You know how some popular apps don’t let you out of the app when you click on a link, opening said link in their own little in-app browser instead?
As it turns out, this enables these apps to monitor what you do. And among the most popular apps that do this, TikTok appears to be the worst offender.
In a blog post Thursday, security researcher Felix Krause announced the launch of InAppBrowser, a tool that lists all the JavaScript commands executed by an iOS app as its in-app browser renders a webpage.
To show what the tool can do, Krause analyzed some popular iOS apps that have an in-app browser, and the results are disturbing. Krause’s data shows that apps including TikTok, Instagram, Facebook Messenger, and Facebook, all modify webpages that are opened in the in-app browser. “This includes adding tracking code (like inputs, text selections, taps, etc.), injecting external JavaScript files, as well as creating new HTML elements,” Krause says. They also fetch website metadata, though Krause says this is “harmless.”
When Krause dug a little deeper into what these apps’ in-app browsers really do, he’d found that TikTok does some bad things, including monitoring all of users’ keyboard inputs and taps. So, if you open a web page inside of TikTok’s app, and enter your credit card details there, TikTok can access all of those details. TikTok is also the only app, out of all the apps Krause has looked into, that doesn’t even offer an option to open the link in the device’s default browser, forcing you to go through its own in-app browser.
In a statement to Forbes, a TikTok spokesperson confirmed the practice, but says that “the Javascript code in question is used only for debugging, troubleshooting, and performance monitoring of that experience.”
It’s all needed to provide “an optimal user experience,” she said.
Other apps Krause has looked at, like Instagram, also do some monitoring of their own, though none of them go as far as TikTok. And Snapchat and Robinhood are good examples, as they don’t modify webpages or fetch their metadata of the sites you open in their in-app browsers.
Krause warns that apps actually have a way of hiding their JavaScript activity from his InAppBrowser tool, meaning they could be doing more monitoring behind the scenes. For now, the only way to make sure they can’t do any monitoring is to open websites in the device’s default browser — if the app even offers this option.
Powered by WPeMatico