TikTok’s in-app browser can track your keystrokes, says researcher

TikTok injects code into any website opened in the iOS app’s custom in-app browser that allows it to monitor the user’s activity on those sites, including whatever they tap on the page and even what they type, according to a new report issued Thursday.

“This was an active choice the company made,” Felix Krause, a software researcher based in Vienna and the report’s author, told Forbes.

“This is a non-trivial engineering task. This does not happen by mistake or randomly.”

Krause is the founder of Fastlane, a service for testing and deploying apps, which Google acquired five years ago. He published a report last week that showed Meta did something similar in the custom in-app browsers of their iOS Instagram and Facebook apps to bypass Apple’s anti-tracking protections.

In response to the feedback to the Meta report, Krause released a tool that allows anyone to check if the browser they are using injects any new code into websites and, if so, what it can track. To use the tool, a user just needs a friend to send them a link to InAppBrowser.com in a direct message and open it in an in-app browser.

Krause tested seven iOS apps for his new report: TikTok, Facebook, Facebook Messenger, Instagram, Snapchat, Amazon and Robinhood.

Of the group, TikTok was the only one that appears able to monitor keystrokes. It, along with Meta’s Facebook and Instagram, can also track every tap on web pages it opens.

TikTok told Forbes that the reported tracking features exist but that it is not using them.

Krause acknowledged his research does not show companies are actually using the injected code to collect data, send it to their servers or share it with third parties, stating his goal is “to showcase that bad actors could get access to this data with this approach.”

The report comes amid increasing concerns that the data collected by TikTok parent Bytedance can be accessed by the Chinese Community Party. In June, Buzzfeed obtained recordings of internal meetings that indicate China-based employees of ByteDance have repeatedly accessed non-public data about U.S. TikTok users up until at least January 2022.

A recent poll found that 60% of Americans want the TikTok app removed from app stores.