A new independent investigation has revealed a number of invasive tracking capabilities in popular apps like TikTok, Instagram and FB Messenger.
In addition to potentially tracking sensitive information such as usernames, passwords and credit card details, the investigation uncovered the ability of numerous popular apps to access users’ scrolling behavior, screen taps and even keyboard inputs.
These findings come from a report published by security expert Felix Krause, founder of the app automation platform Fastlane, whose research has generated significant media attention since its publication in August earlier this year.
Krause initially reported that the iOS Instagram and Facebook apps are capable of “tracking every interaction with external websites, from every form input like passwords and addresses, to every tap.”
A week later, he followed up with a blog post that expanded on his findings by demonstrating how the potential for data tracking differs among popular apps, showing that TikTok had particularly alarming practices.
So how does it work?
If you use apps like TikTok or Instagram, you may have noticed that clicking on links in these apps doesn’t redirect to Safari, Chrome, or other third-party browsers, but instead loads the requested web page directly inside the app.
For example, links clicked on TikTok, such as ads or websites listed on creator profiles, display web pages through the TikTok app directly instead of your phone’s default browser of choice.
This is the work of “in-app browsers”, custom browser components that let an app display websites directly inside its own interface.
However, custom code allows for custom features, and one that Krause highlights as both common and highly problematic is the application’s ability to inject arbitrary JavaScript code into third-party websites opened through these built-in browsers.
In the case of TikTok, this could allow the app to essentially act as a keylogger and monitor all keystrokes made by the user.
Keyloggers are often synonymous with cybercriminal activity and are particularly alarming in the context of web browsing, given the high likelihood of users performing online transactions and account logins.
“TikTok iOS subscribes to all keystrokes (text input) that occur on third-party websites represented within the TikTok app. This may include passwords, credit card information, and other sensitive user data,” Krause said.
“We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third-party websites,” he added.
Krause emphasized that his post did not claim that TikTok actively uses its users’ browsing data for analytical or other purposes, but nevertheless claimed proof of “a system in place that is able to track all your clicks” to external websites.
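To make the mechanism concrete from the website operator’s side, here is an added example (not code from the article or from Krause’s research tooling) of a page-side hook that records which code registers keystroke listeners on the page. It assumes it runs as the very first script on the page, that the `trustedOrigins` list is supplied by the site, and all function names are illustrative.

```javascript
// Added example: a page-side audit of keystroke listener registrations.
// Rationale: a host app that "subscribes to all keystrokes" on a third-party page
// must, in the page's own JavaScript world, call addEventListener for key/input
// events. Wrapping that call lets the site notice registrations it did not make.
// Limitation (the point of the iOS 14.3 "content world" discussion): code injected
// into a separate content world has its own copy of the DOM prototypes and never
// calls this wrapper, so it stays invisible to page-side checks.

const KEYSTROKE_EVENTS = new Set(["keydown", "keyup", "keypress", "input", "beforeinput"]);

// Install the wrapper on `proto` (EventTarget.prototype in a browser) and return an
// audit object. Each keystroke-related registration is recorded with the origin of
// the calling script, derived from the (non-standard but widely supported) stack trace.
function installListenerAudit(proto, trustedOrigins) {
  const original = proto.addEventListener;
  const findings = [];
  proto.addEventListener = function auditedAddEventListener(type, listener, options) {
    if (KEYSTROKE_EVENTS.has(type)) {
      const origin = callerOrigin(new Error().stack);
      findings.push({ type, origin, trusted: trustedOrigins.includes(origin) });
    }
    return original.call(this, type, listener, options);
  };
  return {
    findings,
    untrusted: () => findings.filter((f) => !f.trusted),
    uninstall: () => { proto.addEventListener = original; },
  };
}

// Heuristic: the origin of the first stack frame outside our own wrapper that carries
// an http(s) URL. Scripts injected by the host app usually run from an anonymous
// source with no URL, which is reported as "none" and therefore never trusted.
function callerOrigin(stack) {
  for (const frame of (stack || "").split("\n")) {
    if (frame.includes("auditedAddEventListener")) continue; // skip our wrapper frame
    const m = /(https?:\/\/[^/\s)]+)/.exec(frame);
    if (m) return m[1];
  }
  return "none";
}
```

Any listener that a host app registered before this script ran is missed, so the hook only has value when it is the first code the page executes.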
Is TikTok the worst offender?
Referring to the alleged keystroke tracking capabilities, Krause stated “according to TikTok, it’s disabled at this time.”
However, TikTok’s claims have not always been consistent with its actions.
When it recently appeared before a parliamentary committee, TikTok apparently did not mention China’s legal ability to access user data and instead gave evidence assuring Parliament that Australian user data on its platform was safe.
It was only a few months later, thanks to a whistleblower incident, that more of the truth about TikTok’s data-sharing practices came to light.
Also, TikTok seems to be particularly insistent on directing users to its in-app browser.
Instagram, for example, will default to your in-app browser, but it also offers a fairly accessible option via the three-dot button in the top right corner to use a default browser.
TikTok, however, does not show a similar option for out-of-app navigation, so users can either manually copy and paste a provided website link into the default browser or continue using the browser within the TikTok app.
Bring the bans
Prior to this research, it was commonly accepted that in-app browsers existed for the simple purpose of holding the user’s attention within the host application.
However, these latest findings indicate that in addition to retaining users’ attention, in-app browsers may offer app providers a number of excessive tracking capabilities and incentives.
The ethics and necessity of these alleged data tracking capabilities are questionable to say the least, and to make matters worse, Krause suggests that the controversial JavaScript code used by app browsers will soon be harder to track.
Since the release of iOS 14.3, Apple supports the execution of JavaScript code in a specified “content world”, which can essentially separate the web environment of an app from the environment of individual web pages.
This allows apps to effectively hide JavaScript commands executed on third-party websites, and if implemented by apps like TikTok and Instagram, could make it much more difficult for researchers to detect tracking activity in the future.
Given the questionable nature of in-app browsers and the growing ability to hide their JavaScript activity, Krause stated, “I think Apple and Google should start banning in-app browsers and they will.”