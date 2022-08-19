

TikTok's in-app browser could be keylogging, privacy analysis warns

Natasha Lomas

'Beware in-app browsers' is a good rule of thumb for any privacy-conscious mobile app user -- given the potential for an app to leverage its hold on user attention to snoop on what you're looking at via browser software it also controls. But eyebrows are being raised over the behavior of TikTok's in-app browser after independent privacy research by developer Felix Krause found the social network's iOS app injecting code that could enable it to monitor all keyboard inputs and taps. Aka, keylogging.

"TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app. This can include passwords, credit card information and other sensitive user data," warns Krause in a blog post detailing the findings. "We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites." [emphasis his]

After publishing a report last week -- focused on the potential for Meta's Facebook and Instagram iOS apps to track users of their in-app browsers -- Krause followed up by launching a tool, called InAppBrowser.com, that lets mobile app users get details of code that's being injected by in-app browsers by listing JavaScript commands executed by the app as it renders the page. (NB: He warns the tool does not necessarily list all JavaScript commands executed nor can it pick up tracking an app might be doing using native code -- so at best it's offering a glimpse of potentially sketchy activities.)

Krause has used the tool to produce a brief, comparative analysis of a number of major apps which appears to put TikTok at the top for concerning behaviors vis-a-vis in-app browsers -- on account of the scope of inputs it has been identified subscribing to, and the fact that it does not offer users an option to open web links in a default mobile browser (i.e. rather than its own in-app browser). The latter means there's no way to prevent TikTok's tracking code from being loaded if you use its app to view links -- the only way to avoid this privacy risk is to leave its app altogether and load the link directly in a mobile browser (and if you can't copy-paste it, you'll have to remember the URL to do that).

Krause is careful to point out that just because he has found TikTok is subscribing to every keystroke a user makes on third party sites viewed inside its in-app browser does not necessarily mean it's doing "anything malicious" with the access -- as he notes there's no way for outsiders to know the full details on what kind of data is being collected or how or if it's being transferred or used. But, clearly, the behavior itself raises questions and privacy risks for TikTok users.

We reached out to TikTok about the tracking code it's injecting into third party sites and will update this report with any response.

Meta-owned apps Instagram, Facebook and FB Messenger, were also found by Krause to be modifying third party sites loaded via their in-app browsers -- with "potentially dangerous" commands, as he puts it -- and we've also approached the tech giant for a response to the findings.

Privacy and data protection are regulated in the European Union, by laws including the General Data Protection Regulation and the ePrivacy Directive, so any tracking being undertaken of users in the region that lacks a proper legal base could lead to regulatory sanction.

Both social media giants have already been subject to a variety of EU procedures, investigations and enforcements around privacy, data and consumer protection concerns in recent years -- with a number of probes ongoing and some major decisions looming.


Krause warns that public scrutiny of in-app browser JavaScript tracking code injections on iOS is likely to encourage bad actors to upgrade their software to make such code undetectable to external researchers -- by running their JavaScript code in the "context of a specified frame and content world" (aka WKContentWorld), which Apple has provided since iOS 14.3. Apple introduced the provision as an anti-fingerprinting measure and so that website operators can't interfere with the JavaScript code of browser plugins, but the technology is evidently a double-edged sword in the context of tracking obfuscation. Krause argues it's thus "more important than ever to find a solution to end the use of custom in-app browsers for showing third party content".

Despite some concerning behaviors being identified in mobile apps running on iOS, Apple's platform is typically touted as more privacy-safe than the Google-flavored mobile OS alternative, Android -- and it's worth noting that apps which follow Apple's recommendation of using Safari (or SFSafariViewController) for viewing external websites were found by Krause to be "on the safe side" -- including Gmail, Twitter, WhatsApp and many others -- as he says Cupertino's recommended method means there's no way for apps to inject any code onto websites, including by deploying the aforementioned isolated JavaScript system (which might otherwise be used to obfuscate tracking code).
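The detection idea behind Krause's tool, viewed from the website operator's side, as an added example that is not code from the article or from InAppBrowser.com: a page-side audit hook that records every registration of a keystroke-related listener, so that a handler the page's own bundle never installed stands out. It runs in a browser or in Node 15+ (which exposes a global `EventTarget`); the `document`-like target in the usage call is constructed for illustration.

```javascript
// Event types an injected script would need to subscribe to in order to see
// what a user types into a third-party page.
const SENSITIVE_EVENTS = new Set(["keydown", "keypress", "keyup", "input", "beforeinput"]);

// Wrap addEventListener on the shared prototype so every registration of a
// sensitive event type is logged before it is passed through unchanged.
function installListenerAudit(proto = EventTarget.prototype) {
  const registrations = [];
  const original = proto.addEventListener;
  proto.addEventListener = function (type, listener, options) {
    if (SENSITIVE_EVENTS.has(type)) {
      registrations.push({
        type,
        // The caller's stack frame: an injected script appears with a source
        // location the page's own bundle never produces.
        origin: (new Error().stack || "").split("\n").slice(2, 3).join("").trim(),
        // Capture-phase listeners see every keystroke before the page's own
        // handlers do, so they are the ones worth flagging first.
        capture: Boolean(options === true || (options && options.capture)),
      });
    }
    return original.call(this, type, listener, options);
  };
  return {
    registrations,
    uninstall() { proto.addEventListener = original; },
  };
}

// Summarise what the hook saw: totals per event type and how many listeners
// were registered for the capture phase.
function summarize(registrations) {
  const byType = {};
  for (const r of registrations) byType[r.type] = (byType[r.type] || 0) + 1;
  return {
    total: registrations.length,
    byType,
    captureCount: registrations.filter((r) => r.capture).length,
  };
}

// Usage (constructed stand-in for a document): install the hook, then let
// later code register listeners; only the sensitive ones are recorded.
const audit = installListenerAudit();
const fakeDocument = new EventTarget();
fakeDocument.addEventListener("keydown", () => {}, true); // recorded, capture phase
fakeDocument.addEventListener("click", () => {});         // ignored
console.log(summarize(audit.registrations));
audit.uninstall();
```

The hook only sees listeners registered in the page's own JavaScript world; code run in an isolated WKContentWorld gets a separate `EventTarget.prototype` and never passes through it, which is exactly the limitation Krause describes.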
