
Security Researcher Finds That TikTok Browser Is Tracking Keystrokes

A security researcher has raised alarms about the TikTok browser embedded in the popular app, presenting evidence that it is capable of tracking keystrokes. The company responded to the report by confirming that the ability exists within the app’s code, but that it is not active and that it is only used internally for debugging and testing purposes.

Security researcher Felix Krause, a former Google engineer, notes that even having this ability present in an app is highly unusual and something that is usually only done by malware and spyware. Though TikTok does not appear to be actively tracking keystrokes at present, it is possible for it to do so when the user clicks on an external link within the app.

TikTok browser contains code that could log user keystrokes when visiting web pages

A number of messaging and retail apps have incorporated integrated web browsers to keep users within the app when following external links included in product promotions or posted by other users. The app browser will generally activate when the user clicks on a link within the app.

Krause presented the research as part of his promotion for InAppBrowser.com, a new service that identifies what JavaScript commands these in-app browsers inject when web pages are loaded. Other major in-app browsers also modify the web page and inject some form of JavaScript, with Instagram, Facebook, Facebook Messenger and Amazon being the biggest examples. Most of these injections serve non-malicious purposes, such as integrating app features and functionality with the external web page. The TikTok browser was the only one studied that was found to have the capability of tracking keystrokes, something that could be used to capture user login credentials, credit card numbers and private messages.

Some other apps, such as Instagram, monitor everything the user taps on or selects for advertising and analytics purposes. The TikTok browser goes a step further by monitoring every keyboard input along with all taps and highlights/selections. It is common for app developers to implement keystroke-tracking tools while testing an app during development, which is what TikTok says this code is for, but such functionality is nearly always removed from the final public product. Krause said that he could not find evidence that the TikTok browser was actively logging information, but that it was also not possible to rule out the possibility.

This is the second incident for TikTok involving questionable and invasive logging in recent years. In 2020, the app was found to be constantly scanning iOS clipboards for text or items that were cut/copied and pasted. In March of 2020 TikTok declared that it would remove this from the app, but follow-up studies later in the year found that it was still going on.

Possibility of ByteDance tracking keystrokes adds to mounting security concerns about TikTok

The TikTok browser is just the latest security and privacy issue that has emerged, as the company is already under long-running scrutiny dating back to its inception as Musical.ly. Over time, the issues with TikTok have evolved from how it handles the personal data of minors on the platform to how much access its staff in China (and by extension the national government) may have to users in the US and other countries. A recent internal leak from the company exposed engineers, staff and contractors discussing access to US user information by engineers based in China, a possibility that was supposed to have been eliminated when TikTok was threatened with deplatforming by the Trump administration.

While it is impossible to say with certainty if TikTok is tracking keystrokes for the purpose of logging information, the company has said that it analyzes the pace and cadence of typing as a means of detecting bot activity and other security risks (the company says that automated scripts sometimes have telltale signs of this nature, like always appearing to press keys at uniform time intervals). The TikTok browser report is already drawing some regulatory scrutiny, however, with Ireland’s Data Protection Commission saying that the findings have prompted a meeting with both TikTok and Meta about the issue.


Defending against these pieces of hidden code (and the possibility of apps tracking keystrokes through them) can be as simple as only opening web links in a trusted browser, such as Safari, but most of the embedded app browsers make this at least somewhat difficult. For example, both TikTok and Meta’s family of apps require you to first open their in-app browser to change the settings and have an external browser open links instead. It can also require some combing through menus to find these settings. Krause’s InAppBrowser can also check these in-app browsers for the possible insertion of JavaScript, but he notes that this code can also be hidden.
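Site owners can do a page-side version of the check described above: record which scripts register keyboard or input listeners on the page, so that a listener no first-party script installed stands out. The following is an added example, not code from the article or from InAppBrowser.com; it wraps `EventTarget.prototype.addEventListener`, records only listener registrations (never keystrokes), and runs on any EventTarget, including a browser `document` or Node's built-in `EventTarget`.

```javascript
// Event types whose listeners can capture what a user types.
const WATCHED_EVENTS = new Set(["keydown", "keypress", "keyup", "input", "beforeinput"]);

// Patch addEventListener on the given prototype so that every registration of a
// watched event is recorded together with the caller's stack trace, which in a
// browser names the script URL that installed the listener.
function installListenerAudit(proto = EventTarget.prototype) {
  const records = [];
  const original = proto.addEventListener;
  proto.addEventListener = function (type, listener, options) {
    if (WATCHED_EVENTS.has(type)) {
      // Drop the first two stack lines (the Error line and this wrapper).
      const stack = (new Error().stack || "").split("\n").slice(2).join("\n");
      records.push({ type, time: Date.now(), stack });
    }
    return original.call(this, type, listener, options); // keep the page working
  };
  return {
    records,
    // Count registrations per watched event type, e.g. { keydown: 1, input: 1 }.
    summary() {
      const counts = {};
      for (const r of records) counts[r.type] = (counts[r.type] || 0) + 1;
      return counts;
    },
    uninstall() { proto.addEventListener = original; },
  };
}

// Constructed demonstration: a bare EventTarget stands in for the page document.
// Returns the summary plus whether a registered listener still fires after patching.
function demo() {
  const audit = installListenerAudit();
  const target = new EventTarget();
  let fired = false;
  target.addEventListener("click", () => {});        // not keystroke-related, ignored
  target.addEventListener("keydown", () => { fired = true; });
  target.addEventListener("input", () => {});
  target.dispatchEvent(new Event("keydown"));
  const summary = audit.summary();
  audit.uninstall();
  target.addEventListener("keyup", () => {});        // after uninstall: not recorded
  return { summary, fired, recorded: audit.records.length };
}
```

In a real page, install the audit before any third-party or in-app-browser script runs, then inspect `records[i].stack` for script origins that are not yours.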

Senior Correspondent at CPO Magazine