
    TikTok’s In-App Browser Reportedly Capable of Monitoring Anything You Type

    TikTok’s custom in-app browser on iOS reportedly injects JavaScript code into external websites that allows TikTok to monitor “all keyboard inputs and presses” as a user interacts with a given website, according to security researcher Felix Krause. TikTok has reportedly denied that the code is used for malicious purposes.

    Krause said that TikTok’s in-app browser “subscribes” to all keyboard inputs as a user interacts with an external website, which would include sensitive details such as passwords and credit card numbers, along with every tap on the screen.

    “From a technical perspective, this is equivalent to installing a keylogger on third-party websites,” Krause wrote, regarding the JavaScript code that TikTok injects. However, the researcher added that “just because an app injects JavaScript into external websites does not mean the app is doing anything malicious.”

    In a statement shared with Forbes, a TikTok spokesperson acknowledged the JavaScript code in question, but said it is only used for troubleshooting, debugging and performance monitoring to ensure an “optimal user experience.”

    “Like other platforms, we use an in-app browser to provide an optimal user experience, but the Javascript code in question is only used for troubleshooting, debugging and performance monitoring of that experience – like checking how fast a page loads or if it crashes,” according to the statement given to Forbes.

    Krause said users who want to protect themselves against any potential malicious use of JavaScript code in in-app browsers should, where possible, open a given link in the device’s default browser instead, such as Safari on iPhone and iPad.

    “When you open a link from an app, see if the app offers a way to open the currently displayed website in your default browser,” Krause wrote. “During this analysis, every app besides TikTok offered a way to do this.”

    Facebook and Instagram are two other apps that insert JavaScript code into external websites loaded in their in-app browsers, allowing the apps to track user activity, according to Krause. In a tweet, a spokesperson for Facebook and Instagram’s parent company Meta said the company “intentionally developed this code to respect people’s choices about App Tracking Transparency (ATT) on our platforms.”

    Krause said he created a simple tool that allows anyone to check whether an app’s in-app browser is injecting JavaScript code when rendering a website. The researcher said users simply need to open the app they want to analyze, share the InAppBrowser.com address somewhere inside the app (such as in a direct message to another person), tap the link inside the app so that it opens in the in-app browser, and read the details in the displayed report.
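The following is an added illustration, not code from TikTok and not Krause’s InAppBrowser.com tool. It shows two things the article describes: what a script that “subscribes” to every key event and tap inside a WKWebView looks like, and how a web page can notice listeners, script tags and globals that appeared after it loaded. The DOM is a constructed stand-in so the file runs under Node; the message-handler name `hypotheticalSink`, the global `__appBridge` and the event payloads are invented for the example. The only real API referenced is `window.webkit.messageHandlers.<name>.postMessage`, the page-to-app channel a WKWebView exposes through `WKScriptMessageHandler`.

```javascript
// Added illustration, not code from TikTok or from Krause's InAppBrowser.com tool.
// (1) A stand-in for an injected "keyboard subscriber" in a WKWebView.
// (2) A page-side monitor that reports listeners, script tags and globals that
//     appeared after the page loaded. The DOM is a constructed stand-in so this
//     runs under Node; handler and global names are invented.

function makeFakeDom() {
  const listeners = [];
  const headChildren = [];
  const received = [];          // messages that reached the host app
  const document = {
    head: { appendChild(node) { headChildren.push(node); return node; } },
    createElement(tag) { return { tagName: tag.toUpperCase(), textContent: "" }; },
    addEventListener(type, handler) { listeners.push({ type, handler }); },
    querySelectorAll(sel) {
      return sel === "script" ? headChildren.filter((n) => n.tagName === "SCRIPT") : [];
    },
    // test helper: deliver a synthetic event to every matching listener
    dispatch(type, detail) { for (const l of listeners) if (l.type === type) l.handler(detail); },
  };
  // window.webkit.messageHandlers.<name>.postMessage is WKWebView's page-to-app
  // channel (WKScriptMessageHandler); "hypotheticalSink" is an invented name.
  const window = {
    document,
    webkit: { messageHandlers: { hypotheticalSink: { postMessage: (m) => received.push(m) } } },
  };
  return { window, received };
}

// (1) Stand-in for the injected code the article describes: every key event and
// every tap is forwarded to the host app, regardless of which site is loaded.
function appInjectedSubscriber(window) {
  const document = window.document;
  const send = (payload) => window.webkit.messageHandlers.hypotheticalSink.postMessage(payload);
  window.__appBridge = { v: 1 };                       // foreign global, a typical side effect
  for (const type of ["keydown", "keypress", "keyup"]) {
    document.addEventListener(type, (e) => send({ type, key: e.key, field: e.field }));
  }
  document.addEventListener("click", (e) => send({ type: "click", field: e.field }));
  const s = document.createElement("script");          // bootstrap for further telemetry
  s.textContent = "/* telemetry bootstrap */";
  document.head.appendChild(s);
}

// (2) Page-side monitor, installed before the app's script runs (a script injected
// at document end runs after the page's own scripts). It wraps the two hooks an
// injected script needs most and records what went through them. If the app
// injects at document start instead, the wrappers miss the registrations, so
// report() also diffs globals and script tags against a baseline taken at install.
function installMonitor(window) {
  const document = window.document;
  const findings = { listeners: [], appendedScripts: [], newGlobals: [] };
  const baselineGlobals = new Set(Object.keys(window));
  const baselineScripts = document.querySelectorAll("script").length;

  const origAdd = document.addEventListener;
  document.addEventListener = function (type, handler, opts) {
    findings.listeners.push(type);
    return origAdd.call(document, type, handler, opts);
  };
  const origAppend = document.head.appendChild;
  document.head.appendChild = function (node) {
    if (node.tagName === "SCRIPT") findings.appendedScripts.push(node.textContent);
    return origAppend.call(document.head, node);
  };
  return {
    report() {
      findings.newGlobals = Object.keys(window).filter((k) => !baselineGlobals.has(k));
      findings.scriptsAddedSinceLoad = document.querySelectorAll("script").length - baselineScripts;
      findings.keyboardSubscribed = findings.listeners.some((t) => t.startsWith("key"));
      return findings;
    },
  };
}

// Scenario: the page loads and installs the monitor, the app injects its
// subscriber, the user types one character into a password field and taps a
// button. Returns what the page detected and what the app received.
function runScenario() {
  const { window, received } = makeFakeDom();
  const monitor = installMonitor(window);
  appInjectedSubscriber(window);
  window.document.dispatch("keydown", { key: "p", field: "password" });
  window.document.dispatch("click", { field: "submit" });
  return { report: monitor.report(), received };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runScenario(), null, 2));
}
```

In the scenario the keystroke typed into the password field reaches the host app through the message handler, which is the point Krause makes about keylogger-equivalent capability; whether anything is done with it on the app side is exactly what a page cannot see, which is why his caveat about injection not proving malice stands. The monitor only observes what happens in the page after it is installed, so a detector of this kind tells you that injection occurred, not what the injected code sends home.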