You’re paging through your friends stories on Instagram and you see an ad for some legitimately cool looking sunglasses. Swipe up for more! So you do. It loads up the brand’s website. There you browse a few models of sunglasses. Maybe you looked at their other products as well. As it turns out, Meta, Instagram’s parent company (previously just called Facebook), could have tracked many of your interactions on that webpage. In fact, code found in the injected JavaScript in TikTok can even track your every keystroke. TikTok is the only app researchers tested that specifically adds the capability to log keystrokes, potentially including emails, passwords, personal information, and delicate financial information.
TikTok says they aren’t doing that. However, TikTok is the only company adding this capability to it’s in-app browser. It’s also the only app that restricts web usage to their in-app browser.
Wile many data-reliant companies collect data through in-app browsers, TikTok is potentially the worst. Still, it makes one thing very clear: you shouldn’t use your in-app browsers for anything.
In-App Browsers
When you click on a link in an app like Facebook, Discord, Instagram, and many others, it’ll open in an “In-App Browser.” This is a web browser that exists inside of your app. Simple, right? The idea of these browsers is to keep you in the app. They could simply launch into your default browser, like Safari on iOS, but app developers want a tight, unbroken experience. They also know every time you leave the app you might not come back. Most still offer the option to launch your default browser, but many users choose to just stay in the app they’re already in, rather than re-load the page. However, these in-app browsers don’t feature the content blockers you may have in Safari (like all third party browsers), and the host app can modify websites that it loads.
That also means they can add tracking capabilities to those websites.
… and Their Dangers
Screenshot via Felix Krause’s blog. Just because this tool found no trackers in some apps doesn’t mean they don’t exist.
Felix Krause developed fastlane, an app developer tool for distributing apps. He sold his company to Google and does technology research. He found that in-app browsers were injecting JavaScript code into the webpages they loaded. That code allowed the parent app to track user activity in the browser. In the case of Meta’s apps, Facebook, Facebook Messenger, and Instagram, this includes the ability to modify the page and grab information on the user’s interactions with that page.
TikTok, however, takes it a step further. TikTok’s injected code has the capability of reading every single keystroke a user enters, from passwords to credit card information. TikTok claims they don’t track this information. They also stated that this tracking is due to a third party software development kit (SDK) they’re using. Apple frequently make use of SKDs in their apps to extend the functionality of the app without making a part for themselves. Think of it like buying a TV for your home instead of making a TV yourself. However, TikTok would not say which SDK added that capability to their app. They also wouldn’t say why they’d choose to use an SDK that can track everything users type in the app in the first place.
“This was an active choice the company made. This is a non-trivial engineering task. This does not happen by mistake or randomly.”
– Felix Krause
You don’t accidentally start tracking every keystroke on a website. That’s a piece of malware more commonly known as a “keylogger.” While TikTok claims they haven’t made a keylogger, as they’re not collecting that information, it doesn’t change the fact that they are capable of logging every keystroke of any user. We currently can’t prove they aren’t, and only have their word to go off of. The same word that claims this is caused by a third party SDK, but can’t say which one.
InAppBrowser.com
Krause made a website, InAppBrowser.com, which can reveal many JavaScript trackers. While developers can hide this information, using iOS’ WKContentWorld, for example, many haven’t gone so far as to try this. Using his tool, you can easily test the apps you use, at least until they try to hide their tracking better. Simply enter the link somewhere in the app and follow it. It’ll tell you how the app is injecting JavaScript, and if any of that injected code can track you.
Much of it can.
Krause found that, while Meta and TikTok were both tracking users, only TikTok added the capability to log keystrokes. Furthermore, only TikTok refuses to let users open their webpages in the default browser. You have to stay in TikTok’s browser if you don’t want to leave the app and search for the webpage you were on. TikTok claims this is to make a seamless experience, but why not let users make the choice for themselves?
Could it have anything to do with the fact that their injected JavaScript wouldn’t load in the default browser?
The Alternative
Simply opening a link in the browser, rather than Instagram’s in-app browser, removes all of this tracking.
Above are two screenshots from my phone. In one, I opened inappbrowser.com in the Instagram in-app browser. You can see that it contains JavaScript made to track me across the web. However, the second one is a clean version of the webpage. How’d I do it? I tapped on the three dots in the upper right corner of the app, chose “Open in Browser,” and that was it. When you open a webpage in your actual browser like this, only the website URL gets passed along to your browser, not the injected JavaScript. It’s a clean way to load the website, without Meta’s trackers.
You should always do this. Either copy the link and paste it into an actual browser or select the option to open the website in your browser. TikTok doesn’t have this option. But if you’re still using TikTok, I’m going to go out on a limb and assume you like the service more than your privacy and security anyway. Meta’s apps (Facebook and Instagram), and TikTok are made to collect and monetize your data. TikTok might also have national security implications, and works the hardest to ensure you can’t disable their tracking, but it’s true that these are all bad. If you can, use the website version of these services to reduce tracking, especially if it’s with a different browser than you use for other browsing (for example, I use DuckDuckGo’s browser for Facebook). If you must use the app, at least open all webpages in your browser. You can still use these services and minimize the amount of data they collect on you.
Except TikTok. It’s pretty much impossible to cut down on what they collect. Sure is addictive though.
Sources:
- Emily Baker-White, BuzzFeed News
- Kyle Barr, Gizmodo
- S. Dent, Engadget
- Filipe EspĆ³sito, 9to5Mac
- Bree Fowler, Cnet
- Natasha Lomas, TechCrunch
- Nathaniel Mott, PC Mag
- Richard Nieva, Forbes