TikTok Can Monitor Keystrokes of Users in iOS App's Browser: Expert

Users browse through the Chinese-owned video-sharing TikTok app on a smartphone in Amritsar, India, on June 30, 2020. (Narinder Nanu/AFP via Getty Images)
Caden Pearson

TikTok logs the keystrokes of users with its in-app browser on Apple devices, including passwords and credit card numbers, according to a researcher who used to work for Google and Twitter.

App developer and privacy researcher Felix Krause published a report on the risks associated with some iOS apps injecting JavaScript code into third-party browsers.

Of the seven most popular iOS apps analyzed, Beijing-based TikTok was the only one that didn't give users the option to open links with a third-party browser.

Krause found that TikTok's iOS app "monitors all taps happening on websites, including taps on all buttons and links" accessed via its in-app browser.

"TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app. This can include passwords, credit card information, and other sensitive user data (keypress and keydown)," Krause wrote.

"We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites."

TikTok confirmed that the code exists in its iOS app, but claimed that it doesn't use it.

"Like other platforms, we use an in-app browser to provide an optimal user experience, but the JavaScript code in question is used only for debugging, troubleshooting, and performance monitoring of that experience—like checking how quickly a page loads or whether it crashes," TikTok spokesperson Maureen Shanahan said in a statement obtained by Krause.

Krause analyzed TikTok, Facebook, Instagram, Snapchat, Amazon, Robinhood, and Messenger with a tool he developed called InAppBrowser.com.

According to the report, only Snapchat and Robinhood didn't inject any JavaScript code. Facebook, Instagram, and Messenger injected some code, but Krause said that "doesn’t mean the app is doing anything malicious."

"Just because an app injects JavaScript into external websites, doesn’t mean the app is doing anything malicious. There is no way for us to know the full details on what kind of data each in-app browser collects, or how or if the data is being transferred or used," Krause wrote.
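A page-side check in the spirit of the injection detection Krause's tool performs, as an added example that is not code from the report or from InAppBrowser.com: it wraps addEventListener on a target so a site can list keystroke and tap subscriptions that its own code never registered. `installListenerAudit`, `own()` and the sensitive-event list are assumptions of this example, and a bare EventTarget stands in for `document` so the snippet also runs under Node.js.

```javascript
// Added example, not code from Krause's report or InAppBrowser.com.
// Audits which sensitive event types are subscribed on a page-level
// target (document/window in a real page), so foreign subscriptions
// to keystrokes and taps can be surfaced by the site itself.
const SENSITIVE = new Set(['keydown', 'keypress', 'keyup', 'input', 'touchstart', 'click']);

// Wraps target.addEventListener and records each subscription to a
// sensitive event type together with whether the page's own code made it.
function installListenerAudit(target) {
  const records = [];
  const original = target.addEventListener.bind(target);
  let pageOwnedDepth = 0; // >0 while the page registers its own listeners

  target.addEventListener = function (type, listener, options) {
    if (SENSITIVE.has(type)) {
      records.push({ type, pageOwned: pageOwnedDepth > 0 });
    }
    return original(type, listener, options);
  };

  return {
    // The page registers its own listeners inside own() so they are not flagged.
    own(fn) { pageOwnedDepth++; try { fn(); } finally { pageOwnedDepth--; } },
    // Sorted, de-duplicated sensitive event types subscribed by other code.
    report() {
      const foreign = records.filter(r => !r.pageOwned).map(r => r.type);
      return [...new Set(foreign)].sort();
    },
  };
}

// Demo on a constructed stand-in for `document` (EventTarget is a Node.js global).
function demo() {
  const doc = new EventTarget();
  const audit = installListenerAudit(doc);
  // The page's own click handler, registered through own(): not flagged.
  audit.own(() => doc.addEventListener('click', () => {}));
  // Constructed stand-in for a script the page did not ship; handlers are
  // deliberately empty, only the subscription itself matters here.
  doc.addEventListener('keydown', () => {});
  doc.addEventListener('keypress', () => {});
  doc.addEventListener('scroll', () => {}); // not in the sensitive set
  return audit.report(); // ['keydown', 'keypress']
}

console.log(demo());
```

In a real page the audit must be installed before any third-party or injected script runs, which an in-app browser injecting at document start can pre-empt; the check is therefore a signal, not a guarantee.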

The Risks

Krause said the risk occurs when users open links while using an iOS app, such as TikTok, and view the rendered webpage inside that app instead of opening the link with a third-party browser, such as Safari or Chrome.

Some JavaScript code allows apps to know how long the user visited the linked website, which links they opened, what they tapped on, location data if enabled, and even record the user or "parse their face" while browsing, Krause noted in a 2018 blog post.

This happens "without the consent from the user, nor the website provider," he said.

For example, a person who uses the Safari app on their iPhone may have their login or credit card information saved for convenience. But if they visit a page with TikTok's in-app browser, any login or payment information will need to be entered fresh. Those keystrokes are being monitored, according to the report.

"This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap," Krause wrote.

Experts have long warned that TikTok can't be trusted due to the company's ties to the Chinese Communist Party (CCP). This has brought the company under scrutiny.

Chinese security laws compel companies to cooperate with intelligence agencies when asked. TikTok has said that it would not comply with any requests by the CCP for user data.

Casey Fleming, CEO of intelligence and security strategy firm BlackOps Partners, has said that the CCP is engaged in “unrestricted warfare” as it seeks to supplant the United States to become the world’s sole superpower.

“All technology coming out of China—either manufactured in China, created in China—is controlled by the CCP,” he said.

“TikTok is a weaponized espionage platform controlled by the CCP in the hands of most of your kids and young adults. It is what war looks like today—hybrid warfare. It should be banned by the U.S. government immediately."

The vast amount of data TikTok collects about its users, mostly young Americans, makes the app a risk, according to another expert, who said the app could be used to spy on Americans.

“If you want to spy on a country, why send in a spy the old-fashioned way? Why not just send in a great app and make it go viral?” said Gary Miliefsky, a cybersecurity expert and publisher of Cyber Defense Magazine, in a statement previously obtained by The Epoch Times.