TikTok’s In-App Browser Can Track Your Keystrokes, Says Researcher
Theoretically, this means that TikTok could record users’ passwords and credit card information.
“This was an active choice the company made,” said Felix Krause, founder of the popular developer tool Fastlane. “This is a non-trivial engineering task. This does not happen by mistake or randomly.”
Krause previously investigated Meta’s Facebook and Instagram apps, alleging that they could do the same. Krause found that Meta’s iOS apps could bypass Apple’s App Tracking Transparency rules by routing external links through their own browsers, and that TikTok can do so as well.
After Krause’s analysis went public, Meta vehemently denied using its in-app browser to track users. TikTok, meanwhile, has admitted these possibly privacy-endangering features exist within its app but said outright that the company is not using them.
TikTok’s privacy practices have come under fire in recent months. A June report indicated that, in China, the company repeatedly accessed non-public data belonging to U.S.-based TikTok users, despite having promised to separate its U.S. operations from its home base in China.
Krause’s research demonstrates that companies like Meta and TikTok are injecting code into their in-app browsers that could be used to track users. It does not, however, prove that any data is actually being collected.
As with the Instagram and Facebook apps, users can avoid even the mere possibility of being tracked through TikTok’s in-app browser by simply not using it.
Most in-app browsers have an “Open in Browser” option that opens links in Safari (or Chrome, if you’re using Android) instead. Users can also simply copy the website’s address and paste it into Safari.