TikTok’s in-app iPhone browser sees everything you type


If you have TikTok installed on your phone, you may want to think twice before using the in-app browser. Security researcher Felix Krause recently discovered that the in-app browser in TikTok’s iOS app injects JavaScript code into every website users visit. Therefore, the app can monitor every keyboard entry and every tap on the screen.

Can the TikTok app see everything you type?

As Krause notes, an app injecting JavaScript into a website isn’t inherently malicious. Even if we know what an app is doing, we don’t know how the company uses the data.

For example, in the case of the TikTok in-app browser, Krause says the code “behaves like a keylogger.” That’s obviously incredibly concerning. But the company claims that it does not use the code in question to track everything you type or tap.

TikTok spokesperson Maureen Shanahan shared the following statement with Forbes:

Like other platforms, we use an in-app browser to provide an optimal user experience, but the Javascript code in question is used only for debugging, troubleshooting and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes.

Even if TikTok is not currently collecting every keystroke, the company could change its mind in the future. At the very least, it’s clearly worth thinking twice before typing a password or a credit card number into a third-party website on TikTok’s in-app browser.

How to avoid in-app browsers

In order to avoid any potential security pitfalls, Krause suggests switching to your device’s default browser whenever possible. In-app browsers usually give you a choice to switch to Safari or Chrome. There might even be a button at the bottom of the screen.

If not, you might have to go to the trouble of copying and pasting a URL from the in-app browser. TikTok is one app that doesn’t have a button to open a link in your device’s default browser. Your best bet might be to just search for the website you want to visit in your default browser rather than navigating through TikTok’s in-app browser.

If you want to know more about Krause’s research on in-app browsers, visit his website. You can also use his tool which checks for JavaScript injections by going to InAppBrowser.com from any in-app browser to see a detailed report.





Source link

Comments are closed.