A security researcher has discovered TikTok's in-app browser monitors all keyboard input and screen taps every time it's used to open a link.
As MacRumors reports, the discovery was made by researcher Felix Krause, who summarized the functionality as being "the equivalent of installing a keylogger." Any external link opened from within the iOS app will trigger TikTok to monitor all keyboard entries and taps on the screen as you browse.
In response to this revelation, a TikTok spokesperson denied the claims being made:
"The report's conclusions about TikTok are incorrect and misleading. The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects. Contrary to the report's claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring."
TikTok also points to a CNN interview from July in which Michael Beckerman, VP, Head of Public Policy, Americas at TikTok, denies that TikTok uses keylogging.
Krause readily admits that "just because an app injects JavaScript into external websites, doesn’t mean the app is doing anything malicious." In other words, only TikTok knows what data is being collected, transferred, and used, and based on what TikTok is saying, it's limited to ensuring the app is running bug-free.
If this all sounds very familiar, it's because Krause recently discovered that the Facebook and Instagram apps are doing the same thing. In response, Krause created InAppBrowser.com, which can be launched from within an app you want to analyze. It produces a report explaining which JavaScript commands get executed. It's open source, and Krause hopes the community will continue to improve it over time.
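To make the idea of reporting "which JavaScript commands get executed" concrete, here is an added example, not code from InAppBrowser.com or from Krause's report, of a page-side shim that records when any script subscribes to keyboard or tap events. The names `installListenerAudit`, `INPUT_EVENTS` and `runConstructedDemo` are hypothetical, and the demo uses a bare `EventTarget` in place of a real page.

```javascript
// Added example: record which input-related listeners scripts register.
// installListenerAudit and INPUT_EVENTS are hypothetical names.
const INPUT_EVENTS = new Set([
  'keydown', 'keypress', 'keyup', 'input', 'click', 'touchstart', 'pointerdown',
]);

function installListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const log = [];
  proto.addEventListener = function (type, listener, options) {
    // A bare addEventListener(...) call can arrive with no receiver.
    const target = this ?? globalThis;
    if (INPUT_EVENTS.has(type)) {
      // Keep a short call-site trace so the registering script can be identified.
      const stack = (new Error().stack || '').split('\n').slice(2, 4)
        .map((line) => line.trim());
      log.push({ type, target: target.constructor.name, stack });
    }
    return original.call(target, type, listener, options);
  };
  return {
    log,
    // Number of recorded registrations per event type.
    summary() {
      const counts = {};
      for (const { type } of log) counts[type] = (counts[type] || 0) + 1;
      return counts;
    },
    // Put the native method back.
    restore() { proto.addEventListener = original; },
  };
}

// Constructed demo: a bare EventTarget stands in for `document`, and the
// calls below stand in for a script injected by a host app.
function runConstructedDemo() {
  const audit = installListenerAudit();
  const page = new EventTarget();
  page.addEventListener('keydown', () => {});
  page.addEventListener('click', () => {});
  page.addEventListener('load', () => {});   // not an input event: ignored
  audit.restore();
  page.addEventListener('keyup', () => {});  // after restore: not recorded
  return { counts: audit.summary(), entries: audit.log };
}

console.log(runConstructedDemo().counts);
```

A shim like this only sees listeners registered after it is installed, and a recorded registration shows that a script subscribed to an event, not what data, if any, is collected or sent.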
Interestingly, of all the apps analyzed by Krause so far, TikTok is the only one that doesn't have an option to open links using a device's default browser. However, according to a TikTok spokesperson, to use a browser outside the app would be a "suboptimal / clunky experience" and wouldn't allow the company to ensure a secure user experience.
Editors' Note: This story was updated with comment from TikTok.