Researcher Claims TikTok Could Be Secretly Tracking Your Keystrokes

tiktok tracking keyboard research news
We wrote last week about research showing that Meta takes advantage of the in-app browser feature on mobile devices to inject JavaScript into web pages viewed in the Facebook, Instagram, and Messenger mobile apps. Now that same researcher has found that the TikTok in-app browser injects JavaScript which functions similar to a keylogger to record all keyboard inputs and taps on page elements.

Many mobile apps let users click on links and visit the linked webpages within the app, rather than opening the device’s default browser app. Apple offers a restricted Safari viewport that developers can include in their iOS apps for this purpose. However, developers can also create their own in-app browsers, and it turns out that some developers build their own in-app browsers to inject JavaScript into webpages.

Felix Krause first discovered this behavior in Meta mobile apps, but he didn’t stop his searching there. After developing a rudimentary tool to detect JavaScript injection for his research on Meta apps, the researcher decided to develop this tool into one that can be used by the public. He then went to work testing more in-app browsers with this tool. What this further research shows is that TikTok’s in-app browser injects even more invasive code than the in-app browsers in Meta apps.

inappbrowser tiktok results
The InAppBrowser.com tool showing the JavaScript injection in TikTok’s in-app browser (click to enlarge) (source: Felix Krause)

Krause’s JavaScript injection tool revealed that TikTok’s in-app browser injects code that listens for every key input entered into webpages viewed within the app. This means that TikTok could potentially record all text, including passwords, credit card details, and any other sensitive information entered into websites accessed by way of its in-app browser. The TikTok mobile app also injects code that can detect every tap on webpage elements, such as buttons, links, and images, and read the name of each element as users interact with it. In addition to injecting this JavaScript, unlike many other in-app browsers, TikTok’s in-app browser doesn’t include an option allowing users to open webpages in their devices’ default browsers. Thus, if users want to avoid TikTok’s in-app browser, they have to manually copy links shown in the app and paste them into the browser app of their choice.

In a statement reported by Forbes, Maureen Shanahan, a spokesperson for TikTok, acknowledged that its in-app browser injects code, but said that it has a legitimate use. “Like other platforms, we use an in-app browser to provide an optimal user experience, but the Javascript code in question is used only for debugging, troubleshooting and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes.”

in app browser info table
Table showing various in-app browsers’ behavior (source: Felix Krause)

We can’t help but be skeptical of this statement when TikTok has a history of going to great lengths to access and collect user information. The TikTok app has previously monitored iOS users’ keyboards, even after the company promised to remove this behavior, exploited a security vulnerability to uniquely identify Android devices, and stated that it may collect faceprints and voiceprints. This excessive collection of user data is particularly concerning given that leaked audio recordings recently revealed that US TikTok employees don’t have a good handle on where user data goes. Some US TikTok data scientists still receive direct orders from ByteDance’s main office in Beijing, China, prompting an FCC Commissioner to publish a letter asking Apple and Google to ban TikTok from their app stores.