
TikTok company spokesperson denies Javascript code is used for malicious behavior


According to security researcher Felix Krause, TikTok’s custom in-app browser on iOS injects JavaScript code into external websites, allowing TikTok to monitor “all keyboard input and clicks” when users interact with a given website, but TikTok has reportedly denied that the code was used for malicious behavior.


Krause said the browser within the TikTok App “subscribes” to all keyboard input, including any sensitive details such as passwords and credit card information, as well as every click on the screen, when users interact with external websites.

“From a technical perspective, this is the equivalent of installing a keylogger on a third-party website,” Krause wrote of the JavaScript code that TikTok’s in-app browser injects into external pages. However, the researcher added that “the mere fact that the app injects JavaScript into an external website does not mean that the app is doing anything malicious.”

In a statement shared with Forbes, a TikTok spokesperson acknowledged the JavaScript code, but said it was only used for debugging, troubleshooting and performance monitoring to ensure “the best user experience.”

“As with other platforms, we use the in-app browser to provide the best user experience, but the Javascript code in question is only used for debugging, troubleshooting and performance monitoring — for example, to check page load speeds or if it crashes.”

Krause said that users who want to protect themselves from any potentially malicious use of in-app browser JavaScript should, whenever possible, open links in the platform’s default browser instead, such as Safari on iPhone and iPad.

According to Krause, Facebook and Instagram are two other problematic applications that insert JavaScript code into external websites loaded in their in-app browsers, allowing the apps to track user activity. A spokesperson for Facebook and Instagram parent company Meta said in a tweet that the company “intentionally developed this code to respect people’s app tracking transparency (ATT) choices on our platform.” Instagram, owned by Meta, was reported to have violated Apple’s iOS privacy policy when it was revealed that it tracked users’ web activity through its in-app browser.

Krause said he created a simple tool that allows anyone to check whether an in-app browser is injecting JavaScript code when it presents a website. Users simply open the app they want to analyze, share the address InAppBrowser.com somewhere within the app (for example, by sending it as a direct message to another person), tap the link inside the app so that it opens in the in-app browser, and read the details of the report that is displayed, Krause said.

Apple did not immediately respond to a request for comment.

A further statement from a TikTok spokesperson said:

"The report's conclusions about TikTok are incorrect and misleading. The researchers clearly state that the JavaScript code does not imply that our application is doing anything malicious and acknowledge that they have no way of knowing what kind of data is being collected by the browser within our application. We do not collect keystrokes or text input through this code, which is used only for debugging, troubleshooting and performance monitoring."

According to a TikTok spokesperson, the JavaScript code is part of a software development kit (SDK) being utilized by TikTok, and the “keypress” and “keydown” functions mentioned by Krause are common inputs that TikTok does not use for keystroke recording.
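The two technical points in this article are that injected JavaScript can subscribe to keyboard and click events on a third-party page, and that the events named by TikTok’s spokesperson are the ordinary “keypress” and “keydown” handlers. The following is an added example, not code from the article, from Krause’s tool or from TikTok: a page-side audit that a website owner can ship at the top of their own bundle to record who registers keyboard and click listeners, so that handlers attributable to the site’s own script URLs can be separated from unattributed ones. The host names and the rule that a stack frame without an http(s) URL is treated as unattributed are assumptions for the example.

```javascript
// Added example, not from the article or from TikTok/Krause. A site-side audit
// that records every keyboard/click listener registration together with the
// stack frame of the code that registered it.
const AUDITED_EVENTS = new Set(["keydown", "keypress", "keyup", "input", "click"]);

// Wraps addEventListener on the given prototype (EventTarget.prototype in a
// browser; must run before any other script). Each audited registration is
// appended to `log` with the caller's stack frame.
function installListenerAudit(proto, log = []) {
  const original = proto.addEventListener;
  proto.addEventListener = function (type, listener, options) {
    if (AUDITED_EVENTS.has(type)) {
      const frames = (new Error().stack || "").split("\n").slice(1);
      // frames[0] is this wrapper, frames[1] is whoever called addEventListener
      log.push({ type, caller: (frames[1] || "").trim() });
    }
    return original.call(this, type, listener, options);
  };
  return log;
}

// Extracts scheme + host from a V8-style frame such as
// "at https://shop.example/app.js:12:7". Returns null when the frame carries
// no URL; the assumption here is that script evaluated by a host app's
// WebView bridge shows up as an anonymous frame rather than a script URL.
function originOf(frame) {
  const m = /(https?:\/\/[^/\s)]+)/.exec(frame);
  return m ? m[1] : null;
}

// Returns the audited registrations that did not come from an allowed origin.
function findForeignListeners(log, allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return log.filter((entry) => !allowed.has(originOf(entry.caller)));
}

// Constructed sample log, as a site might see it: the first entry comes from
// the site's own bundle, the other two have no attributable script URL.
const SAMPLE_LOG = [
  { type: "click", caller: "at https://shop.example/static/app.js:88:3" },
  { type: "keydown", caller: "at <anonymous>:1:12" },
  { type: "keypress", caller: "at eval (eval at <anonymous>:1:1)" },
];

// Runs the classification over the constructed sample for the assumed site.
function demo() {
  return findForeignListeners(SAMPLE_LOG, ["https://shop.example"]);
}
```

In a browser the site would call `installListenerAudit(EventTarget.prototype)` as the first script on the page and report `findForeignListeners` results to its own telemetry endpoint.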
