TikTok’s In-App Browser Has Code to Track Users’ Inputs and Activity

Tick tock goes the clock. It seems that every day we find more examples of the ways some of the most popular social media apps are collecting data on users. Now TikTok itself seems to be wound up pretty tight about allegations they’re keylogging users using code found inside the in-app browser.

The security researcher Felix Krause wrote in a Thursday blog post that there are multiple apps that are modifying pages using JavaScript, but one very popular app in particular seems the most troubling. Krause wrote that code found deep in the bowels of TikTok has the capacity to monitor all keyboard and tapping inputs, otherwise known as keylogging.

TikTok does not give users the option to open links on their device’s default browser. The researcher said that on iOS devices, TikTok has the capacity to modify pages and use JavaScript code to fetch metadata, which is by itself not very concerning since it doesn’t do much to quantify user activity. However, using a tool he developed, Krause was able to spot additional JavaScript code that has the capacity to record every text input and click. So when you click a link inside the social app, the keylogging code has the capacity to record passwords or even credit card information. It can track what links you click on, or what messages you might send to friends, as long as you’re operating within the in-app browser.

Krause shows his homework, relaying exactly what code he found that relates to keylogging. Listeners for “keypress” or “keydown” events fire on every key press; “unload” events fire when you navigate from one page to another, which means the app knows when you’ve moved on.
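To make the listener types concrete from the defender's side, here is an added example (not code from the article, from Krause's tool, or from any app it names): a page-side hook on addEventListener that records which scripts subscribe to keystroke and navigation events, and flags keystroke listeners attached page-wide rather than to a single form field. It assumes Node's built-in EventTarget as a stand-in for the browser's document; in a browser the hook goes in the first inline script.

```javascript
// Added example, not code from the article, Krause's tool or any app it names.
// Hooking EventTarget.prototype.addEventListener before other scripts run means
// later subscriptions to keystroke and navigation events are logged for review.
// Assumption: Node's built-in EventTarget stands in for the browser's document.
const INPUT_EVENTS = new Set(["keypress", "keydown", "keyup", "input", "beforeinput"]);
const NAV_EVENTS = new Set(["unload", "beforeunload", "pagehide"]);

function installListenerMonitor(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const log = [];
  proto.addEventListener = function (type, listener, options) {
    if (INPUT_EVENTS.has(type) || NAV_EVENTS.has(type)) {
      const capture = options === true || Boolean(options && options.capture);
      log.push({ target: this, type, capture });
    }
    return original.call(this, type, listener, options); // keep normal behaviour
  };
  return { log, uninstall: () => { proto.addEventListener = original; } };
}

// A keystroke listener on a document-wide target sees every key typed on the page
// (the "record every text input" case); the same event on one field is ordinary validation.
function summarize(log, documentWideTargets) {
  const wide = new Set(documentWideTargets);
  const summary = { globalKeyCapture: [], fieldScoped: [], navigationTracking: [] };
  for (const entry of log) {
    if (NAV_EVENTS.has(entry.type)) {
      summary.navigationTracking.push(entry.type);
    } else if (wide.has(entry.target)) {
      summary.globalKeyCapture.push(entry.type);
    } else {
      summary.fieldScoped.push(entry.type);
    }
  }
  summary.suspicious = summary.globalKeyCapture.length > 0;
  return summary;
}

// Constructed demo: one page-wide target and one form field.
function demo() {
  const monitor = installListenerMonitor();
  const fakeDocument = new EventTarget();
  const passwordField = new EventTarget();
  passwordField.addEventListener("input", () => {});        // benign, field-scoped
  fakeDocument.addEventListener("keypress", () => {}, true); // page-wide keystrokes
  fakeDocument.addEventListener("keydown", () => {});
  fakeDocument.addEventListener("unload", () => {});         // navigation tracking
  monitor.uninstall();
  return summarize(monitor.log, [fakeDocument]);
}
```

A script injected into an isolated WKContentWorld gets its own copy of the JavaScript objects and never calls the page's patched prototype, which is the blind spot Krause describes later in the piece.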

TikTok has told reporters that, though the code is frontloaded in the app, they just “don’t use it” except to debug and troubleshoot. In a statement sent to Gizmodo, a TikTok spokesperson said: “The report’s conclusions about TikTok are incorrect and misleading. The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects. Contrary to the report’s claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring.”

Ari Lightman, a professor of digital media and marketing at Carnegie Mellon University, told Gizmodo in a phone interview that he doesn’t fully buy the claims TikTok is selling about its JavaScript code. While there are certainly security and user-experience components to why this code exists, social media companies make a good amount, if not the vast majority of their profits from advertising, and user data is a big part of that.

“One of the common factors is they don’t want you to go off the platform,” Lightman said. “Users often don’t find their way back, and [TikTok] can’t collect data when it wants to monetise the platform… this is how they monetise information — by collecting more of users’ needs, wants, and personality profiles.”

The company has said that the JavaScript code is part of a software development kit, AKA an SDK, and that they don’t use that code remotely. According to the company, the SDK was built by a third party and includes the keylogging code, which has not been active as part of the company’s existing repertoire of user tracking capabilities.

They have even said that daring to direct users to browsers outside their app would just be a bad experience for users, which is of course a very condescending argument that forgets anybody who owns their own device can choose to download whatever browser they think works best for them.

Lightman was also sceptical about TikTok’s reasoning here. Companies like the ByteDance-owned TikTok are “very adept at developing machine learning models. These things [like the company’s SDK] get tested, analysed, and scrutinised very heavily,” so the idea that TikTok would just leave this code in there without using it “is a hard one to swallow.”

Krause did say that his research cannot tell whether TikTok or any other companies are actively using that JavaScript code to track users, but the fact that it exists in the first place puts extra onus on companies that have routinely shown they can’t be trusted with user data. The researcher had previously written about JavaScript code inside apps like Instagram and Facebook that could be used to track practically all user activity in their in-app web browsers. He said the code can monitor all interactions, text selections and clicks, even clicks on ads. In this latest update, the researcher also found that Instagram on iOS subscribes to every button press and link rendered inside the app. It even knows when you select a text field on a third-party website.

In a tweet statement last week, Meta spokesperson Andy Stone wrote that the researcher’s claims “misrepresent” how Meta’s in-app browsers work.

And as if all this wasn’t concerning enough, Krause wrote that these apps have the capacity to hide their JavaScript using an already established iOS tool, WKContentWorld, which runs injected JavaScript in an isolated environment so that websites can’t see or interfere with it. If any of these companies wanted to hide their activity from websites or the researcher’s tools, they could, and pretty easily at that.

“Tech companies that still use custom in-app browsers will very quickly update to use the new WKContentWorld isolated JavaScript system, so their code becomes undetectable to us,” Krause wrote in his blog post.

Apple did not immediately respond to Gizmodo’s request for comment on whether it would change any iOS features to restrict apps from including keylogging scripts or otherwise stop apps from hiding the fact that they were running such code.

TikTok has already taken massive amounts of heat from proponents of internet privacy and from lawmakers on both sides of the aisle (though, as you can expect, it’s for different reasons) after reports alleged TikTok staff were aware that U.S. data was being collected by Chinese government officials. A recent report from Gizmodo based on internal documents showed TikTok has been working overtime to downplay their new identity as the company that offers up user data to the giant data-collecting maw that is Beijing. Lawmakers on Capitol Hill could be on the verge of passing a massive data privacy law, but some are sceptical it will pass before deadlines close in.

“In the future we’re going to see privacy legislation and more auditing legislation to verify this,” Lightman said. “Within a verified platform, if they’re doing it for economic reasons, they have to stipulate that, if they’re doing it for user experience, that’s fine too. It’s being opaque with the rationality that gets people to say ‘wait a minute…’ You have to be open with what your plans are.”