The web browser built into the TikTok app can track every keystroke made by its users, according to new research that comes as the Chinese-owned video app faces concerns from US lawmakers over how it handles the information it collects.
Research by Felix Krause, a privacy researcher and former Google engineer, did not show how TikTok uses the feature, which is built into the app’s browser that appears when someone clicks on an external link.
But Krause said the finding is troubling because it shows that TikTok has built-in functionality to track users’ online habits, should it choose to do so.
Collecting information about what people type on their phones while visiting external websites, which can reveal credit card numbers and passwords, is often a feature of malware and other hacking tools.
While major tech companies can use these trackers while testing new software, it’s not common for them to release a large commercial app with the feature whether or not it’s enabled, the researchers said.
“Based on Krause’s findings, the way the TikTok app’s custom browser monitors keystrokes is problematic as the user can enter sensitive data such as login credentials on external websites,” said Jane Manchun Wong, an independent software engineer and security researcher who studies new features in applications.
She said the TikTok browser can “pull information from users’ external browsing sessions, which some consider excessive.”
In a statement, TikTok, owned by Chinese company ByteDance, said that Krause’s report is “incorrect and misleading” and that the feature is used for “debugging, troubleshooting and performance monitoring.”
“Contrary to the allegations in the report, we do not collect typing or text input via this code,” TikTok said.
Krause said he was unable to verify that typing was actively tracked and that information was being sent to TikTok.
The research could raise questions for TikTok in the United States, whose authorities are examining whether the popular app could jeopardize national security by sharing information about American citizens with China.
While discussion in Washington over the app has subsided during the Biden administration, new concerns have emerged in recent months following revelations from BuzzFeed News and other news outlets about TikTok’s data practices and ties to its Chinese parent.
Applications sometimes use built-in browsers to prevent people from visiting malicious websites or to make online browsing easier by auto-completing text.
But while Facebook and Instagram can use built-in browsers to track data like what websites a person has visited, what they’ve highlighted and what buttons they’ve pressed on a website, TikTok goes even further, using code capable of tracking every character entered by the user, said Krause.
A spokesperson for Meta, the parent company of Facebook and Instagram, declined to comment.
Krause said he performed the TikTok research only on Apple’s iOS operating system and noted that keystroke tracking occurred only in the app’s browser.
Like many apps, TikTok offers little chance for people to click away from its service. Instead of redirecting to mobile browsers like Safari or Chrome, an embedded browser appears when users click on advertisements or links embedded in other users’ profiles.
It is often at these times that people enter important information, such as credit card details or passwords.
In an interview with CNN in July, Michael Beckerman, a policy executive at TikTok, denied that the company records user typing, but acknowledged that it monitors typing patterns, such as typing frequency, to guard against fraud.
Krause said he feared these tools would have “very similar architectures” and could be repurposed to track typing content.
“The problem is they have the infrastructure in place to do these things,” he said.
Translated by Luiz Roberto M. Gonçalves