TikTok’s in-app browser could be a keylogger, analysis warns



“Beware of in-app browsers” is a good rule of thumb for any privacy-conscious mobile app user, given an app’s ability to leverage its grip on the user’s attention to spy on what you are looking at through browser software that it also controls. But the behavior of TikTok’s in-app browser is raising eyebrows after independent privacy research by developer Felix Krause found that the social network’s iOS app injects code that could allow it to monitor all keyboard inputs and taps. Aka, keylogging.

“TikTok iOS subscribes to every keystroke (text entries) that occurs on third-party websites rendered in the TikTok app. This may include passwords, credit card information, and other sensitive user data,” warns Krause in a blog post detailing the results. “We can’t know what TikTok uses the subscription for, but from a technical point of view, this is the equivalent of installing a keylogger on third-party websites.” [emphasis his]

After releasing a report last week — focusing on the potential of Meta’s Facebook and Instagram iOS apps to track users of their in-app browsers — Krause went on to launch a tool, called InAppBrowser.com, that lets mobile app users get details about the code injected by in-app browsers by listing the JavaScript commands executed by the app when displaying the page. (NB: He warns that the tool does not necessarily list all executed JavaScript commands and cannot detect what tracking an application might be doing using native code. So at best it offers some insight into potentially sketchy activity.)
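As an added illustration of the detection approach just described (this is not the InAppBrowser.com tool’s own code, nor anything from TikTok): a small script wraps addEventListener before any other script runs, then reports which keyboard-input events a later-loaded script subscribes to. The “document” is a constructed stand-in (Node’s EventTarget) so the example runs offline; in a real page you would wrap window.document the same way, and the injected script here is a constructed placeholder whose handlers do nothing.

```javascript
// Added example (not from the article, InAppBrowser.com or TikTok): record which
// keyboard-input events a script subscribes to by wrapping addEventListener before
// the script runs. The "document" is a constructed stand-in so this runs in Node.

const KEYBOARD_EVENTS = new Set(["keydown", "keypress", "keyup", "input", "beforeinput"]);

// Wrap target.addEventListener so every subscription made afterwards is recorded.
// Returns the array the wrapper appends to.
function instrumentEventTarget(target) {
  const log = [];
  const original = target.addEventListener.bind(target);
  target.addEventListener = function (type, listener, options) {
    const name = (listener && listener.name) || "(anonymous)";
    log.push({ type: String(type), listener: name });
    return original(type, listener, options);
  };
  return log;
}

// Summarise the log: which keyboard events were subscribed, and whether the set
// amounts to watching every keystroke (keydown or keypress on the document).
function classifySubscriptions(log) {
  const keyboard = [...new Set(
    log.filter((e) => KEYBOARD_EVENTS.has(e.type)).map((e) => e.type)
  )];
  const keystrokeMonitoring = keyboard.includes("keydown") || keyboard.includes("keypress");
  return { keyboard, keystrokeMonitoring, total: log.length };
}

// Constructed placeholder for a script injected by an in-app browser. It subscribes
// to the event types named in the article; the handlers deliberately do nothing.
function constructedInjectedScript(doc) {
  doc.addEventListener("keydown", function onKeyDown() {});
  doc.addEventListener("keypress", function onKeyPress() {});
  doc.addEventListener("click", function onClick() {});
}

// Instrument first, then load the script, then classify what it asked for.
function auditInjectedScript() {
  const doc = typeof document !== "undefined" ? document : new EventTarget();
  const log = instrumentEventTarget(doc);
  constructedInjectedScript(doc);
  return classifySubscriptions(log);
}

console.log(JSON.stringify(auditInjectedScript()));
```

The wrapper only sees subscriptions made through addEventListener after it is installed, which mirrors the tool’s own caveat above: tracking done in native code, or JavaScript run in a separate content world, is invisible to it.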

Krause used the tool to produce a brief benchmarking of a number of major apps, which appears to place TikTok at the top of concerning in-app browser behaviors – due to the breadth of inputs it was identified as subscribing to, and the fact that it does not offer users the option of using a default mobile browser (i.e. rather than its own in-app browser) to open web links. The latter means there’s no way to avoid TikTok’s tracking code loading if you’re using its app to view links – the only way to avoid this privacy risk is to leave the app entirely and use a mobile browser to load the link directly (and if you can’t copy-paste it, you’ll need to be able to remember the URL to do so).

Krause is careful to point out that just because he discovered that TikTok subscribes to every keystroke a user makes on third-party sites viewed in its in-app browser doesn’t mean it’s doing “something malicious” with the access – as he notes, there is no way for outsiders to know all the details about the type of data collected or how or whether it is transferred or used. But, clearly, the behavior itself raises questions and privacy risks for TikTok users.

We have contacted TikTok about the tracking code it injects into third-party sites and will update this report with any response.

Update: A company spokesperson has now sent this statement:

The conclusions of the report on TikTok are incorrect and misleading. The researcher specifically says that the JavaScript code does not mean our app is doing anything malicious, and admits that they have no way of knowing what kind of data our in-app browser is collecting. Contrary to the report’s claims, we do not collect typing or text input through this code, which is only used for debugging, troubleshooting, and performance monitoring.

TikTok argues that the “keypress” and “keydown” entries identified by Krause are common inputs – saying it’s incorrect to make assumptions about their use based solely on the code highlighted by the research.

To back this up, the spokesperson pointed to non-TikTok code on GitHub which they claim would trigger the exact same response cited by the research as evidence of improper data collection, but which is instead used to trigger a known command, under the name ‘StopListening’, which they claim would specifically prevent an application from capturing what is typed.

They further claimed that the JavaScript code highlighted by the research is used only for debugging, troubleshooting and performance monitoring of the in-app browser to optimize the user experience, such as checking how fast a page loads or whether it freezes. They also said that the JavaScript in question is part of an SDK it uses – adding that just because certain code exists does not mean the company uses it. The spokesperson also pointed to the distinction between permissions allowing apps to access certain categories of information on a user’s device (aka, “invoke”) and the actual collection or processing of data under App Store policies – suggesting many items associated with the categories of information in question may be analyzed locally on the device without the information itself ever being collected by TikTok.

TikTok’s spokesperson also told us that it doesn’t offer users the option to opt out of its in-app browser because doing so would require directing them outside of the app, which, according to them, would make the experience clunky and less fluid.

They also reiterated an earlier public denial from TikTok that it engages in keystroke logging (i.e. content capture), but suggested it could use keystroke information to detect unusual patterns or rhythms, such as whether each letter typed is exactly 1 keystroke per second, to help protect against fake logins, spammy comments, or other behavior that could threaten the integrity of its platform.

TikTok’s spokesperson went on to suggest that the level of data collection it engages in is akin to that of other apps that also collect information about what users are looking at in the app in order to recommend relevant content and personalize the service.

They confirmed that users who browse web content in its app are tracked for similar personalization, such as selecting relevant videos to display in their For You feed. TikTok may also collect user activity data elsewhere, on advertisers’ apps and websites, when those third-party companies choose to share that data with it, they further noted.

Meta-owned apps Instagram, Facebook and FB Messenger have also been found by Krause to modify third-party sites loaded through their in-app browsers – with “potentially dangerous” commands, as he puts it – and we’ve also approached the tech giant for a response to the findings.

Privacy and data protection are regulated in the European Union by laws such as the General Data Protection Regulation (GDPR) and the ePrivacy Directive, so any tracking of users in the region that does not have an appropriate legal basis could lead to a regulatory sanction.

The two social media giants have already been the subject of various EU proceedings, investigations and enforcement actions relating to privacy, data and consumer protection in recent years – with a number of ongoing inquiries and impending major decisions.

Update: The Irish Data Protection Commission, which is the lead data protection regulator for Meta and TikTok under the GDPR in Europe, told TechCrunch it had requested a meeting with Meta following last week’s reports on the JavaScript issue. It also said it would engage with TikTok on the issue.

Krause warns that public scrutiny of in-browser JavaScript tracking code injections on iOS is likely to encourage bad actors to update their software to make this code undetectable to outside researchers — by running their JavaScript code in the “context of a specified frame and content world” (aka WKContentWorld), provided by Apple since iOS 14.3. The feature was introduced as an anti-fingerprinting measure, so that website operators cannot interfere with the JavaScript code of browser plugins (but the technology is obviously a double-edged sword in the context of tracking obfuscation) – Krause argues that it is therefore “more important than ever to find a solution to end the use of custom in-app browsers to display third-party content”.

Despite some concerning behaviors identified in mobile apps running on iOS, Apple’s platform is generally touted as more privacy-safe than Google’s alternative mobile operating system, Android – and it’s worth noting that apps that follow Apple’s recommendation to use Safari (or SFSafariViewController) for viewing external websites have been found by Krause to be “on the safe side” – including Gmail, Twitter, WhatsApp and many others. As he puts it, Cupertino’s recommended method means there’s no way for apps to inject code into websites, including via the aforementioned isolated JavaScript system (which could otherwise be used to obfuscate tracking code).
