TikTok’s In-App Browser Can Track Your Keystrokes, Says Researcher

One security researcher’s recent probe into the inner workings of the TikTok app has revealed it injects JavaScript code into any and all links opened through its in-app browser that can track and record everything from taps to keystrokes on a webpage (via Forbes).

Theoretically, this means that TikTok could record users’ passwords and credit card information.
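The tracking described above works by hooking input events in the page. As an added example (not code from the article or from Krause’s tooling), a site can wrap `addEventListener` so that keystroke or touch listeners registered by code it did not load show up in an audit log; it only sees listeners registered after it is installed, so it belongs in the first script the page loads, and the `pageOwned` option is a hypothetical marker the page’s own code passes to tell its registrations apart.

```javascript
// Event types an injected script would need to hook to capture typing or taps.
const SENSITIVE_EVENTS = new Set([
  'keydown', 'keyup', 'keypress', 'input', 'touchstart', 'touchend',
]);

// Wrap target.addEventListener (e.g. on document) so each registration of a
// sensitive event type is recorded, then passed through unchanged.
function installListenerAudit(target, log) {
  const original = target.addEventListener.bind(target);
  target.addEventListener = function (type, listener, options) {
    if (SENSITIVE_EVENTS.has(type)) {
      // Hypothetical marker: the page's own code passes { pageOwned: true };
      // anything without it is treated as foreign code.
      const pageOwned = Boolean(options && options.pageOwned);
      log.push({ type, pageOwned });
    }
    return original(type, listener, options);
  };
  return target;
}

// Reduce the log to what a defender cares about: did foreign code hook input?
function summarizeAudit(log) {
  const foreign = log.filter((entry) => !entry.pageOwned);
  return {
    total: log.length,
    foreignCount: foreign.length,
    foreignTypes: [...new Set(foreign.map((entry) => entry.type))].sort(),
    suspicious: foreign.length > 0,
  };
}

// Stand-alone demo on a constructed EventTarget standing in for `document`.
function demo() {
  const doc = new EventTarget();
  const log = [];
  installListenerAudit(doc, log);
  doc.addEventListener('keydown', () => {}, { pageOwned: true }); // page's own
  doc.addEventListener('keydown', () => {});    // unmarked: flagged as foreign
  doc.addEventListener('touchstart', () => {}); // unmarked: flagged as foreign
  doc.addEventListener('scroll', () => {});     // not sensitive, not logged
  return summarizeAudit(log);
}
```

In a real page the summary would be sent to the site’s own telemetry endpoint; the demo only returns it.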

“This was an active choice the company made,” said Felix Krause, founder of the popular developer tool Fastlane. “This is a non-trivial engineering task. This does not happen by mistake or randomly.”

Krause previously investigated Meta’s Facebook and Instagram apps and alleged that they could do the same: by routing external links through their own in-app browsers, Meta’s iOS apps could bypass Apple’s App Tracking Transparency rules, and TikTok’s app can too.

After Krause’s analysis went public, Meta vehemently denied using its in-app browser to track users. TikTok, meanwhile, has admitted these possibly privacy-endangering features exist within its app but said outright that the company is not using them.

“Like other platforms, we use an in-app browser to provide an optimal user experience, but the JavaScript code in question is used only for debugging, troubleshooting and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes,” a TikTok spokesperson said in a statement.

TikTok’s privacy practices have come under fire in recent months. A June report indicated that the company repeatedly accessed non-public data belonging to U.S.-based TikTok users in China, despite having promised to separate its U.S. operations from its home base in China.

TikTok added that the JavaScript code in question is part of a third-party software development kit (SDK). According to the company, there are several parts of the SDK that its mobile app does not use.

Krause’s research demonstrates that companies like Meta and TikTok are injecting code into their in-app browsers that could be used to track users. It does not, however, prove that any data is actually being collected.

As with the Instagram and Facebook apps, users can avoid even the possibility of being tracked through TikTok’s in-app browser simply by not using it.

Most in-app browsers have an “Open in Browser” option that opens links in Safari (or Chrome, if you’re using Android) instead. Users can also simply copy the website’s address and paste it into Safari.