A security researcher has discovered that TikTok's in-app browser monitors all keyboard input and screen taps every time it's used to open a link.
As MacRumors reports, the discovery was made by researcher Felix Krause, who summarized the functionality as being "the equivalent of installing a keylogger." Any external link opened from within the iOS app will trigger TikTok to monitor all keyboard entry and taps on the screen as you browse. So any passwords or credit card details entered are also seen by TikTok.
In response to this revelation, TikTok spokesperson Maureen Shanahan told Forbes, "Like other platforms, we use an in-app browser to provide an optimal user experience, but the JavaScript code in question is used only for debugging, troubleshooting and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes."
If this all sounds very familiar, it's because Krause recently discovered that the Facebook and Instagram apps are doing the same thing. In response, Krause created InAppBrowser.com, which can be launched from within an app you want to analyze. It produces a report explaining which JavaScript commands get executed. It's open source and Krause hopes the community will continue to improve it over time.
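One way a web page can observe the behaviour described above, as an added example that is not from the article or from InAppBrowser.com's own code: wrap `addEventListener` and record which scripts register keyboard or tap listeners. The names `installListenerMonitor` and `WATCHED` are hypothetical, and the "injected" registrations are simulated so the block runs under Node.

```javascript
// Added example: page-side monitor for input listeners registered by scripts
// the page did not ship (for instance, injected by a host app's in-app browser).
// installListenerMonitor and WATCHED are hypothetical names.
const WATCHED = new Set(["keydown", "keypress", "keyup", "input", "click", "touchstart"]);

function installListenerMonitor(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const report = [];
  proto.addEventListener = function (type, listener, options) {
    if (WATCHED.has(String(type))) {
      report.push({
        type: String(type),
        target: this && this.constructor ? this.constructor.name : "unknown",
        // A few stack frames identify the script that registered the listener.
        stack: (new Error().stack || "").split("\n").slice(2, 5).map((s) => s.trim()),
      });
    }
    // Always forward to the real implementation so the page keeps working.
    return original.call(this, type, listener, options);
  };
  return {
    report,
    uninstall() { proto.addEventListener = original; },
  };
}

// Constructed demo: simulated registrations standing in for injected code.
function runDemo() {
  const monitor = installListenerMonitor();
  const page = new EventTarget();               // stands in for `document`
  page.addEventListener("load", () => {});      // not input-related: ignored
  page.addEventListener("keypress", () => {});  // simulated injected listener
  page.addEventListener("click", () => {});     // simulated injected listener
  monitor.uninstall();
  return monitor.report.map((r) => r.type);
}

console.log(runDemo());
```

Listeners registered before this monitor is installed, or from a JavaScript world isolated from the page, do not appear in the report, so an empty report is not proof that nothing is listening.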
Interestingly, of all the apps analyzed by Krause so far, TikTok is the only one that doesn't have an option to open links using a device's default browser. He also readily admits that "Just because an app injects JavaScript into external websites, doesn’t mean the app is doing anything malicious." In other words, only TikTok knows what data is being collected, transferred,