TikTok’s In-App Browser Contains Code That Follows Your Every Move

tiktok app

TikTok can track its users’ every tap, keyboard input, and keystroke through its iOS in-app browser.

Ex-Google Engineer and privacy researcher, Felix Krause published a report on Thursday which revealed that when TikTok users enter a website through a link on the iOS app, TikTok inserts code that can monitor much of their activity on these outside websites.

The tracking would make it possible for TikTok to capture a user’s credit card information or password.

Krause’s security tool, InAppBrowser.com, showed that TikTok has the ability to track this activity because it injects lines of the programming language JavaScript into the websites visited through its in-app browser, creating new commands that alert TikTok to what people are doing on those websites.

TikTok can track this activity by injecting lines of the programming language JavaScript into the websites visited within the app, creating new commands that alert TikTok to what people are doing in those websites.

“This was an active choice the company made,” says Krause. “This is a non-trivial engineering task. This does not happen by mistake or randomly.”

For his research, Krause tested seven iPhone apps that use in-app browsers: TikTok, Facebook, Facebook Messenger, Instagram, Snapchat, Amazon, and Robinhood. He did not test the Android versions of these apps.

Of the seven apps Krause tested, TikTok is the only one that appears to monitor keystrokes and seemed to be monitoring more activity than the rest.

While Krause’s research reveals the code companies including TikTok and Facebook parent Meta are injecting into websites from their in-app browsers, the research does not show that these companies are actually using that code to collect data, and send it to their servers or share it with third parties.

Krause notes, though, that “just because an app injects JavaScript into external websites, doesn’t mean the app is doing anything malicious”.

“There is no way for us to know the full details on what kind of data each in-app browser collects, or how or if the data is being transferred or used,” Krause adds.

In a statement shared with Forbes, TikTok spokesperson Maureen Shanahan acknowledged the JavaScript code in question. However, Shanahan strongly rebuffed the idea that TikTok tracked users in its in-app browser.

“Like other platforms, we use an in-app browser to provide an optimal user experience, but the Javascript code in question is used only for debugging, troubleshooting, and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes,” Shanahan tells Forbes.

This ability to track users’ activity across websites is not limited to TikTok. Last week, Krause revealed that Meta, the parent company of Instagram and Facebook, has been injecting code into websites its users visit so that the company can track them across the internet after they click links in its apps.

Image credits: Header photo licensed via Depositphotos.