Can TikTok monitor your keystrokes?

September 3, 2022
Some researchers have discovered that TikTok's in-app browser, which is part of the app itself, includes code that keeps an eye on all your activity on outside websites. TikTok could be using it to capture a user's confidential information, such as credit card information or passwords.
In other words, when you tap on TikTok ads or visit links on a creator's profile, the app opens the page in its internal browser and rewrites parts of the page by injecting JavaScript, adding commands that alert TikTok to what people are doing on those websites.
According to Felix Krause, founder of Fastlane (a service for testing and deploying apps, which Google acquired five years ago) and the discovery’s author, this feature is either a non-trivial engineering task or a mistake made randomly.
Although TikTok tried to defend itself against these strong statements, the company had to confirm that those features exist in the code, claiming in turn that TikTok had never used the data. Its spokeswoman, Maureen Shanahan, stated that the JavaScript code in question is part of a third-party software development kit, or SDK, a set of tools only used for debugging, troubleshooting, and performance monitoring purposes.
While Krause’s research reveals code from companies (including TikTok and Facebook’s parent company Meta), there is no concrete evidence that companies are actually using it for the purpose of collecting data and sharing it with third parties. Therefore, Krause launched a tool that would allow users to check for themselves whether the browser they are using injects any extra code that monitors their actions.
So, if you want to run this check, open the application you want to analyze and send the InAppBrowser.com link to a friend in a direct message (or ask a friend to send it to you via DM). Then click on the link and the tool will give you a summary of what the application is potentially tracking. Note that the output may be difficult to read, as it uses various developer terms.
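The following added example (not from the article and not the InAppBrowser.com code) shows one way a web page can notice that another script has registered listeners for keystrokes, taps or text selection. It assumes the page loads the audit before other scripts; the names installListenerAudit, asPage and the handlers in demo() are hypothetical, and the registrations in demo() are constructed sample input.

```javascript
// Added example. Runs in Node 15+ or any browser.
const SENSITIVE = new Set(["keydown", "keypress", "keyup", "input", "click", "selectionchange"]);

// Wrap addEventListener so that registrations for sensitive events made
// outside the page's own asPage() calls are recorded for review.
function installListenerAudit(proto = EventTarget.prototype) {
  const findings = [];
  const original = proto.addEventListener;
  let pageRegistering = false;

  proto.addEventListener = function (type, listener, options) {
    if (SENSITIVE.has(type) && !pageRegistering) {
      findings.push({
        type,
        target: this && this.constructor ? this.constructor.name : "unknown",
        // A short excerpt of the handler helps a reviewer recognise it.
        source: typeof listener === "function" ? String(listener).slice(0, 80) : typeof listener,
      });
    }
    return original.call(this, type, listener, options);
  };

  return {
    findings,
    // The page wraps its own registrations so they are not reported.
    asPage(fn) {
      pageRegistering = true;
      try { return fn(); } finally { pageRegistering = false; }
    },
    uninstall() { proto.addEventListener = original; },
  };
}

// Count findings per event type.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.type] = (counts[f.type] || 0) + 1;
  return counts;
}

// Constructed scenario: one page handler, then handlers added by other code.
function demo() {
  const audit = installListenerAudit();
  const doc = new EventTarget(); // stand-in for `document`
  audit.asPage(() => doc.addEventListener("keydown", function pageShortcut() {}));
  doc.addEventListener("keydown", function reportKey() {});
  doc.addEventListener("selectionchange", function reportSelection() {});
  doc.addEventListener("scroll", function lazyLoad() {}); // not a sensitive event
  audit.uninstall();
  return { findings: audit.findings, counts: summarize(audit.findings) };
}
```

Listeners registered before the audit is installed, or from a context the page's own scripts cannot see, are not recorded, so an empty result does not prove that nothing is listening.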
In Apple's case, Krause's results weren't different. In fact, among seven apps (including TikTok, Facebook Messenger, Instagram, Snapchat, Amazon and Robinhood), the only one that registered suspicious activity of this type was TikTok, which actually seemed to be monitoring more activity than the rest. But that wasn't all, because the analysis showed that Instagram and Facebook also monitor when people highlight text on websites.
Of course, Meta spokeswoman Alisha Swinteck also weighed in, claiming that such browsers were common throughout the entire business and arguing that these internal search engines protect users from being redirected to malicious sites. “We have carefully designed these experiences to respect users’ privacy choices, including how data can be used for ads,” Swinteck said.
Currently, Chinese parent company ByteDance is facing intense scrutiny over the limits of its surveillance measures and its possible ties to the Asian country’s government. In addition, in June, BuzzFeed News reported that access to U.S. user data from China was rampant and repetitive, so the company has made its best effort to return most of it back to North America, specifically to be stored by Oracle.
On the other hand, Krause's tool suggested that TikTok's code could have so much control over user data as to track someone's address, age, and political party. The company immediately dismissed this theory, emphasizing that although its application has these functions, it never uses them.
Nowadays, it is no secret that large companies such as Facebook and Google collect user data in order to design personalized advertising. However, neither Meta nor TikTok has specific sections in its privacy policy explaining these types of user monitoring practices.
Thus, for Jennifer King, privacy and data policy fellow at Stanford University’s Human-Centered Artificial Intelligence Institute, it seems like a clever but malicious move, as she considers that reading data before it is sent is going too far.
In other matters, Apple did not comment when asked if it would strengthen measures against the use of internal browsers. For his part, Krause said he would like to see the industry move away from in-app browsers and instead use browsers like Safari or Chrome, which people often set as their default browsers on their phones.
Finally, Meta and TikTok have stated that users will always have the ability to open links in Safari or their default browser, but they have left out the detail that this only happens after the apps take the user through their own browsers. Sadly, just as there are users who understand the seriousness of the situation, many others are hardly aware of it, even more so if the applications are determined to hide the relevant functions.