Security researcher and software engineer Felix Krause has revealed startling details about popular applications and explained how these apps track and collect user data through in-app browsers.

In his research, Krause examined the code injected into a website to monitor user activity, including the links clicked or ads viewed, when the site is opened through an app.

About Felix Krause

The Vienna-based Krause is the founder of Fastlane, an app-testing company acquired by Google in 2017. The researcher is known for work highlighting privacy flaws in smartphone devices.

For instance, in October 2017, Krause revealed that any rogue app on an iPhone could secretly use the device’s camera to spy on the user, abusing the permission granted by default and using both the front and rear cameras for malicious purposes.

The same year, the researcher showed how cybercriminals could use iPhone’s pop-up dialog boxes to carry out phishing attacks, tricking unsuspecting users into providing their Apple ID passwords.

Research Analysis

To validate his findings, Krause assessed several apps, including TikTok. When he clicked a link in the TikTok app, it opened in the platform’s in-app browser instead of the default browser. This indicated that TikTok’s in-app browser could monitor user activity on the external sites users access through TikTok.

What happens is that the app injects code into the site to modify its functionality, allowing it to monitor sensitive user activity such as keystrokes and to capture personal data such as passwords or credit card numbers.
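The injection described above leaves traces a site owner can look for. The following is an added example, not code from Krause’s research, from TikTok, or from any app named in this article; it assumes every legitimate script on the site is served from the placeholder origin `https://example.test`, and that injected code shows up either as a `<script>` node added after load or as a keystroke/tap listener registered on `document` or `window`.

```javascript
// Added example, not code from Krause's research or from TikTok: a page-side
// check a site owner can embed to notice script injection by an in-app browser.
// ASSUMPTION: all of the site's own scripts come from SITE_ORIGIN (placeholder).
const SITE_ORIGIN = "https://example.test";
// Event types that, when hooked on document/window, can capture keystrokes or taps
const SENSITIVE_EVENTS = new Set(["keydown", "keyup", "keypress", "input", "touchstart", "click"]);

// Classify one script record {src, inline}: anything not from the site's origin is foreign
function classifyScript(rec, siteOrigin = SITE_ORIGIN) {
  if (rec.inline) return { foreign: true, reason: "inline script added after load" };
  let origin;
  try { origin = new URL(rec.src, siteOrigin).origin; }
  catch (e) { return { foreign: true, reason: "unparseable src" }; }
  if (origin === siteOrigin) return { foreign: false, reason: "same-origin" };
  return { foreign: true, reason: "third-party origin " + origin };
}
// A listener record {target, type} is a global hook if attached to document/window
function isSensitiveListener(rec) {
  return (rec.target === "document" || rec.target === "window") && SENSITIVE_EVENTS.has(rec.type);
}
// Pure summary over collected records; this is what a reporter would send home
function summarize(scripts, listeners, siteOrigin = SITE_ORIGIN) {
  const foreignScripts = scripts.filter((r) => classifyScript(r, siteOrigin).foreign);
  const globalHooks = listeners.filter(isSensitiveListener);
  return { foreignScripts, globalHooks, suspicious: foreignScripts.length > 0 || globalHooks.length > 0 };
}
// Browser-only hookup: a MutationObserver records <script> nodes inserted after
// load, and a wrapper around addEventListener records global listener registrations.
function installMonitor(report = console.warn, siteOrigin = SITE_ORIGIN) {
  if (typeof document === "undefined") return null; // not running in a browser
  const scripts = [], listeners = [];
  const check = () => {
    const s = summarize(scripts, listeners, siteOrigin);
    if (s.suspicious) report("possible in-app browser injection", s);
  };
  new MutationObserver((muts) => {
    for (const m of muts) for (const n of m.addedNodes) {
      if (n.tagName === "SCRIPT") scripts.push({ src: n.src, inline: !n.src });
    }
    check();
  }).observe(document.documentElement, { childList: true, subtree: true });
  const origAdd = EventTarget.prototype.addEventListener;
  EventTarget.prototype.addEventListener = function (type, ...rest) {
    const target = this === document ? "document" : this === window ? "window" : "element";
    listeners.push({ target, type });
    check();
    return origAdd.call(this, type, ...rest);
  };
  return { scripts, listeners };
}
```

Code that the host app evaluates directly without touching the DOM or registering listeners will not be seen by these two hooks, so a clean result is absence of evidence rather than proof that nothing was injected.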

TikTok's In-App Browser Can Monitor Your Activity on External Websites
Credit: Felix Krause

Speaking with Forbes, Krause stated that this seems to be an “active choice” of the company. “This is a non-trivial engineering task. This does not happen by mistake or randomly,” Krause added.

Overall, Krause examined seven iPhone apps with in-app browsers: Facebook, Instagram, Facebook Messenger, Snapchat, Robinhood, and Amazon, in addition to TikTok. He found that TikTok was the only app that monitored keystrokes, whereas Instagram could monitor taps and the images the user clicks on.

However, TikTok claims this feature is disabled and that the in-app browser cannot log keystrokes. But the presence of this capability is a red flag, as it poses a serious risk to users and could undermine their confidence in e-commerce.


TikTok’s Response

TikTok has yet to issue a formal response to these findings. However, the company’s representative, Maureen Shanahan, admitted that these features are present in the app’s code but said TikTok has never used them to monitor user activity.

Shanahan also stated that the in-app browser is used to enhance the user experience, and that the JavaScript code is used for “debugging, troubleshooting, and performance monitoring of that experience.”

The representative claims the in-app browser is there to check how fast a page loads and whether it crashes.

Furthermore, the company stated that the code is part of a third-party SDK (software development kit) used to build and maintain apps. However, TikTok noted that it does not use many of this SDK’s features.

This is not the first time TikTok has made headlines over privacy concerns. In August 2020, The Wall Street Journal accused the Chinese social media giant of collecting MAC addresses and unique identifiers from its users’ Android devices and sending them to ByteDance, its parent company.
