TikTok's in-app browser can monitor your keystrokes, including passwords and credit cards, researcher says

Have you ever opened a link while scrolling through an app on your phone?

New research has revealed some of the data popular apps can track and collect while using in-app browsers.

Key points:

  • In-app browsers increase security and privacy risks
  • A computer scientist says big tech undermines trust in e-commerce
  • TikTok denies it is storing user data but confirms the existence of code

Software engineer and security researcher Felix Krause has assessed what code is injected onto a website to gather user activity when it is opened through an app.

This includes any ads or links clicked through a creator's profile.

For example, any link clicked through TikTok will open within the app using the platform's in-app browser rather than a default browser like Chrome or Safari.

The JavaScript code embedded by TikTok allows the company to monitor all keystrokes — the equivalent of a keylogger — as well as every tap on the screen, and text inputs including passwords and credit card information.

"Installing a keylogger is obviously a huge thing… according to TikTok it's disabled at the moment," Mr Krause said.

"The problem is they do have the infrastructure and the systems in place to be able to track all these keystrokes… that on its own is a huge problem.

"The fact that they have this system already is a huge risk for every user."

The Vienna-based researcher is the founder of Fastlane, a testing platform for Android and iOS apps, acquired by Google five years ago.

He has been looking at the risks of in-app browsers for several years, but the increased use by big tech companies spurred him to look at the code behind each platform.

On Thursday he released a report on his findings after creating a security tool, InAppBrowser.com, for anyone to see what apps can track when using their in-app browsers.

It can recognise what apps such as TikTok, Instagram and Meta are able to track, but it cannot tell us what data each app actually chooses to collect, transfer or use.


TikTok injects tracking code that can monitor all keystrokes. (Felix Krause)

Although InAppBrowser.com finds commands embedded in the code, the full extent of what apps implement on third-party websites is unknown, partly because of an iOS 14.3 update in December 2020 that allows some injected JavaScript commands to run undetectably.
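The keystroke and tap observation described above, and the detection limits InAppBrowser.com runs into, can be shown from the website's side. The following is an added example, not code from the article or from Felix Krause's tool: it wraps the standard `addEventListener` so a page can separate the keystroke and tap handlers it registered itself from subscriptions it never made; the `demo` target and the `injectedObserver` stand-in are constructed for the example.

```javascript
// Added example (not the article's or InAppBrowser.com's code): a page-side
// audit of who subscribes to keystroke and tap events on an EventTarget.
const SENSITIVE_EVENTS = new Set([
  "keydown", "keyup", "keypress", "input", "touchstart", "touchend", "click",
]);

// Wraps EventTarget.prototype.addEventListener, the method that
// document.addEventListener resolves to, and logs later sensitive registrations.
function createListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const entries = [];
  let pageRegistering = false; // true only while the page's own code registers
  proto.addEventListener = function (type, listener, options) {
    if (SENSITIVE_EVENTS.has(type)) {
      entries.push({
        type,
        listener: (listener && listener.name) || "<anonymous>",
        own: pageRegistering,
      });
    }
    return original.call(this, type, listener, options);
  };
  return {
    // The page routes its own registrations through here so they are marked own.
    registerOwn(target, type, listener, options) {
      pageRegistering = true;
      try { target.addEventListener(type, listener, options); }
      finally { pageRegistering = false; }
    },
    // Every keystroke/tap subscription the page did not make itself.
    foreign() { return entries.filter((e) => !e.own); },
    uninstall() { proto.addEventListener = original; },
  };
}

// Demonstration on a constructed stand-in target; a real page would use `document`.
function demo() {
  const audit = createListenerAudit();
  const doc = new EventTarget();
  audit.registerOwn(doc, "keydown", function ownHandler() {});
  // Constructed stand-in for an observer an in-app browser injected into the page.
  doc.addEventListener("keydown", function injectedObserver() {});
  doc.addEventListener("scroll", function harmless() {}); // not a sensitive type
  const report = audit.foreign();
  audit.uninstall();
  return report;
}
```

Code injected before the page's own scripts can keep a reference to the original method and bypass the wrapper, and since iOS 14.3 an in-app browser can run its JavaScript in a separate content world the page cannot see at all, so an empty report is not proof of absence.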

The JavaScript security risk does not end with TikTok.

Another app Mr Krause investigated was Instagram, which was found to have the ability to observe phone taps including clicks on images.

Leading computer scientist and Systems Approach co-founder Bruce Davie said app behaviour of this nature undermined user confidence in e-commerce.

"It's alarming to see how much information can be tracked that people aren't aware of, including potentially any user interaction with a website," Mr Davie said.

"The issue appears widespread, with tracking code observed in the apps of Facebook and Instagram as well as TikTok."

TikTok confirmed the existence of the code and claimed they were not collecting user data using the injected code.

"We do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring," a TikTok spokesperson said.

There is no way to verify whether the data is being collected or used.

According to a spokesperson, the gathering of personal data would go against TikTok's privacy policy, which does allow for browsing history in the in-app browser to be collected to improve user experience.

Mr Krause said apps in their infancy used this data to find errors and debug before scaling and later delete the functionality — something TikTok had failed to do.

"Those [data tracking abilities] should not end up in the final version of the app that has been used by millions of people," Mr Krause said.

"That's not something that happens by mistake… especially at a company this size."

What is their motivation?

The injection of the code does not mean user data is being stored or used in a malicious way, but the deliberate decision to include it is of concern.

"While we can only guess at the motives of the companies involved, we know they use tracking to drive ad-targeting and to increase user engagement on their platforms," Mr Davie said.

How can I protect myself while browsing in-app links?

Most in-app browsers offer a way to open the link in your preferred browser outside the app, or you can achieve the same result by copying the link and pasting it into that browser.

TikTok does not have a button installed to open websites into a default browser.

According to a TikTok spokesperson, directing users outside the app when they click links would create a clunky and diminished experience.

Should you have TikTok or Facebook downloaded onto your phone?
Monash University professor and artificial intelligence and technology law specialist Chris Marsden said "we should all be concerned about cyber security", but the indoctrination of smartphones left everyday users at a loss.

"Especially today, any iPhone user should be more concerned about downloading an Apple iOS update to patch a critical security exploit," Mr Marsden said.

"The commercial use of smartphone user data is currently so unregulated that the real question is, should you have a smartphone?

"We as individuals cannot understand the security and privacy risks.

"ACCC does now conduct six monthly reviews of the competition and consumer issues for the treasurer on these apps."

Is TikTok a greater risk to users than other apps?
TikTok presents a unique concern as the only app, of the seven analysed, with the ability to track all keyboard inputs without allowing users to open links in a default browser such as Safari or Chrome.


The seven apps assessed for user data tracking were TikTok, Instagram, Facebook Messenger, Facebook, Amazon, Snapchat and Robinhood. (Felix Krause)

Should the government protect our digital privacy from tech companies?

"The default global responsibility to check that apps are obeying any regulation falls to Google and Apple," Mr Marsden said.

"Police can interact with and request those giant companies take down apps from the store."

In 2019 Apple removed an app that helped protesters in Hong Kong track riot police, citing a violation of its rules because the app was used to ambush law enforcement officers.

Can we fix TikTok?

"To me, the big surprise is that when I browse to a website from within the app, I'm getting a very different level of tracking than I would get had I browsed there via my normal browser [such as Safari]," said Mr Davie.

An easy solution to the security risks would be to allow TikTok users to open in-app links on their preferred browser.

This would let users' own privacy settings in Safari or Chrome, such as ad-blocker and password-manager extensions, apply to the page.


Story first published on ABC News

Author: Grace McKinnon, ABC News