What TikTok does is 'the equivalent of installing a keylogger,' according to security researcher Felix Krause.
I’ve been working at PCMag since November 2016, covering all areas of technology and video game news. Before that I spent nearly 15 years working at Geek.com as a writer and editor. I also spent the first six years after leaving university as a professional game designer working with Disney, Games Workshop, 20th Century Fox, and Vivendi.
A security researcher has discovered TikTok’s in-app browser monitors all keyboard input and screen taps every time it’s used to open a link.
As MacRumors reports, the discovery was made by researcher Felix Krause, who summarized the functionality as being “the equivalent of installing a keylogger.” Any external link opened from within the iOS app will trigger TikTok to monitor all keyboard entries and taps on the screen as you browse.
In response to this revelation, a TikTok spokesperson denied the claims being made:
“The report’s conclusions about TikTok are incorrect and misleading. The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects. Contrary to the report’s claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring.”
TikTok also points to a CNN interview from July with Michael Beckerman, VP, Head of Public Policy, Americas at TikTok, in which he denies that TikTok uses keylogging.
Krause readily admits that “just because an app injects JavaScript into external websites, doesn’t mean the app is doing anything malicious.” In other words, only TikTok knows what data is being collected, transferred, and used, and based on what TikTok is saying, it’s limited to ensuring the app is running bug-free.
If this all sounds very familiar, it’s because Krause recently discovered that the Facebook and Instagram apps are doing the same thing. In response, Krause created InAppBrowser.com, which can be launched from within an app you want to analyze. It produces a report explaining which JavaScript commands get executed. It’s open source and Krause hopes the community will continue to improve it over time.
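One way a web page can check its own context for script that registers keyboard or tap listeners, as an added example that is not code from the article or from Krause's tool. The names `watchListeners`, `summarize`, `demo` and the event list are hypothetical, and the input in `demo` is constructed.

```javascript
// Added example: all names here are hypothetical, not from InAppBrowser.com.
const INPUT_EVENTS = new Set([
  'keydown', 'keypress', 'keyup', 'input', 'click', 'touchstart',
]);

// Wrap addEventListener on `proto` so every registration of an input-related
// listener is recorded in `findings`. Returns a function that undoes the wrap.
function watchListeners(proto, findings) {
  const original = proto.addEventListener;
  proto.addEventListener = function (type, listener, options) {
    if (INPUT_EVENTS.has(String(type))) {
      findings.push({
        type: String(type),
        target: this && this.constructor ? this.constructor.name : 'unknown',
        // First frame outside this wrapper: which script asked for the listener.
        caller: ((new Error().stack || '').split('\n')[2] || '').trim(),
      });
    }
    // Always forward, so the page keeps working exactly as before.
    return original.call(this, type, listener, options);
  };
  return function restore() { proto.addEventListener = original; };
}

// Collapse findings into { eventType: count } for a short report.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.type] = (counts[f.type] || 0) + 1;
  return counts;
}

// Constructed demo: a bare EventTarget stands in for `document`, and the
// listeners below stand in for script added by a host app.
function demo() {
  const findings = [];
  const restore = watchListeners(EventTarget.prototype, findings);
  const page = new EventTarget();
  let delivered = 0;
  page.addEventListener('keydown', () => { delivered += 1; });
  page.addEventListener('click', () => {});
  page.addEventListener('load', () => {}); // not an input event: ignored
  page.dispatchEvent(new Event('keydown'));
  restore();
  page.addEventListener('keyup', () => {}); // after restore: not recorded
  return { counts: summarize(findings), total: findings.length, delivered };
}
```

In a page, `watchListeners(EventTarget.prototype, findings)` would run as the first script. Listeners registered before it runs, or from an isolated script world the page cannot see, are not recorded, so an empty report does not show that nothing is listening.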
Interestingly, of all the apps analyzed by Krause so far, TikTok is the only one that doesn’t have an option to open links using a device’s default browser. However, according to a TikTok spokesperson, to use a browser outside the app would be a “suboptimal / clunky experience” and wouldn’t allow the company to ensure a secure user experience.
Editors’ Note: This story was updated with comment from TikTok.
I hold two degrees: a Bachelor’s degree in Computer Science and a Master’s degree in Games Development. My first book, Make Your Own Pixel Art, is available from all good book shops.
Read Matthew’s full bio