers earlier this month that focused specifically on Meta-owned applications Facebook, Instagram, and Facebook Messenger.
Meta said the claims were false and misrepresented how Meta’s in-app browser and Pixel work.
“We intentionally developed this code to honour people’s App Tracking Transparency choices on our platforms,” Meta told Computing.