Another data study is out this week, and it warns TikTok users about a potential privacy nightmare: Recently, a security expert revealed that the in-app browser for TikTok injects JavaScript into external websites, potentially posing security problems. This is the social media giant’s most recent security blunder; it is still under investigation by US lawmakers following the disclosure of leaked audio that the video hosting service may have been exchanging US user data with China.

China-based corporation TikTok is the owner of the hugely popular app. It’s not surprise that many US-based news media sites leaped at the chance to report on security researcher Felix Krause’s findings (Opens in a new window) given the political tension between the two nations. According to testing on his website, Krause’s in-app browser injects a code that subscribes to all keyboard inputs and every tap on the screen when a user views a URL inside the TikTok iOS app. Krause asserts that from a technical standpoint, “We can’t know what TikTok uses the subscription for, but this is the equivalent as placing a keylogger on third-party websites.”

However, contrary to the accusations in the paper, we do not gather keystroke or text inputs using this code, which is only used for debugging, troubleshooting, and performance monitoring, a TikTok representative maintained.

YOU CAN BE TRAINED BY IN-APP BROWSERS The worries about the TikTok app’s browser go beyond China-panic paranoia. The precise information about the data that TikTok’s in-app browser gathers and how it uses that data is unknown. According to Krause’s research, the in-app browser for TikTok could theoretically be used to gather data like credit card details, passwords, Social Security numbers, and other extremely private personal information.

PCMag Logo

It’s Surprisingly Simple to Increase Online Security The good news is that TikTok claims not to be gathering that data. The bad news is that, even if ByteDance Ltd, the company that created TikTok, is to be believed, other well-known applications from other companies also have browsers that can track you across the internet. According to Krause’s research, in-app browsers are also available for Amazon, Facebook, Messenger, Instagram, Robinhood, and Snapchat.

In recent years, Apple and Google have taken steps to stop advertising from following mobile users online. The cookie replacement proposal for Google Chrome is currently in progress. Apple mandates that each app in its store explicitly ask users’ permission before tracking their data between apps or on unofficial websites.

A IN-APP BROWSER IS WHAT? By developing in-app browsers, app developers circumvent tracking barriers. Ads and links are automatically opened by in-app browsers in an app. Krause utilized the Instagram app as an example in his research. Every website you open in Instagram receives a tracking JavaScript snippet. Instagram is aware of your actions within the app, the photographs you have viewed, how long you have spent on a page, and other comparable data, according to its Privacy Policy (Opens in a new window) . In order to better tailor the advertisements you see on Instagram or other Meta properties, this data is utilized to paint a picture of you, the user.

Developers may choose to establish in-app browsers for a variety of totally legitimate, non-advertising-related purposes. Krause uses the example of an airline that integrated seat selection into its app using a predesigned web interface.

Additionally, some apps only employ in-app browsers for internal content like Terms of Service agreements or Privacy Policy statements. Users’ default browser is used to open external websites when they tap links to them.

WAYS TO RESIST USING IN-APP BROWSERS Avoiding entering sensitive information into an in-app browser is the most critical piece of advice given here. Read each app’s privacy statement carefully to learn what data the developer gathers and how it is used.

Close the app if you accidentally click on a link or an advertisement. The following advice should help you view the URL safely:

Use a secure browser instead. If you open a webpage using the in-app browser in most apps, you can choose to switch to Safari or your device’s default browser. The procedure varies depending on the program, but if you find yourself using an app while on a website, look for three dots or a Settings button. To access the Settings menu, tap that button. “Open in Browser” can be one of the choices. Simply copy and paste the URL from the browser’s address bar into the browser of your choice if you don’t see any Settings menu options.

Use a service’s online version. If you wish to limit the amount of private information you disclose on social media or cut back on your overall usage of social media, you may also stop using the app. Almost every social media site has a web version. With Facebook or Instagram on the web, you may peruse and remark to your heart’s content without being concerned about unintentionally disclosing personal information.

Do you enjoy what you’re reading? Receive a weekly additional story in your mailbox. Register to receive the SecurityWatch newsletter.


WHAT ELSE HAPPENED THIS WEEK IN THE SECURITY WORLD? Malware is served up via fake DDoS protection pages on WordPress sites. The software performs as a remote access trojan that can hijack a computer.

A record-breaking DDoS attack is thwarted by Google. Compared to the HTTPS DDoS attack that attacked Cloudflare in June, the current attack was 76% more potent.

Amazon’s Ring fixes a bug that would have allowed hackers to view recorded video. Android users of Ring were required to install a rogue software to exploit the bug. In May, the business covertly distributed a patch to fix the issue.

Can You Count on a VPN to Safeguard Your iPhone? Apple has let iOS to leak your data when using a VPN as far back as 2018 (iOS 12).

Hackers Are Exploiting 2 Flaws in iOS and macOS, thus it’s time to patch. One vulnerability allows malicious software to run on Apple’s WebKit engine, while the other elevates system rights.

APPRECIATE WHAT YOU JUST READ? For direct delivery of our top privacy and security stories to your inbox, subscribe to the SecurityWatch newsletter.

Advertisements, discounts, and affiliate links could be found in this newsletter. You agree to our Terms of Use and Privacy Policy by subscribing to a newsletter. You are always free to unsubscribe from the newsletters.


You may also like