TikTok’s In-App Browser Is Keylogging the User’s Input on iOS


A developer has discovered that TikTok’s in-app browser on iOS injects JavaScript that monitors all keyboard and tap input while the browser is in use. Felix Krause revealed that the browser uses JavaScript code that subscribes to every keyboard input, which can include private information such as passwords and credit card numbers.

• TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app. This can include passwords, credit card information and other sensitive user data. (keypress and keydown). We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites.
• TikTok iOS subscribes to every tap on any button, link, image or other component on websites rendered inside the TikTok app.
• TikTok iOS uses a JavaScript function to get details about the element the user clicked on, like an image (document.elementFromPoint).
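A page-side check for the pattern the bullets describe, added here as an example (not code from the article or from Krause’s research): it hooks addEventListener so a site can record which scripts subscribe to keystroke and tap events, and wraps document.elementFromPoint to count lookups. The allow-list of the page’s own script URLs and the use of the call stack as an origin hint are assumptions of this example.

```javascript
// Added example: monitor keystroke/tap subscriptions and elementFromPoint
// calls from the page's side. Not the article's or TikTok's code.
// Events matching the report (keydown/keypress) plus tap-related ones.
const WATCHED_EVENTS = new Set(['keydown', 'keypress', 'keyup', 'input', 'click', 'touchstart']);
const MONITOR_FLAG = Symbol('listenerMonitorInstalled');
const observedListeners = [];

// Wrap EventTarget.prototype.addEventListener (any class with that method works)
// and record every subscription to a watched event type.
function installListenerMonitor(Target = globalThis.EventTarget) {
  const proto = Target.prototype;
  if (proto[MONITOR_FLAG]) return observedListeners;
  const original = proto.addEventListener;
  proto.addEventListener = function (type, listener, options) {
    if (WATCHED_EVENTS.has(type)) {
      observedListeners.push({
        type,
        // Assumption: the call stack is the only origin hint available; script
        // injected by a host app carries none of the page's own script URLs.
        stack: new Error().stack || '',
      });
    }
    return original.call(this, type, listener, options);
  };
  proto[MONITOR_FLAG] = true;
  return observedListeners;
}

// Subscriptions whose stack mentions none of the page's own script URLs.
// With an empty allow-list every watched subscription is reported.
function findForeignListeners(ownScriptUrls = []) {
  return observedListeners.filter(
    (rec) => !ownScriptUrls.some((url) => rec.stack.includes(url))
  );
}

// Wrap document.elementFromPoint and return the growing list of calls,
// so the page can see how often something is resolving tap coordinates.
function monitorElementFromPoint(doc = globalThis.document) {
  if (!doc || typeof doc.elementFromPoint !== 'function') return null;
  const original = doc.elementFromPoint;
  const calls = [];
  doc.elementFromPoint = function (x, y) {
    calls.push({ x, y, stack: new Error().stack || '' });
    return original.call(doc, x, y);
  };
  return calls;
}
```

In a browser, call installListenerMonitor() as early as possible in the page’s first script and pass your own script URLs to findForeignListeners(); anything left is worth inspecting.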

Krause published a report last week detailing the risks of using in-app browsers in various mobile apps. He found that while some apps use Apple’s Safari browser, or at least offer it as an option, TikTok’s in-app browser does neither and is able both to modify a web page and to fetch metadata. TikTok responded to Forbes with a statement acknowledging the feature but said it exists to provide an optimal user experience.

“Like other platforms, we use an in-app browser to provide an optimal user experience, but the Javascript code in question is used only for debugging, troubleshooting and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes,” spokesperson Maureen Shanahan said in a statement.

Felix researched TikTok, Instagram, FB Messenger, Facebook (Meta), Snapchat, and Robinhood. While TikTok’s in-app browser is the only one that does not offer an option to use the default browser, it is not alone in other data-gathering behavior. He created the table below; in the original, the yes/none links go to screenshots of the apps and their script commands.

| App | Option to open in the default browser | Modify page | Fetch metadata | JS | Updated |
|---|---|---|---|---|---|
| TikTok | ⛔️ | Yes | Yes | .js | 2022-08-18 |
| Instagram | Yes | Yes | Yes | .js | 2022-08-18 |
| FB Messenger | Yes | Yes | Yes | .js | 2022-08-18 |
| Facebook | Yes | Yes | Yes | .js | 2022-08-18 |
| Amazon | Yes | None | Yes | .js | 2022-08-18 |
| Snapchat | Yes | None | None | | 2022-08-18 |
| Robinhood | Yes | None | None | | 2022-08-18 |

Table: Felix Krause

Source: KrausFX (via TechCrunch)


Peter Brosdahl