TikTok monitors everything users type when using in-app browser

Posted:
in General Discussion edited August 19
TikTok's in-app browser injects JavaScript into external websites, allowing the app to monitor all input, including passwords and credit card numbers.




In 2020, it was discovered that TikTok had been accessing users' clipboards. Now, TikTok has been found snooping on its users once again.

According to security researcher Felix Krause, whenever users open a link in TikTok, the app is then allowed to monitor everything a user does on that external website. This includes anything typed, as well as taps on buttons and links.

"This was an active choice the company made," Krause told Forbes. "This is a non-trivial engineering task. This does not happen by mistake or randomly."

A TikTok spokesperson told Forbes that the code isn't malicious but instead is used for "debugging, troubleshooting, and performance monitoring."

Additionally, TikTok claimed that the JavaScript is part of a third-party software development kit but did not disclose who made it.

Krause could not say whether or not TikTok has been collecting data from users, merely that it can.

To avoid being monitored, Krause suggests opening links shared in TikTok -- and nearly every other service with an in-app browser -- with Safari.

Update

TikTok reached out to AppleInsider to provide the following statement.

"The report's conclusions about TikTok are incorrect and misleading. The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects. Contrary to the report's claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring."

Read on AppleInsider
«1

Comments

  • Reply 1 of 27
    I am SO surprised....NOT.
    williamlondondewmepulseimagesjony0watto_cobra
  • Reply 2 of 27
    Remember this when you hear developers complain about not having their own App Store and full control. Things will get worse. 
    baconstangJaiOh81fred1Andy.Hardwakewilliamlondontdknoxdewmepulseimagesjony0FileMakerFeller
  • Reply 3 of 27
    Yeah, let's open up the phone so any app can do anything they want. If they can still pull this BS with the current safeguards in place, surely things would be better with no safeguards. /s

    And IMO, TikTok is an absolute scourge on humanity. I refuse to use it. There are so many negatives with that app. People are addicted, it creates an echo chamber, wastes time, shortens attention spans shorter than they already are, instant satisfaction machine, and propagates DANGEROUS fads. I know I sound like a boomer, but I'm a millennial and I see nothing but severe badness and societal detriment in TikTok. Not even to mention the absurd amount of data harvesting it is obviously doing, as demonstrated here.
    edited August 18 baconstangchadbagmuthuk_vanalingamwilliamlondondewmejony0watto_cobra
  • Reply 4 of 27
    chadbagchadbag Posts: 1,743member
    Anyone stupid enough to use Tik Tok gets what they deserve.  
    iOS_Guy80dewmeseanjjony0watto_cobra
  • Reply 5 of 27
    MadbumMadbum Posts: 162member
    Those of you who use 49 percent communist China owned Epic games, same situation!!
    williamlondon9secondkox2jony0watto_cobra
  • Reply 6 of 27
    Remember this when you hear developers complain about not having their own App Store and full control. Things will get worse. 
    Remember that Apple is the sole source of apps and we have TikTok iOS apps stealing passwords and credit card numbers.  Good job, Apple.
    RudeBoyRudybobolicious
  • Reply 7 of 27
    davidwdavidw Posts: 1,651member
    ITGUYINSD said:
    Remember this when you hear developers complain about not having their own App Store and full control. Things will get worse. 
    Remember that Apple is the sole source of apps and we have TikTok iOS apps stealing passwords and credit card numbers.  Good job, Apple.

    I would think the point made by the OP is that if a developer (like TikTok) can get such an app into the Apple App Store, image how much easier it would be for developers to get such an app into a third party app store. Things will get worse ...... you can't  really argue that point.  Unless you go off using some form of logical fallacy.
    edited August 19 fred1danoxwilliamlondondewme9secondkox2space808jony0bloggerblogwatto_cobra
  • Reply 8 of 27
    boboliciousbobolicious Posts: 1,007member
    ITGUYINSD said:
    Remember this when you hear developers complain about not having their own App Store and full control. Things will get worse. 
    Remember that Apple is the sole source of apps and we have TikTok iOS apps stealing passwords and credit card numbers.  Good job, Apple.
    Call me surprised... Is Apple zeitgeist risking becoming a bicycle for the shareholder vs the mind...?
    https://247wallst.com/technology-3/2021/08/06/whats-up-with-apple-pushback-on-apple-privacy-security-claims/

    edited August 19 williamlondon
  • Reply 9 of 27
    bloggerblogbloggerblog Posts: 2,262member
    I imagine every app monitors everything you do in their app and their internal app browser, LinkedIn and YouTube included. You think when you open a web link in LinkedIn to their internal browser that Microsoft doesn’t collect every keystroke? They do
    danoxwaveparticledewmejony0watto_cobra
  • Reply 10 of 27
    22july201322july2013 Posts: 3,063member
    Madbum said:
    Those of you who use 49 percent communist China owned Epic games, same situation!!
    Perhaps that should include all the games made with Epic's Unreal Engine:

    https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games <--
    watto_cobra
  • Reply 11 of 27
    avon b7avon b7 Posts: 6,343member
    davidw said:
    ITGUYINSD said:
    Remember this when you hear developers complain about not having their own App Store and full control. Things will get worse. 
    Remember that Apple is the sole source of apps and we have TikTok iOS apps stealing passwords and credit card numbers.  Good job, Apple.

    I would think the point made by the OP is that if a developer (like TikTok) can get such an app into the Apple App Store, image how much easier it would be for developers to get such an app into a third party app store. Things will get worse ...... you can't  really argue that point.  Unless you go off using some form of logical fallacy.
    Third party app stores can be just as good, better or worse than the App Store.

    How good they are or aren't isn't relevant. It's about competition and choice. 
  • Reply 12 of 27
    sphericspheric Posts: 2,251member
    For context, Meta (Facebook, Instagram) injects JavaScript to track users (regardless of "Do Not Track" settings) into all pages loaded in the in-app browsers. 

    It would not surprise me if they're monitoring keystrokes. They certainly monitor every single keypress within their apps otherwise. 

    https://www.theguardian.com/technology/2022/aug/11/meta-injecting-code-into-websites-visited-by-its-users-to-track-them-research-says
    edited August 19 space808jony0watto_cobra
  • Reply 13 of 27
    jcs2305jcs2305 Posts: 1,305member
    Yeah, let's open up the phone so any app can do anything they want. If they can still pull this BS with the current safeguards in place, surely things would be better with no safeguards. /s

    And IMO, TikTok is an absolute scourge on humanity. I refuse to use it. There are so many negatives with that app. People are addicted, it creates an echo chamber, wastes time, shortens attention spans shorter than they already are, instant satisfaction machine, and propagates DANGEROUS fads. I know I sound like a boomer, but I'm a millennial and I see nothing but severe badness and societal detriment in TikTok. Not even to mention the absurd amount of data harvesting it is obviously doing, as demonstrated here.
    Like a true Milennial it's the apps fault kids do stupid shit ( fads ) and get hurt, or feed into stupid propoganda? This report is off of the heals of Facebook and Instagram being looked for the ability to do the same keystroke logging.


    Personally I enjoy Tiktok.. The silly fun stuff .. the other nonsense political BS I stay away from. I am older than you but not a boomer ( GenX ) and the throwback music and stuff from back in the day is a good time. Abuddy of mine live streamed DJ sets from his house on Tiktok and FB during the lockdown. I hate social media overall but damn that was awesome to be able to hear a real DJ live while the world was locked down B)   I do not use any other social media and do not post videos or use my real name or Photo ( I have a headhshot of Chappelle as Silk Johnson for my prof pic ).

    What I am getting from this is do not buy anything from within the app or view any product sites from within the app either.  There are a lot of videos that are actually paid endorsements for the users that allow you to purchase things from within the app. You have an option to stay within the app or open in safari away from the app. I personally wouldn't buy any of that junk, especially through an app that isn't actually the product manufacturer's website.

    "the only option to avoid this privacy risk is to cut out of its app altogether and use a mobile browser to directly load the link (and if you can’t copy-paste it you’ll have to be able to remember the URL to do that)."

    Tiktok is a free app it doesn't shock me in the least that they are tracking to try and gleen info to push more videos and products within their free app.


    TikTok argues that the “keypress” and “keydown” inputs identified by Krause are common inputs — claiming it is incorrect to make the assumptions about their use based only on the code being highlighted by the research.

    To back this up the spokesperson pointed to some non-TikTok same code from Github which they suggested would trigger exactly the same response being cited by the research as evidence of improper data collection but is rather being used to a trigger a command known as ‘StopListening’ that they said would specifically prevent an application capturing what is typed.

    I guess Github should be added the the list as well for running this same type of code?






  • Reply 14 of 27
    y2any2an Posts: 132member
    In-AP browsers are evil and Apple should reject them. 
    williamlondonseanjwatto_cobra
  • Reply 15 of 27
    There are serious problems with Apple's own Messages app. I am getting numerous messages from unknown source enticing I to click the links in the message. Obviously these messages are from criminals. I also receive many phones calls from Apple's own Phone app. They are obviously trying to commit fraud. Yet our FBI and FCC are doing nothing to stop or arrest these criminals. Domestic terroisim is more serious in US. Yet the government and congress is obsessed with the hatred toward China. 
    williamlondon
  • Reply 16 of 27
    coolfactorcoolfactor Posts: 1,916member
    Remember this when you hear developers complain about not having their own App Store and full control. Things will get worse. 

    While I agree with you, couldn't the same argument be made that this "vulnerability" exists even with the App Store protections in place? With this news, will Apple remove TikTok from the store until it's resolved?

    As for the spokesperson's response... "debugging, troubleshooting, and performance monitoring", the first two don't belong in the public release of an app, so they are lying. This is spying, plain and simple.
    watto_cobra
  • Reply 17 of 27
    coolfactorcoolfactor Posts: 1,916member
    There are serious problems with Apple's own Messages app. I am getting numerous messages from unknown source enticing I to click the links in the message. Obviously these messages are from criminals. I also receive many phones calls from Apple's own Phone app. They are obviously trying to commit fraud. Yet our FBI and FCC are doing nothing to stop or arrest these criminals. Domestic terroisim is more serious in US. Yet the government and congress is obsessed with the hatred toward China. 

    What are you talking about? Neither the Messages app nor the Phone app are at fault for spammy incoming messages or phone calls. You're not getting called "from Apple's own Phone app". It's receiving the call.

    it's up to you to verify, delete and block such requests that make it through the filtering.
    gatorguyjony0watto_cobra
  • Reply 18 of 27
    Tik tok is a Trojan. Plain and simple. 
    edited August 19 watto_cobra
  • Reply 19 of 27
    seanjseanj Posts: 298member
    People who use TikTok or Twatter should delete them and get a life instead.
    watto_cobra
  • Reply 20 of 27
    Madbum said:
    Those of you who use 49 percent communist China owned Epic games, same situation!!
    Perhaps that should include all the games made with Epic's Unreal Engine:

    https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games <--
    I’m not a gamer, but this list raises the question whether there is any relevant other engine?
    watto_cobra
Sign In or Register to comment.