TikTok has the ability to track every tap of your screen while you browse in its iOS app, including typed passwords and clicked links, according to new research by software engineer Felix Krause.
In-app browsing refers to any activity on third-party sites that open in the app, rather than in an external window.
On Thursday, Krause released a report examining the JavaScript code that social media platforms inject into third-party sites opened in their in-app browsers, code that allows them to track users' activity on those sites.
Krause’s security tool, InAppBrowser.com, revealed the TikTok iOS app has the ability to monitor all keystrokes, text inputs and screen taps, which could include sensitive personal data like credit card information and passwords.
Krause noted, though, that “just because an app injects JavaScript into external websites, doesn’t mean the app is doing anything malicious”.
“There is no way for us to know the full details on what kind of data each in-app browser collects, or how – or if – the data is being transferred or used,” he said.
Priyadarsi Nanda of the University of Technology Sydney’s School of Electrical and Data Engineering said collecting information about keystrokes closely resembles the behaviour of keyloggers, a type of malware.
“Whichever website you go to, it takes your inputs,” he said. “This is definitely a concern for any app you don’t trust.”
A TikTok spokesperson told Guardian Australia the “report’s conclusions about TikTok are incorrect and misleading”.
“The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects,” the spokesperson said.
“Contrary to the report’s claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring.”
Besides TikTok, Krause assessed the iOS apps of Instagram, Facebook, Facebook Messenger, Amazon, Snapchat and Robinhood. TikTok was the only app found not to offer users the option of switching from in-app browsing to an external browser when accessing third-party sites.
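The defensive counterpart to what the article describes is on the website's side: a site that collects passwords or card details cannot remove JavaScript a host app injects into its own WebView, but it can recognise that it is being rendered inside one and tell the user to continue in an external browser. The snippet below is an added example, not code from the Guardian article, from Krause's report or from the InAppBrowser.com tool. It relies on User-Agent heuristics; the marker tokens (`Instagram`, `FBAN`/`FBAV`, `musical_ly`, `BytedanceWebview`, `Snapchat`) are commonly observed in those apps' WebView User-Agent strings but are undocumented by the vendors and may change, so treat them as an assumption to be verified against current traffic, and the "iPhone without a Safari token" fallback is a hypothetical heuristic that will also match other WebViews.

```javascript
// Added example (not from the article or Krause's report): detect common iOS
// in-app browsers from the User-Agent string so a page handling sensitive
// input can warn the user and offer an external-browser link.
// ASSUMPTION: the marker tokens below are commonly reported UA fragments for
// these apps' WebViews; they are undocumented and may change between releases.
const IN_APP_MARKERS = [
  { token: "Instagram", app: "Instagram" },
  { token: "FBAN", app: "Facebook" },
  { token: "FBAV", app: "Facebook" },
  { token: "musical_ly", app: "TikTok" },
  { token: "BytedanceWebview", app: "TikTok" },
  { token: "Snapchat", app: "Snapchat" },
];

// Returns { inApp: boolean, app: string|null } for a given User-Agent string.
function detectInAppBrowser(userAgent) {
  const ua = String(userAgent || "");
  for (const { token, app } of IN_APP_MARKERS) {
    if (ua.includes(token)) return { inApp: true, app };
  }
  // Hypothetical fallback heuristic: an iPhone/iPad UA that lacks the
  // "Safari/" token is usually a WKWebView embedded in some app.
  if (/iPhone|iPad/.test(ua) && !/Safari\//.test(ua)) {
    return { inApp: true, app: "unknown iOS WebView" };
  }
  return { inApp: false, app: null };
}

// Builds the warning a sensitive page should show, or null if none is needed.
// pageUrl is the URL the user should reopen in an external browser.
function buildWarning(userAgent, pageUrl) {
  const result = detectInAppBrowser(userAgent);
  if (!result.inApp) return null;
  return {
    app: result.app,
    message:
      `This page is open inside the ${result.app} in-app browser. ` +
      "Anything you type here can be observed by that app. " +
      "For passwords or payment details, open this page in your own browser.",
    openExternally: pageUrl,
  };
}

// Render the banner when running in a real page; skipped under Node.
if (typeof document !== "undefined") {
  const warning = buildWarning(navigator.userAgent, location.href);
  if (warning) {
    const banner = document.createElement("p");
    banner.textContent = warning.message + " ";
    const link = document.createElement("a");
    link.href = warning.openExternally;
    link.target = "_blank";
    link.rel = "noopener";
    link.textContent = "Open in browser";
    banner.appendChild(link);
    document.body.prepend(banner);
  }
}
```

A site can go further than a banner, for instance by refusing to render the payment form at all until the page is reopened outside the app, but User-Agent sniffing is a heuristic and apps can change or spoof their strings, so it reduces risk rather than eliminating it.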
“TikTok had the most extensive surveillance capabilities,” Uri Gal, professor of business information systems at the University of Sydney, said.
“Many people who use the app are unaware of the surveillance conducted about them within [it]. The user base of TikTok is by far younger than Facebook’s and Instagram’s … that makes them much more vulnerable.”
Gal said TikTok “presents a different kind of risk” because of parent company ByteDance’s suspected ties to the Chinese Communist party.
The surveillance functionality could be used to “gather as much information as possible for industrial espionage purposes, and shaping public opinion that is more toward their interests,” he said.
A report released by Australian-US cybersecurity firm Internet 2.0 in July warned the Chinese government could use the app to harvest personal information, from in-app messages to device locations.
ByteDance has denied a connection to the Chinese government in the past and called the claim “misinformation” after various leaks suggested it censors material that does not align with Chinese foreign policy aims or mentions the country’s human rights record.
Krause’s research found Instagram also has the ability to track screen taps, such as when users click on an image.
“There are data privacy and integrity issues when you use in-app browsers … such as how Instagram and TikTok show all external websites inside their app,” Krause wrote in the report.
Gal said Instagram and Facebook’s practices are almost as extensive as TikTok’s.
“Their primary motivation is almost purely commercial and financial, whereas with TikTok, there is a national security element that I don’t think is directly present with the others.”
A spokesperson for Instagram’s parent company, Meta, said “in-app web browsers are common across the industry”.
“At Meta, we use in-app browsers to enable safe, convenient, and reliable experiences, such as making sure auto-fill populates properly or preventing people from being redirected to malicious sites,” the spokesperson said.
“Adding any of these kinds of features requires additional code. We have carefully designed these experiences to respect users’ privacy choices, including how data may be used for ads.”
In a statement from TikTok included in Krause’s report, spokesperson Maureen Shanahan said: “Like other platforms, we use an in-app browser to provide an optimal user experience … like checking how quickly a page loads or whether it crashes.”
Nanda said the social media platforms do not disclose how much personal data remains with the company or whether it is shared with third parties.
“They can pass on that information to third-party service providers, which is instrumental in launching sophisticated attacks of any nature,” Nanda said, pointing to hacks that steal data such as credit card information, and malware attacks that freeze computers or lock files. “That is the real risk.”