TikTok's in-app browser logs keystrokes, raising new privacy concerns

posted Friday Aug 19, 2022 by Scott Ertz

Social media is a gamble, no matter what you use. For example, Facebook has famously given access to far too much information to companies with API access. Twitter made private information like email addresses and phone numbers accessible to advertisers. TikTok has been in the spotlight for its privacy violations, often related to its owner's relationship with the Chinese government. This week, we have new information related to privacy, stemming from how the company deals with its in-app web browser.

Why does TikTok have an in-app browser?

The answer to this seemingly simple question is more complex than it might seem. First, the browser is used to provide some of the app's web-based experiences. One that was recently brought to light is their new gaming ambitions. These new in-app games will be powered by HTML5, which means that they will run in a private browser.

But TikTok is not the only social media app to house a browser inside. These browsers, including those in Facebook, Instagram, Twitter, and TikTok, are used to keep external experiences, such as links within posts to websites other than the social network in question, as part of the internal experience. They are also used to keep ad links within the social media experience. You'll be taken to the advertiser's website, but it will all still live within the social media app, rather than launching your default browser outside.

What's the problem with TikTok's browser?

In theory, having a browser live within the app to control the experience is not an issue. The companies want to control the experience, and to track your progress across those experiences to verify the success of advertisements. However, by having this browser in the app, you are required to place a lot of trust in the app platform.

With TikTok, that trust appears to be misplaced. According to a report from Felix Krause, a software researcher based in Vienna, TikTok uses JavaScript injection to track every pixel and every interaction on that website. This includes your taps on the site, but more importantly, your keystrokes.
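One way a site owner can check for this kind of injection from the page side, as an added example (not from the original article or from Krause's report): wrap addEventListener before any other script runs and record input-related listeners the site did not register itself. The names installListenerAudit, trust and demo are hypothetical, and the demonstration uses a constructed EventTarget in place of document.

```javascript
// Added example: audit which input-related listeners get registered on a page.
// Assumption: this is the first script the page loads.
const INPUT_EVENTS = new Set([
  "keydown", "keypress", "keyup", "input", "click", "touchstart",
]);

function installListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const findings = [];
  const allowed = new WeakSet();

  // The site wraps its own handlers in trust() so they are not reported.
  const trust = (fn) => { allowed.add(fn); return fn; };

  proto.addEventListener = function (type, listener, options) {
    if (INPUT_EVENTS.has(type) && listener && !allowed.has(listener)) {
      findings.push({
        type,
        target: this && this.constructor ? this.constructor.name : "global",
        // The stack hints at which script registered the listener
        // (its format varies between JavaScript engines).
        stack: new Error().stack || "",
      });
    }
    return original.call(this, type, listener, options);
  };

  // Put the native method back when the audit is finished.
  const restore = () => { proto.addEventListener = original; };
  return { findings, trust, restore };
}

// Constructed demonstration: one handler the site owns, one it did not register.
function demo() {
  const audit = installListenerAudit();
  const page = new EventTarget(); // stands in for `document`
  page.addEventListener("keydown", audit.trust(() => {})); // site's own handler
  page.addEventListener("keypress", () => {});             // unexpected handler
  page.addEventListener("scroll", () => {});               // not input-related
  audit.restore();
  return audit.findings.map((f) => f.type);
}
```

The audit only sees registrations made after it runs and in the page's own JavaScript context, so an empty result does not prove that nothing was injected.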

Keyloggers are an old concept that has never faded from popularity because of their simplicity and strong capability to return sensitive data. Hackers have installed keyloggers on millions of computers over the years in hopes of uncovering data, such as email addresses, passwords, phone numbers, credit card numbers, social security numbers, and more.

What privacy violation does TikTok's browser introduce?

Having a keylogger built into a social networking app is a scary concept to begin with. Opening an ad can lead to signing up for a service, which would include a password. It could also lead to a store where you might enter your name, address, phone number, and credit card info to make a purchase. Giving that info to someone else is never a great idea, but TikTok has its own special problems.

In this case, TikTok's owner, ByteDance, has very strong ties to the Chinese government and the Chinese Communist Party. The CCP is nothing if not a data collection and hoarding organization. They collect browsing data on their own people, and prevent them from accessing a ton of data, particularly about the things the government does. By reaching a hand into other countries, they can collect a lot of information they previously had no access to.

How to protect yourself

Generally, you should not use any in-app browser for anything more than casual browsing. Clicking an article on Facebook and opening the piece in the browser is fine. However, you should not log in to another platform, sign up for something, or make purchases outside of a safe environment. There are plenty of safe mobile browsers, so there is no need to use these dumbed-down versions in other apps.


