TikTok's In-App Browser Can Monitor Your Keystrokes, Researcher Says

The app inserts code that can track activity on sites its browser is used to access, says a privacy researcher. TikTok says it uses the code for things like debugging.

Bree Fowler Senior Writer
Bree Fowler writes about cybersecurity and digital privacy. Before joining CNET she reported for The Associated Press and Consumer Reports. A Michigan native, she's a long-suffering Detroit sports fan, world traveler, wannabe runner and champion baker of over-the-top birthday cakes and all-things sourdough.
Expertise cybersecurity, digital privacy, IoT, consumer tech, smartphones, wearables
Bree Fowler
2 min read

TikTok has the ability to monitor keystrokes through its in-app browser, new research shows.

Sarah Tew/CNET

TikTok's in-app browser has the ability to monitor certain kinds of user activity on the external websites accessed with it, new research shows.

According to research published Thursday by Felix Krause, a Vienna-based software researcher, when TikTok users access a website through a link in the TikTok app, the app inserts code into the website that allows TikTok to monitor activity like keystrokes and what users are tapping on that site. 

That could allow TikTok to capture personal user information like credit card numbers and passwords, though the company claims it doesn't do that. The app is able to insert the code and modify the websites to allow that monitoring because the sites are opened in TikTok's in-app browser, rather than in a standard one like Chrome or Safari.

"This was an active choice the company made," Krause told Forbes, which first reported the findings. "This is a non-trivial engineering task. This does not happen by mistake or randomly." Krause is the founder of the app-testing company Fastlane, which Google acquired five years ago

TikTok issued a statement calling the report's conclusions "incorrect and misleading," noting that Krause specifically says in the report that the existence of the code doesn't mean the app is doing anything malicious.

"Contrary to the report's claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting and performance monitoring," the company said in its statement.

TikTok added that the code is part of a third-party software development kit, or SDK, a set of tools used to build or maintain apps, and that the SDK includes features TikTok doesn't use.

The news comes amid long-running security and surveillance concerns about the TikTok app and its ownership by the Chinese company ByteDance. Some US officials say TikTok threatens national security because ByteDance could share data about Americans collected through the app with the Chinese government, which could then weaponize it against Americans. TikTok has repeatedly said it would never do this. 

Krause's research looked at more than just TikTok. In total, he tested seven iPhone apps that use in-app browsers, including TikTok, Facebook, Facebook Messenger, Instagram, Snapchat, Amazon and Robinhood. Of those, TikTok is the only one that appears to monitor keystrokes, Krause said. Krause didn't test the Android version of TikTok's app.