TikTok’s in-app browser found to be recording your keystrokes

Felix Krause, a software researcher and founder of Fastlane, recently published a report on the popular social app TikTok. Krause claims that JavaScript code injected into the app's in-app browser can track keystrokes, screen taps, copied text and more, and he deems this a major security concern. TikTok says the code is strictly for debugging and is not used to track or log users' information while they use the app.

TikTok is widely regarded as one of the most popular mobile apps today, especially among the young. With 2.6 billion downloads since its launch in 2016, and TikTok's own claim of up to one billion active global users, that reputation is well earned.

TikTok has had its fair share of security concerns in the past, with FCC commissioner Brendan Carr going so far as to call on Apple and Google to remove it from their respective app stores. Those concerns were recently brought back into focus by a report from Felix Krause, a well-known software researcher and founder of Fastlane.

Krause states that TikTok injects JavaScript code into its in-app browser, the browser that opens when users tap a link while scrolling through the app. He notes that injecting code into the browser is not in itself the concern: nearly all apps with an integrated browser do this, including Facebook, Instagram and Snapchat. The concern is what that JavaScript does while the user interacts with the page.

Krause reveals that the code records the location of screen taps and the text a user copies while in the browser. Most importantly, the code registers a handler for every keystroke made inside the browser, which is enough to capture passwords and credit card numbers typed into any third-party page opened from the app. The first two points are less alarming, Krause notes, since several apps track screen taps and copied text. TikTok, however, was the only app in his testing that hooked keystrokes in any way, and he insists this is a major security concern for users.
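To make the mechanism concrete, the following is an added example, written for this page, and is not TikTok's injected script nor code from Krause's report. It shows what a script injected into an in-app browser (a WebView or WKWebView user script) can observe by attaching listeners at the document level, where they cover every page the browser loads regardless of origin, and one best-effort way a page can notice such hooks. Node's built-in EventTarget and Event stand in for the DOM so it runs offline; the session events, the `targetName` field and the monitored event list are constructed for the demo.

```javascript
// Added illustration of the technique class; not TikTok's or Krause's code.
// Node's EventTarget/Event stand in for window.document and DOM events.

// Minimal event carrying the fields a real KeyboardEvent/MouseEvent/ClipboardEvent
// would expose. Property names are chosen to avoid clashing with Event's own getters.
class SimEvent extends Event {
  constructor(type, props = {}) {
    super(type);
    Object.assign(this, props);
  }
}

// Stand-in for window.document (assumption: a bare EventTarget is enough here).
function makeDocument() {
  return new EventTarget();
}

// What an injected tracking script can do: listen once, at document level, and every
// page opened in the in-app browser is covered, including login and payment forms.
function installTracker(doc) {
  const log = [];
  doc.addEventListener('keydown', (e) =>
    log.push({ type: 'keydown', key: e.key, target: e.targetName }));
  doc.addEventListener('click', (e) =>
    log.push({ type: 'click', x: e.clientX, y: e.clientY }));
  doc.addEventListener('copy', (e) =>
    log.push({ type: 'copy', text: e.selectionText }));
  return log;
}

// Recover the typed text from captured keydown events (single-character keys only).
function reconstructTyped(log) {
  return log
    .filter((e) => e.type === 'keydown' && e.key.length === 1)
    .map((e) => e.key)
    .join('');
}

// Best-effort detection from the page side: wrap addEventListener before any other
// script runs and record which input-related event types get hooked on the document.
// Caveat: a user script injected at document start runs before page code and is
// not caught this way, so this is a signal, not a guarantee.
const WATCHED = ['keydown', 'keyup', 'keypress', 'input', 'click', 'touchstart', 'copy', 'paste'];
function installMonitor(doc) {
  const hooked = [];
  const original = doc.addEventListener.bind(doc);
  doc.addEventListener = function (type, listener, options) {
    if (WATCHED.includes(type)) hooked.push(type);
    return original(type, listener, options);
  };
  return hooked;
}

// Constructed session: the user types a password, taps a button, copies a link.
function simulateSession(doc) {
  for (const ch of 'hunter2') {
    doc.dispatchEvent(new SimEvent('keydown', { key: ch, targetName: 'input[type=password]' }));
  }
  doc.dispatchEvent(new SimEvent('keydown', { key: 'Enter', targetName: 'input[type=password]' }));
  doc.dispatchEvent(new SimEvent('click', { clientX: 120, clientY: 640 }));
  doc.dispatchEvent(new SimEvent('copy', { selectionText: 'https://example.com/reset?token=abc' }));
}

// Run the monitor first (the favourable case for detection), then the tracker.
function demo() {
  const doc = makeDocument();
  const hooked = installMonitor(doc);
  const log = installTracker(doc);
  simulateSession(doc);
  return { hooked, log, typed: reconstructTyped(log) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of `reconstructTyped` is that the injected script never needs to read the password field itself: the keystrokes arrive one by one through the listener, and the page's own origin policy does nothing to stop it, because the script runs inside the same document. The monitor only sees hooks installed after it, which is why a user script injected at document start, the normal way apps inject into a WebView, would slip past it.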

TikTok was quick to dispute Krause's report, insisting that the JavaScript code handling keystrokes, screen-tap data and copied text is used strictly for debugging.

The company further points out that the code came from a "third-party software development kit," or SDK, and that the functions in question are not used or monitored by TikTok. When pressed, however, TikTok did not answer questions about the SDK or who specifically made it.

The rise of TikTok has brought with it monumental controversy. Since its early days there have been concerns about TikTok's parent company being closely linked to the Chinese government. The letter from the FCC commissioner, claiming that the app is used essentially to surveil users and extract their data, was only the latest of many calls to stop using the app.

Krause's findings simply add another reason to stop using TikTok. But will users and content creators care? For some, the security concerns may far outweigh the entertainment value TikTok provides, but last we checked TikTok's ad revenue was predicted to hit $11 billion, more than Twitter and Snapchat combined.