TikTok's In-App Browser Reportedly Capable of Monitoring Anything You Type

TikTok's custom in-app browser on iOS reportedly injects JavaScript code into external websites that allows TikTok to monitor "all keyboard inputs and taps" while a user is interacting with a given website, according to security researcher Felix Krause, but TikTok has reportedly denied that the code is used for malicious reasons.

tiktok logo
Krause said TikTok's in-app browser "subscribes" to all keyboard inputs while a user interacts with an external website, including any sensitive details like passwords and credit card information, along with every tap on the screen.

"From a technical perspective, this is the equivalent of installing a keylogger on third party websites," wrote Krause, in regards to the JavaScript code that TikTok injects. However, the researcher added that "just because an app injects JavaScript into external websites, doesn't mean the app is doing anything malicious."

In a statement shared with Forbes, a TikTok spokesperson acknowledged the JavaScript code in question, but said it is only used for debugging, troubleshooting, and performance monitoring to ensure an "optimal user experience."

"Like other platforms, we use an in-app browser to provide an optimal user experience, but the Javascript code in question is used only for debugging, troubleshooting and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes," the statement said, according to Forbes.

Krause said users who wish to protect themselves from any potential malicious usage of JavaScript code in in-app browsers should switch to viewing a given link in the platform's default browser if possible, such as Safari on the iPhone and iPad.

"Whenever you open a link from any app, see if the app offers a way to open the currently shown website in your default browser," wrote Krause. "During this analysis, every app besides TikTok offered a way to do this."

Facebook and Instagram are two other apps that insert JavaScript code into external websites loaded in their in-app browsers, giving the apps the ability to track user activity, according to Krause. In a tweet, a spokesperson for Facebook and Instagram parent company Meta said that the company "intentionally developed this code to honor people's App Tracking Transparency (ATT) choices on our platforms."

Krause said he created a simple tool that allows anyone to check if an in-app browser is injecting JavaScript code when rendering a website. The researcher said users simply need to open an app they wish to analyze, share the address InAppBrowser.com somewhere inside the app (such as in a direct message to another person), tap on the link inside the app to open it in the in-app browser, and read the details of the report shown.

Apple did not immediately respond to a request for comment.

Update: A spokesperson for TikTok issued the following statement to MacRumors.

"The report's conclusions about TikTok are incorrect and misleading. The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects. Contrary to the report's claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring."

According to the TikTok spokesperson, the JavaScript code is part of a software development kit (SDK) that TikTok is leveraging, and the "keypress" and "keydown" functions mentioned by Krause are common inputs that TikTok does not use for keystroke logging.

Tag: TikTok

Top Rated Comments

sniffies Avatar
5 weeks ago
TikTok is a tikking bomb that needs to be defused ASAP.
Score: 53 Votes (Like | Disagree)
DHagan4755 Avatar
5 weeks ago
It's owned by a Chinese company with alleged ties to the CCP. If you're concerned about it, don't use it. It's quite simple.
Score: 52 Votes (Like | Disagree)
bigandtasty Avatar
5 weeks ago
We were told TikTok was shady and monitoring people almost 2 years ago. Nothing surprising here.
Score: 42 Votes (Like | Disagree)
ian87w Avatar
5 weeks ago
This is why I hate in-app browser. Let's face it, Google, Facebook, they all do/did it, which is why they're insistence in forcing users to remain in their app with these in-app browser "experience." This is an issue on Android as well, where Google searches on Google app are sticking with Chrome/in-app browser by default even if I have another browser as my default browser.

There are always shenanigans like this. I wish for Apple to simply disable in-app browsers, and force any links to just use the default browser externally.
Score: 40 Votes (Like | Disagree)
macaddict06 Avatar
5 weeks ago
<shocked pikachu face>
Score: 37 Votes (Like | Disagree)
TheYayAreaLiving ? Avatar
5 weeks ago
I once said, never to trust Facebook. Now I’m going to say, Never trust TikTok.
Score: 24 Votes (Like | Disagree)

Related Stories

Instagram Feature 2

Analysis Suggests Instagram Tracks User Web Activity Through In-App Browser

Wednesday August 10, 2022 11:58 am PDT by
A new analysis of the Instagram app has suggested that every time a user clicks a link within the app, Instagram is capable of monitoring all of their interactions, text selections, and even text input, such as passwords and private credit card details within websites inside the app. The analysis conducted by Felix Krause found that both Instagram and Facebook on iOS use their own in-app...
facebook meta

Meta Sued Over Tracking iPhone Users Despite Apple's Privacy Features

Thursday September 22, 2022 5:12 am PDT by
Meta is facing a new proposed class action lawsuit that accuses it of tracking and collecting the personal data of iPhone users, despite features and policies made by Apple which are meant to stop that same type of tracking. In August, it was revealed that with the Facebook and Instagram apps, Meta can track all of a user's key taps, keyboard inputs, and more, when using the in-app browser....
webkit vs chromium feature

Should Apple Continue to Ban Rival Browser Engines on iOS?

Friday February 25, 2022 7:39 am PST by
Apple requires all apps that browse the web in iOS and iPadOS to use its own browser engine, WebKit, but amid accusations of anti-competitive conduct, should it continue to effectively ban rival browser engines? Big tech has been gripped by accusations of anti-competitive conduct in recent times, with Chief Executive of the UK's Competition and Markets Authority (CMA) Andrea Coscelli...
webkit logo

Web Developers Form Advocacy Group to Allow Other Browser Engines on iOS

Wednesday March 2, 2022 4:29 am PST by
Apple is being challenged by a group of developers to end WebKit's dominance on its mobile devices and allow other browser engines on iPhone and iPad, following accusations that the current situation amounts to anti-competitive conduct. For those unfamiliar with WebKit, Apple's browser engine powers Safari and other areas of the operating system where web content is displayed. Apple requires ...
applepaypromotion

Apple Pay Promo Offers Summertime Savings From Multiple Retailers

Thursday July 21, 2022 9:37 am PDT by
Apple today launched a new summer-themed Apple Pay promo offering discounts from a range of retailers like J.Crew, Crocs, Ray-Ban, and more when using Apple Pay to make a purchase. Crocs - 20% off footwear with promo code APPLEPAY. GOAT - Up to 70% off select styles when using Apple Pay. Gymboree - $15 off when you spend $50 or more with promo code APPLEPAY. J.Crew - $25 off...
Apple Pay Feature

Third-Party Browsers Starting to Support Apple Pay in iOS 16 Betas

Monday August 1, 2022 3:31 am PDT by
Apple has added Apple Pay support to third-party browsers in recent betas of iOS 16 and iPadOS 16. The added support, spotted by MacRumors contributor Steve Moser, marks a change from iOS 15 and iPadOS 15 and earlier, where in-browser Apple Pay is exclusively available in Safari. Moser found that Apple Pay is available in Microsoft Edge and Google Chrome as of iOS 16 developer beta 4, and oth...
app store blue banner uk fixed

UK Looks to Trigger Regulation Process to Target Apple's Cloud Gaming and Browser Engine Restrictions

Friday June 10, 2022 5:34 am PDT by
The UK's competition watchdog seeks to "remedy" Apple's restrictions on browser engines in iOS and cloud gaming through the App Store via a high-level regulatory process, the organization announced today. The announcement comes upon the publication of the Competitions and Markets Authority (CMA) year-long study into Apple and Google's mobile ecosystems, which finds that Apple and Google have ...
iOS App Store General Feature Dock 2

Apple Removes Scam App That Led to Hijacked Facebook Ad Accounts

Friday August 5, 2022 4:54 am PDT by
Apple has removed an app that it was unknowingly hosting on the App Store that scammed Facebook advertisers and led hackers to use advertisers' ad budgets to run possibly malicious ads on Facebook's platforms, Business Insider reports. The app previously ranked highly on the App Store when searching for "Facebook ads manager," the app used by advertisers to control their presence and ads...

Popular Stories

AirPods Max 2022 Colors

Ten Things AirPods Pro 2 Tell Us About AirPods Max 2

Saturday September 24, 2022 1:00 am PDT by
Upon the release of the second-generation AirPods Pro, the AirPods Max became the oldest current-generation AirPods product still in Apple's lineup. Introducing several new features like Adaptive Transparency and the H2 chip, the second-generation AirPods Pro may provide some of the best indications yet of what to expect from the second-generation AirPods Max. Almost two years later, rumors...
apple watch series 7 aluminum colors yellowbg

Don't Want the Apple Watch Ultra or Series 8? Amazon Has Record Low Prices on Series 7 Models This Week

Friday September 23, 2022 6:56 am PDT by
The Apple Watch Series 8 and Apple Watch Ultra are now available to purchase, but if you aren't interested in these updates you can save a lot of money on Series 7 models right now on Amazon. Note: MacRumors is an affiliate partner with Amazon. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running. The best deals are on cellular...
iOS 16

Apple Releases iOS 16.0.2 With Bug Fixes for iPhone 14 Pro Camera Vibration, Copy/Paste Issue and More

Thursday September 22, 2022 1:04 pm PDT by
Apple today released iOS 16.0.2, addressing a number of bugs that iPhone 14 owners have been experiencing since the new devices launched. iOS 16.0.2 comes two weeks after the launch of iOS 16, and it follows iOS 16.0.1, an update made available to iPhone 14 owners on launch day. The update is available for all iPhones that are capable of running iOS 16. The iOS 16.0.2 update can be...
14 vs 16 inch mbp m2 pro and max feature 1

New 14-Inch and 16-Inch MacBook Pros Reportedly Launching Later This Year

Friday September 23, 2022 7:08 am PDT by
Apple plans to release new MacBook Pro models in the fourth quarter of 2022, according to supply chain publication DigiTimes. The report does not mention specific models, but it very likely refers to the next-generation 14-inch and 16-inch MacBook Pros given that the 13-inch model was already updated earlier this year. There has been uncertainty surrounding the timing of new 14-inch and...
Tim Cook Apple Event

Gurman: New iPads and Macs May Be Announced Through Press Releases, No October Event

Sunday September 25, 2022 6:50 am PDT by
Apple may decide to release its remaining products for 2022, which include updated iPad Pro, Mac mini, and 14-inch and 16-inch MacBook Pro models, through press releases on its website rather than a digital event, according to Bloomberg's Mark Gurman. In his latest Power On newsletter, Gurman said that Apple is currently "likely to release its remaining 2022 products via press releases,...
Dynamic Island For Android Users Feature

Android App Copying iPhone 14 Pro's Dynamic Island Released on Play Store

Thursday September 22, 2022 7:57 am PDT by
A copycat version of the iPhone 14 Pro's Dynamic Island has arrived on Android's Google Play Store in the form of an app called "dynamicSpot." The app, still in beta, offers customers several different experiences at the top of their smartphones. In its current form, dynamicSpot offers playback control for songs, timers, battery status, and more features coming soon, according to the app's...
AirPods Pro Second Generation 2 Pairing Feature 1

AirPods Pro 2 Engravings Appear in iOS During Pairing and Connecting

Friday September 23, 2022 9:40 am PDT by
Customers who personalize their second-generation AirPods Pro charging case with an engraving will now have that engraving reflected directly on iOS as they pair and connect their AirPods Pro. Apple allows customers to personalize their AirPods Pro charging case with a special engraving that can include select emojis and Memojis. Unlike before, starting with the second-generation AirPods...
Apple Watch 6 New Features Feature 2

Six New Apple Watch Features Coming Later This Year

Friday September 23, 2022 8:12 am PDT by
With new Apple Watch Ultra and Series 8 models now in the hands of customers, Apple has brought a host of smart new features to many people's wrists. But there's more to come. Apple has a handful of additional features in store for Apple Watch Series 8 and Apple Watch Ultra owners before the year's end, and some of them are watchOS 9 functions, which means they will even work on older Apple ...
new airpods pro ear tips

Apple Explains Why Second-Generation AirPods Pro Ear Tips Are Incompatible With Original AirPods Pro

Thursday September 22, 2022 3:12 pm PDT by
Apple today explained why the new silicone ear tips for the second-generation AirPods Pro are not officially compatible with the original AirPods Pro. In an updated support document, Apple said the original AirPods Pro ear tips have "noticeably denser mesh" than the second-generation ear tips. Apple did not provide any additional details, but the mesh density could result in acoustical...