
How does TikTok’s browser track users’ keystrokes?

Another reason to ditch TikTok: It can record what you type

The video-sharing tool TikTok is one of the most popular apps, with just over a billion monthly users. The service has exploded among younger users over the last few months as the source for plenty of viral clips and life hacks.

Amid concerns over data privacy, the latest research has revealed that the web browser used within China’s TikTok app can track every keystroke made by its users.

The research was done by Felix Krause, a privacy researcher and former Google engineer, “The New York Times” (NYT) reported.

iol.co.za : According to the researchers, collecting information on what people type on their phones while visiting outside websites, which can reveal credit card numbers and passwords, is often a feature of malware and other hacking tools.

While major technology companies might use such trackers as they test new software, it is not common for them to release a major commercial app with the feature, whether or not it is enabled, researchers said as quoted by The NYT.

“Based on Krause’s findings, the way TikTok’s custom in-app browser monitors keystrokes is problematic, as the user might enter their sensitive data such as login credentials on external websites,” said Jane Manchun Wong, an independent software engineer and security researcher who studies apps for new features.

But TikTok’s reputation is far from squeaky clean. The Chinese company behind the app sensation has (on multiple occasions) faced the wrath of U.S. lawmakers, who have accused it of capturing sensitive user data.

Now, the app is using code to track users. Read on to see how it’s happening and a clever way to avoid being tracked.

komando.com : Many apps have built-in browsers, so it’s easier to navigate to other sites when you click a link. For example, when you tap on a product or service on Instagram or Facebook, it doesn’t open the link in your phone’s default browser. Instead, it uses the built-in browser of the respective apps.

TikTok has a similar feature, where links open in TikTok’s in-app browser. Having this ability is not out of the ordinary, as it lets you browse and get to the content quickly. But what raised some eyebrows with TikTok’s browser is that it tracks what you type.

How to Check If TikTok Browsers Are Tracking You

This Tool Checks If In-App Browsers Are Tracking You

In-app browsers are bunk compared to full-featured browsing apps, but they’re also a major privacy and security risk. Many apps sneak data trackers onto websites you visit through their in-app browser using a method called Javascript injection, which adds extra code to a page as it loads. These trackers can scoop up browsing history, login data, and even keyboard presses and text entry.

lifehacker.com.au : While not always used for nefarious means, Javascript injection is a potential security threat that, until now, was difficult to check for inside in-app browsers. Luckily, security researcher Felix Krause’s new ap(p)tly named tool, InAppBrowser, checks if an app’s built-in browser uses potentially dangerous Javascript injections to track your data.

While InAppBrowser only works in apps that have a built-in web browser tool, such as TikTok, Instagram, or Messenger, you can also use it on the desktop to check for Javascript injections from browser extensions.

If you’re suspicious of an app or browser extension, give InAppBrowser a try to see if it’s doing anything fishy. Here’s how:

  1. On mobile [iOS/Android]: Open the app you want to test and load inappbrowser.com in the app’s built-in web browser. An easy way to do that is to send the link to yourself in a message, comment, or post. Alternatively, open a link to a website in the app (any web link works), then go to https://inappbrowser.com.
  2. On desktop: To test websites and browser extensions on desktop, open your preferred browser and go to inappbrowser.com.
  3. Once the site loads, you’ll see a message detailing any potentially sketchy Javascript behaviour InAppBrowser intercepts (if any), plus explanations of what the code may be used for.

These readouts can help you spot possible malicious behaviour, but there are a few caveats to mention.

Most importantly, InAppBrowser only alerts you to the existence of Javascript injection and can’t tell if an app or browser extension is actually malicious. It even flags apps and browser extensions that use Javascript injection but don’t track you at all. That means private browsing extensions that block a website’s trackers, apps collecting browsing data for advertising or troubleshooting reasons (like TikTok), and malicious apps that outright spy on you will all trip the same warnings.

Even Krause warns against jumping to conclusions if an app uses Javascript injection.
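One way a test page can notice this kind of injection, shown as an added example (it is not InAppBrowser's code or code from the quoted articles): wrap `addEventListener` before any other script runs and record registrations for typing-related events. The event list, the function names and the simulated registrations are assumptions made for illustration.

```javascript
// Added example: a listener audit that a test page installs before any other script.
// Assumption: the test page registers no input listeners of its own, so every
// hit recorded here was added by injected code (host app or browser extension).
const INPUT_EVENTS = new Set(["keydown", "keypress", "keyup", "input", "change", "click"]);

function installListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const findings = [];
  proto.addEventListener = function (type, listener, options) {
    if (INPUT_EVENTS.has(type)) {
      const capture = options === true || Boolean(options && options.capture);
      findings.push({ type, capture, target: this.constructor.name });
    }
    return original.call(this, type, listener, options); // keep normal behaviour
  };
  return { findings, uninstall() { proto.addEventListener = original; } };
}

// Group findings per event type. A hit shows that code was injected and is
// listening; it does not show what the listener does with the data.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.type] = (counts[f.type] || 0) + 1;
  return counts;
}

// Constructed simulation: a plain EventTarget stands in for `document`, and the
// registrations below stand in for a script injected by a host app.
function demo() {
  const audit = installListenerAudit();
  const fakeDocument = new EventTarget();
  let delivered = 0;
  fakeDocument.addEventListener("keypress", () => { delivered++; });
  fakeDocument.addEventListener("keydown", () => { delivered++; }, { capture: true });
  fakeDocument.addEventListener("load", () => {});      // not input-related: ignored
  fakeDocument.dispatchEvent(new Event("keypress"));    // listeners still fire
  audit.uninstall();
  fakeDocument.addEventListener("keyup", () => {});     // after uninstall: not recorded
  return { counts: summarize(audit.findings), findings: audit.findings, delivered };
}

console.log(demo());
```

As with the caveat above, a tracker-blocking extension and a keystroke logger produce the same findings here; the audit reports that a listener was registered, not its intent.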