Social media logging keystrokes (Read 339 times)
John Smith
Aug 22nd, 2022 at 2:15pm
 
Quote:

TikTok's in-app browser can monitor your keystrokes, including passwords and credit cards, researcher says

Have you ever clicked open a link while scrolling through an app on a mobile?

New research has revealed some of the data popular apps can track and collect while using in-app browsers.

Software engineer and security researcher Felix Krause has assessed what code is injected onto a website to gather user activity when it is opened through an app.

This includes any ads or links clicked through a creator's profile.

For example, any link clicked through TikTok will open within the app using the platform's in-app browser rather than a default browser like Chrome or Safari.

The JavaScript code embedded by TikTok allows the company to monitor all keystrokes — the equivalent of a keylogger — as well as every tap on the screen, and text inputs including passwords and credit card information.

"Installing a keylogger is obviously a huge thing… according to TikTok it's disabled at the moment," Mr Krause said.

"The problem is they do have the infrastructure and the systems in place to be able to track all these keystrokes… that on its own is a huge problem.

"The fact that they have this system already is a huge risk for every user."

The Vienna-based researcher is the founder of Fastlane, a testing platform for Android and iOS apps, acquired by Google five years ago.

He has been looking at the risks of in-app browsers for several years, but the increased use by big tech companies spurred him to look at the code behind each platform.

On Thursday he released a report on his findings after creating a security tool, InAppBrowser.com, for anyone to see what apps can track when using their in-app browsers.

It can recognise what apps like TikTok, Instagram and Meta can track but it is unable to tell us what data each app chooses to collect, transfer or use.

Although InAppBrowser.com finds commands embedded in the code, the full extent of what apps implement on third-party websites is unknown, partially due to an iOS 14.3 update in December 2020, allowing some JavaScript commands to be undetectable.

The JavaScript security risk does not end with TikTok.

Another app Mr Krause investigated was Instagram, which was found to have the ability to observe phone taps including clicks on images.

Leading computer scientist and Systems Approach co-founder Bruce Davie said app behaviour of this nature undermined user confidence in e-commerce.

"It's alarming to see how much information can be tracked that people aren't aware of – including potentially any user interaction with a website," Mr Davie said.

"The issue appears widespread, with tracking code observed in the apps of Facebook and Instagram as well as TikTok."

TikTok confirmed the existence of the code and claimed they were not collecting user data using the injected code.

"We do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring," a TikTok spokesperson said.

There is no way to verify whether the data is being collected or used.

According to a spokesperson, the gathering of personal data would go against TikTok's privacy policy, which does allow for browsing history in the in-app browser to be collected to improve user experience.

Mr Krause said apps in their infancy used this data to find errors and debug before scaling and later delete the functionality — something TikTok had failed to do.

"Those [data tracking abilities] should not end up in the final version of the app that has been used by millions of people," Mr Krause said.

"That's not something that happens by mistake… especially at a company this size."



https://www.abc.net.au/news/2022-08-22/tiktok-in-app-browser-can-monitor-keystro...



It should be a criminal offense for any app to log keystrokes.


UnSubRocky
Reply #1 - May 18th, 2023 at 3:17pm
 
I got a 29-day Facebook restriction for using the word "sexy" in a comment. Facebook need to upgrade their standards from "hypersensitive reactionaries" to more along the lines of "guarded vigilance". They can keep hunting to remove violent and pornographic content from their website network. But, having innocent comments censored is just over the top.