JAKARTA - TikTok has the ability to track every tap of your screen while you browse on its iOS app. This includes passwords typed and links clicked. This is reported in a study by software engineer, Felix Krause.
In-app browsing refers to any activity on a third-party site that is open in the app, not in an external window.
On Thursday, August 25, Krause released a report examining the JavaScript code that the social media platform injects into third-party sites that allow it to track user activity.
Krause's security tool InAppBrowser.com reveals the TikTok iOS app has the ability to monitor all keystrokes, text input, and screen taps, which can include sensitive personal data such as credit card information and passwords.
Krause notes, that "just because an app injects JavaScript into an external website, doesn't mean the app is doing anything malicious".
"There's no way for us to know the full details of what kind of data each browser in the app collects, or how, or if that data is transferred or used," Krause said.
Priyadarsi Nanda from the University of Technology's School of Electrical and Data Engineering said gathering information about keystrokes is very similar to the behavior of a keylogger, a type of malware.
“Any website you visit, it needs your input,” he said. "This is definitely a problem for any app you don't trust."
A TikTok spokesperson told Guardian Australia that the "report's conclusions about TikTok are untrue and misleading".
"Researchers specifically say the JavaScript code doesn't mean our app is doing anything malicious, and acknowledge that they have no way of knowing what kind of data the browser collects in our app," the spokesperson said.
"Contrary to the report's claims, we do not collect keystrokes or text input via this code, which is only used for debugging, troubleshooting and performance monitoring," the spokesperson added.
Besides TikTok, Krause also reviews iOS apps such as Instagram, Facebook, Facebook Messenger, Amazon, Snapchat, and Robinhood. TikTok was the only app found not to offer users the option to switch from in-app browsing to an external browser when accessing third-party sites.
“TikTok has the most extensive surveillance capabilities,” said Uri Gal, professor of business information systems at the University of Sydney.
“Many people who use the app are not aware of the scrutiny placed on them in it. TikTok's user base is much younger than Facebook and Instagram, which makes them much more vulnerable," said Gal.
Gal said TikTok "presents a different kind of risk" because of parent company ByteDance's alleged ties to the Chinese Communist Party.
"The surveillance function can be used to gather as much information as possible for industrial espionage purposes, and shape public opinion that is more in their interest," he said.
A report released by the Australian-US cybersecurity firm Internet 2.0 in July warned that the Chinese government could use the app to collect personal information, from in-app messages to device location.
ByteDance has denied ties to the Chinese government in the past and called the claims “misinformation” after various leaks suggested censoring material that was not aligned with China's foreign policy goals or cited the country's human rights record.
Krause's research found Instagram also has the ability to track screen taps, such as when a user clicks on an image.
“There are privacy and data integrity issues when you use an in-app browser, such as how Instagram and TikTok display all external websites within their apps,” Krause wrote in the report. Meta injects code into websites to track its users, the study said.
Gal says Instagram and Facebook practices are almost as widespread as TikTok.
“Their main motivation is almost purely commercial and financial, whereas with TikTok, there is an element of national security that I don't think exists directly with the others,” said Gal.
A spokesperson for Instagram's parent company Meta said "in-app web browsers are common across the industry".
"At Meta, we use in-app browsers to enable a safe, convenient and reliable experience, such as ensuring autofill is filled in correctly or preventing people from being redirected to malicious sites," the spokesperson said.
“Adding all these types of features requires additional code. We have carefully designed this experience to respect users' privacy choices, including how data can be used for advertising," said a Meta spokesperson.
In a statement from TikTok, which was included in the Krause report, spokeswoman Maureen Shanahan said: "Like other platforms, we use in-app browsers to provide an optimal user experience, such as checking how fast a page loads or if it crashes."
Nanda said the social media platform did not disclose how much personal data was left with the company or whether it was shared with third parties.
“They can pass that information on to third-party service providers, who play a critical role in launching sophisticated attacks of any kind,” Nanda said, pointing to hacks that steal data like credit card information, and malware attacks that freeze computers or lock files. "That's the real risk," he said.
The English, Chinese, Japanese, Arabic, and French versions are automatically generated by the AI. So there may still be inaccuracies in translating, please always see Indonesian as our main language. (system supported by DigitalSiber.id)
