NewsBite

TikTok is tracking your credit card details

A groundbreaking report has lifted the lid on the app's ability to track you and your spending patterns.

A groundbreaking report has lifted the lid on TikTok's mammoth ability to track users' keystrokes when using the in-app browser.

TikTok can track users’ keystrokes and activity when operating within the in-app browser, which may include monitoring their passwords, credit card information or other highly sensitive details.

When users enter a website through a link in the app (i.e. in the in-app browser), TikTok inserts code which can monitor an individual’s activity on external websites.

Felix Krause, a security researcher and developer previously employed by Google, analysed the code and found TikTok had the ability to collect the data. However, he said they may not be collecting the information yet.

“This was an active choice the company made,” Krause, who is based in Vienna, said. “This is a non-trivial engineering task. This does not happen by mistake or randomly.” 

Krause is the founder of Fastlane, a service for testing and deploying apps, which Google acquired five years ago.

His report explained that when users open the in-app browser, it subscribes to all keyboard inputs (which could include personal information) in addition to every tap on the screen. 

“We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third-party websites,” the report said.

TikTok has deemed the report “incorrect and misleading”, claiming the code is only used for “debugging, troubleshooting and performance monitoring”.

Krause released research earlier this month into Instagram’s in-app browser, in which he discovered the app injected code which allowed it to monitor all user interaction. This included “every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers”.

But in his analysis of about 20 apps, Krause found TikTok was the only one that did not permit users to use their phone’s default browser when opening a link from the app.

Snapchat seemed to be the least hungry for data, with its in-app browser not injecting any new code into external web pages.

But Krause noted apps have the ability to hide their JavaScript activity due to an operating system update Apple made in 2020. 

Therefore, it is possible that some apps and sites are running invasive code commands undetected.

Google is also facing data farming and transparency questions, since a video of sites sending information to the search engine was published online late last week.

Ellie Dudley, Legal Affairs Correspondent

Ellie Dudley is the legal affairs correspondent at The Australian covering courts, crime, and changes to the legal industry. She was previously a reporter on the NSW desk and, before that, one of the newspaper's cadets.

Original URL: https://www.theaustralian.com.au/the-oz/news/tiktok-is-tracking-your-credit-card-details/news-story/2796d02038c2206a67197f6076537cce