TikTok logs the keystrokes of users with its in-app browser on Apple devices, including passwords and credit card numbers, according to a researcher who used to work for Google and Twitter.
Of the seven most popular iOS apps analyzed, Beijing-based TikTok was the only one that didn’t give users the option to open links with a third-party browser.
Krause found that TikTok’s iOS app “monitors all taps happening on websites, including taps on all buttons and links” accessed via its in-app browser.
“TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app. This can include passwords, credit card information, and other sensitive user data (keypress and keydown),” Krause wrote.
“We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites.”
TikTok confirmed that the code exists in its iOS app, but claimed that it doesn’t use it.
“Like other platforms, we use an in-app browser to provide an optimal user experience, but the JavaScript code in question is used only for debugging, troubleshooting, and performance monitoring of that experience—like checking how quickly a page loads or whether it crashes,” TikTok spokesperson Maureen Shanahan said in a statement obtained by Krause.
Krause analyzed TikTok, Facebook, Instagram, Snapchat, Amazon, Robinhood, and Messenger with a tool he developed called InAppBrowser.com.
According to the report, only Snapchat and Robinhood didn’t inject any JavaScript code. Facebook, Instagram, and Messenger injected some code, but Krause said that “doesn’t mean the app is doing anything malicious.”
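The keystroke subscription Krause describes and the injection checks his InAppBrowser.com tool performs both rest on the same fact: an in-app browser can run its own JavaScript inside a third-party page. As an added illustration from the website operator's side (not code from Krause's report or from InAppBrowser.com), the probe below looks for two tell-tale signs of injected script: globals the page never defined, and event or network APIs whose source is no longer native code. The baseline list and the watched-API list are assumptions a site would tune against a clean Safari profile.

```javascript
// Added example: a site-side probe for signs of JavaScript injected into an in-app
// browser. Not code from Krause's report or InAppBrowser.com; the baseline list and the
// API list below are assumptions a site operator would tune against a clean browser.

// Constructed, illustrative baseline of names a clean page expects to see on window. A
// real deployment records this from a known-good browser rather than hand-writing it.
const BASELINE_GLOBALS = new Set([
  "EventTarget", "Document", "XMLHttpRequest", "fetch", "setTimeout", "document", "navigator",
]);

// Event and network APIs an injected script would most plausibly wrap to observe input.
const WATCHED_APIS = [
  "EventTarget.prototype.addEventListener",
  "EventTarget.prototype.removeEventListener",
  "XMLHttpRequest.prototype.send",
  "fetch",
];

// Native browser functions stringify to "function name() { [native code] }"; a JavaScript
// wrapper installed around them by an injected script does not.
function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  return /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Walk a dotted path such as "EventTarget.prototype.addEventListener" from the root.
function resolvePath(root, path) {
  return path.split(".").reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
}

// Audit a window-like object: report globals outside the baseline, watched APIs that are
// no longer native, and an overall verdict. Heuristic only: an injector that registers
// its listeners before page scripts run and leaves no globals behind is not observable
// from page JavaScript, so a clean result is not proof of a clean environment.
function auditEnvironment(win, baseline = BASELINE_GLOBALS, apis = WATCHED_APIS) {
  const unexpectedGlobals = Object.getOwnPropertyNames(win).filter((n) => !baseline.has(n));
  const patchedApis = apis.filter((path) => {
    const fn = resolvePath(win, path);
    return fn !== undefined && !isNativeFunction(fn);
  });
  return {
    unexpectedGlobals,
    patchedApis,
    suspicious: unexpectedGlobals.length > 0 || patchedApis.length > 0,
  };
}

// In a browser, run the probe against the real window (record a real baseline first,
// or the illustrative one above will flag almost every built-in global).
if (typeof window !== "undefined") {
  console.log(auditEnvironment(window));
}
```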
The Risks
Krause said the risk occurs when users open links while using an iOS app, such as TikTok, and view the rendered webpage inside that app instead of opening the link with a third-party browser, such as Safari or Chrome. This happens “without the consent from the user, nor the website provider,” he said.
For example, a person who uses the Safari app on their iPhone may have their login or credit card information saved for convenience. But if they visit a page with TikTok’s in-app browser, any login or payment information will need to be entered fresh. Those keystrokes are being monitored, according to the report.
“This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap,” Krause wrote.
Experts have long warned that TikTok can’t be trusted due to the company’s ties to the Chinese Communist Party (CCP). This has brought the company under scrutiny.
Casey Fleming, CEO of intelligence and security strategy firm BlackOps Partners, has said that the CCP is engaged in “unrestricted warfare” as it seeks to supplant the United States to become the world’s sole superpower.
“All technology coming out of China—either manufactured in China, created in China—is controlled by the CCP,” he said.
“TikTok is a weaponized espionage platform controlled by the CCP in the hands of most of your kids and young adults. It is what war looks like today—hybrid warfare. It should be banned by the U.S. government immediately.”
The vast amount of data TikTok collects about its users, mostly young Americans, makes the app a risk, according to another expert, who said the app could be used to spy on Americans.