Chinese app is said to be able to capture passwords
On iOS, TikTok can read everything that users type in the in-app browser, according to security expert Felix Krause, who had previously warned about Facebook and Instagram. TikTok says in a statement that the code only serves to improve the user experience.
TikTok: Expert warns about in-app browsers
After taking a detailed look at the iOS apps from Facebook and Instagram, security expert and former Google employee Felix Krause has now turned his attention to TikTok. Just as with the apps of the Meta Group, he sees considerable risks with TikTok. Using the TikTok in-app browser, the operator ByteDance can monitor and store all user input on websites.
In-app browsers are used whenever an external link is tapped in apps such as Facebook, Instagram or TikTok. According to Krause, the operators inject JavaScript code that enables keyboard entries to be read. This includes sensitive data such as passwords, addresses or payment information. Krause also reports that the apps can log every screen input.
“From a technical point of view, this is equivalent to the installation of a keylogger on third-party websites,” Krause says, summarizing his investigation. However, he also points out that the technical possibility does not mean that the app operators are actually up to anything malicious.
ByteDance makes the same argument. It says in a statement that TikTok does place JavaScript code on web pages, but that this is only for troubleshooting and performance monitoring. The aim is to ensure an “optimal user experience” (source: Forbes).
Check TikTok monitoring yourself
Krause has released a tool that users can use to check whether apps inject JavaScript code into websites, and which code. To do this, the address InAppBrowser.com must be shared in the app, e.g. in the form of a message to another user. The link is then tapped.
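A sketch of how a website can notice input listeners that it did not register itself, as an added example that is not taken from the article or from Krause's tool. The names `watchListeners`, `unexpectedInputListeners` and `demo` and the allow-list format are assumptions, and the `EventTarget` in `demo` is a constructed stand-in for `document`.

```javascript
// Event types whose listeners can observe what a user types or taps.
const INPUT_EVENTS = new Set(["keydown", "keypress", "keyup", "input", "change", "click", "touchstart"]);

// Wrap target.addEventListener so every later registration is recorded.
// Limitation: code that registered its listeners before this wrapper
// was installed is not seen.
function watchListeners(target, label, log = []) {
  const original = target.addEventListener;
  target.addEventListener = function (type, listener, options) {
    // Stack line 2 is the caller, i.e. where the registration came from.
    const origin = ((new Error().stack || "").split("\n")[2] || "").trim();
    log.push({ target: label, type, sensitive: INPUT_EVENTS.has(type), origin });
    return original.call(this, type, listener, options); // keep normal behaviour
  };
  return log;
}

// Keep only input-related registrations that are not on the site's own
// allow-list; those were added by code the site did not ship.
function unexpectedInputListeners(log, expected) {
  return log.filter(
    (e) => e.sensitive && !expected.some((x) => x.target === e.target && x.type === e.type)
  );
}

// Constructed demonstration. In a real page the first argument would be
// `document` or `window`, and the wrapper would be the first script to run.
function demo() {
  const doc = new EventTarget(); // stand-in for document
  const log = watchListeners(doc, "document");

  // Listeners the site itself ships (assumed allow-list).
  const expected = [{ target: "document", type: "click" }];
  doc.addEventListener("click", () => {});

  // Stand-in for a registration made by code the host app added.
  doc.addEventListener("keydown", () => {});
  doc.addEventListener("scroll", () => {}); // not input-related, ignored

  return unexpectedInputListeners(log, expected);
}

console.log(demo().map((e) => `${e.target}: ${e.type}`));
```

A site could send the resulting list to its own reporting endpoint to see which embedding apps add input listeners to its pages.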