TikTok’s in-app browser includes code that can monitor your keystrokes, researcher says

When TikTok users access a website through a link in the app, TikTok inserts code that can monitor much of their activity on those external websites, including their keystrokes and everything they type on the page, according to new research shared with Forbes. Such tracking would allow TikTok to capture a user’s credit card information or password.

TikTok has the ability to monitor this activity due to the changes it makes to websites using the company’s in-app browser, which is part of the app itself. When people click on TikTok ads or visit links on a creator’s profile, the app doesn’t open the page with normal browsers like Safari or Chrome. Instead, it defaults to an in-app browser designed by TikTok that can rewrite parts of web pages.

TikTok can track this activity by injecting lines of the JavaScript programming language into visited websites in the app, creating new commands that alert TikTok to what people are doing on those websites.

“It was an active choice the company made,” said Felix Krause, a Vienna-based software researcher, who published a report on his findings on Thursday. “This is a non-trivial engineering task. This does not happen by mistake or by chance.” Krause is the founder of Fastlane, an application testing and deployment service, which Google acquired five years ago.

TikTok has strongly pushed back against the idea that it tracks users in its in-app browser. The company confirmed that these features exist in code, but said TikTok does not use them.

“Like other platforms, we use an in-app browser to provide the best user experience, but the JavaScript code in question is only used for debugging, troubleshooting, and performance monitoring of that experience, like checking how fast a page is loading or if it is crashing,” spokeswoman Maureen Shanahan said in a statement.

The company said the JavaScript code is part of a third-party software development kit, or SDK, a set of tools used to build or maintain apps. The SDK includes features that the app does not use, the company said. TikTok did not respond to questions about the SDK or which third party makes it.

While Krause’s research reveals the code that companies, including TikTok and Facebook’s parent company Meta, inject into websites from their built-in browsers, the research does not show that these companies actually use this code to collect data, send it to their servers or share it with third parties. The tool also does not reveal whether any of the activity is tied to a user’s identity or profile. While Krause was able to identify a few specific examples of what apps can track (like TikTok’s ability to monitor keystrokes), he said his list isn’t exhaustive and companies could monitor more.

The new research follows a report last week by Krause on in-app browsers, which focused specifically on apps owned by Meta: Facebook, Instagram and Facebook Messenger. WhatsApp, which the company also owns, appears to be in the clear because it doesn’t use an in-app browser.

On Thursday, Krause also released a tool that lets users check whether the browser they’re using is injecting new code into websites and what activity the company might be monitoring. To use the tool to verify Instagram’s browser, for example, send the InAppBrowser.com link to a friend in a direct message (or ask a friend to send you the link). If you click on the link in the DM, the tool will give you an overview of what the app is potentially tracking – although the tool uses several developer terms and can be difficult for non-coders to decipher.
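The injection described above works because an in-app browser can add its own scripts to a page and wrap the page’s DOM APIs before the site’s code runs. The check below is an added example, not Krause’s InAppBrowser.com code or any app’s SDK: it is page-side JavaScript a site owner could embed to look for three signs of a modified environment, namely DOM functions that no longer stringify as native code, script elements loaded from outside the page’s own origin, and the presence of a WebKit native message bridge (`window.webkit.messageHandlers`, the channel the “message” naming refers to). The API list and the sample script URLs are constructed for the example.

```javascript
// Added example (not from the page's author or any app). Page-side checks that
// report signs of script injection by a hosting in-app browser.

// DOM entry points worth watching; an injector that wants keystrokes or clicks
// typically wraps these. The list is an assumption for the example.
const WATCHED_APIS = [
  'EventTarget.prototype.addEventListener',
  'Document.prototype.querySelectorAll',
  'HTMLInputElement.prototype.focus',
];

// Genuine native functions stringify as "function name() { [native code] }".
// Caveat: an injector can also patch Function.prototype.toString to hide this,
// so a clean result is evidence, not proof (the article notes apps can hide activity).
function isNative(fn) {
  return typeof fn === 'function' &&
    /\[native code\]/.test(Function.prototype.toString.call(fn));
}

// Walk a dotted path such as "EventTarget.prototype.addEventListener" on `win`.
function resolvePath(win, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), win);
}

// APIs that exist on the window but no longer look native have been wrapped.
function findPatchedApis(win, apis = WATCHED_APIS) {
  return apis.filter((path) => {
    const fn = resolvePath(win, path);
    return fn !== undefined && !isNative(fn);
  });
}

// scripts: [{ src, inline }] as gathered by collectScripts(); flags cross-origin sources.
function findForeignScripts(scripts, pageOrigin) {
  return scripts
    .filter((s) => s.src && new URL(s.src, pageOrigin).origin !== pageOrigin)
    .map((s) => s.src);
}

// WKWebView exposes window.webkit.messageHandlers when the host app registers
// script message handlers, i.e. a native channel exists for injected code to report to.
function hasNativeBridge(win) {
  return Boolean(win.webkit && win.webkit.messageHandlers);
}

// Browser-only helper: snapshot the live document's <script> elements.
function collectScripts(doc) {
  return Array.from(doc.scripts, (s) => ({ src: s.src || '', inline: !s.src }));
}

function inAppBrowserReport(win, scripts, pageOrigin) {
  const patchedApis = findPatchedApis(win);
  const foreignScripts = findForeignScripts(scripts, pageOrigin);
  const nativeBridge = hasNativeBridge(win);
  const suspicious = patchedApis.length > 0 || foreignScripts.length > 0 || nativeBridge;
  return { patchedApis, foreignScripts, nativeBridge, suspicious };
}
// In a page: inAppBrowserReport(window, collectScripts(document), location.origin)
```

Any script the site itself legitimately loads from another origin (a CDN, an analytics vendor) will also appear in `foreignScripts`, so compare the report against the page’s own known script inventory rather than treating every entry as an injection.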

For his new research, Krause tested seven iPhone apps that use built-in browsers: TikTok, Facebook, Facebook Messenger, Instagram, Snapchat, Amazon and Robinhood. (He didn’t test versions for Android, Google’s mobile operating system.)

Of the seven apps Krause tested, TikTok was the only one that seemed to monitor keystrokes, he said, and seemed to monitor more activity than the others. Like TikTok, Instagram and Facebook both track every click on a website. Both of these apps also monitor when people highlight text on websites.

Meta didn’t answer specific questions related to tracking, but said in-app browsers are “common in the industry.” Spokeswoman Alisha Swinteck said the company’s browsers enable certain features, such as allowing autofill to fill in correctly and preventing people from being redirected to malicious sites. (However, browsers including Safari and Chrome also have these features.)

“Adding any of these types of features requires additional code,” Swinteck said in a statement. “We’ve carefully designed these experiences to respect users’ privacy choices, including how data may be used for ads.”

Meta also said that the script names presented in the tool can be misleading, as they are technical JavaScript terms that people can misunderstand. For example, “message” in this context refers to code components communicating with each other, not personal text messages.

Snapchat seemed to be the least data intensive. Its in-app browser didn’t seem to inject new code into web pages. However, apps have the ability to hide their JavaScript activity from websites (including Krause’s tool) due to an operating system update made by Apple in 2020, so it’s possible that some apps execute commands without detection. Snapchat did not respond to a request for comment on the activity, if any, monitored in its in-app browser.

The in-app browser isn’t as prevalent on TikTok as it is on Instagram. TikTok doesn’t allow users to click on links in DMs, so the in-app browser typically pops up when users click on ads or links on a creator’s or brand’s profile.

The browser tracking research comes as TikTok, owned by Chinese parent company ByteDance, faces scrutiny over the limits of its potential surveillance and questions about its ties to the Chinese government. In June, BuzzFeed News reported that US user data had been repeatedly accessed from China. The company has also worked to move certain US user information to the US, to be stored in an Oracle-managed data center, in an effort known internally as Project Texas.

But the potential tracking could also compromise election-related confidentiality. On Wednesday, TikTok announced its election integrity efforts ahead of the U.S. midterm elections. The initiative includes a new Election Hub, which connects people to authoritative information from trusted sources, including the National Association of Secretaries of State and Ballotpedia.

TikTok explicitly promises privacy as part of the initiative. “For any action that requires a user to share information, such as registering to vote, users will be directed away from TikTok to the relevant state or nonprofit website to complete this process,” the company said in a blog post. “TikTok will not have access to any of this off-platform data or activity.”

TikTok will likely use its in-app browser to open these websites. Krause’s tool suggests that TikTok could have access to this information, potentially allowing the company to track someone’s address, age and political party. TikTok also pushed back on this scenario, again emphasizing that while these tracking features exist in code, the company does not use them.

In recent years, the business model behind big tech – in which companies like Facebook and Google collect user data to support their targeted advertising machines – has become widely known, so some people may not be surprised by the tracking in built-in browsers. However, neither Meta nor TikTok have specific sections in their in-browser privacy policies that disclose these monitoring practices to users.

Some privacy experts also balk at the kind of keystroke monitoring that TikTok appears to be capable of. “It’s very sneaky,” said Jennifer King, chief privacy and data policy officer at Stanford University’s Institute for Human-Centered Artificial Intelligence. “The assumption that your data is pre-read before you even submit it, I think that crosses a line.”

Krause said he’d like to see the industry move away from in-app browsers, instead using browsers like Safari or Chrome, which people have typically set as the default browsers on their phones. Apple did not respond to a request for comment asking whether the company would crack down on in-app browsers, forcing apps to use a device’s default browser instead.

Both TikTok and Meta give you the option to open links in Safari or your phone’s default browser, but only after the apps first direct you to their respective built-in browsers. The default option also sits behind a menu screen in TikTok and Instagram – already too out of the way for many users who don’t even know the option exists.