The web browser used in the TikTok app can track every keystroke made by its users, according to new research that comes as the Chinese-owned video app grapples with US lawmakers’ concerns over its data practices.
The research from Felix Krause, a privacy researcher and former Google engineer, does not show how TikTok uses the capability, which is embedded within the app's in-app browser that appears when someone taps an outside link. But Krause said the finding is concerning because it shows TikTok has built-in functionality to track users' online habits if it chose to do so.
Collecting what people type on their phones when visiting outside websites, which can reveal credit card numbers and passwords, is a common feature of malware and other hacking tools. While major tech companies may use such trackers when they test new software, it is not common for them to ship major commercial apps with the feature, whether it is enabled or not, the researchers said.
“Based on Krause’s findings, the way TikTok’s in-app browser monitors keystrokes is problematic, as users might enter their sensitive data such as login credentials on external websites,” said Jane Manchun Wong, an independent software engineer and security researcher who studies apps for new features.
She said TikTok’s in-app browser can “extract information from users’ external browsing sessions, which some users find too much.”
In a statement, TikTok, which is owned by Chinese internet company ByteDance, said that Krause's report was "untrue and misleading" and that the feature was used for "debugging, troubleshooting, and performance monitoring."
“Contrary to the report’s claims, we do not collect keystroke or text input through this code,” TikTok said.
Krause, 28, said he could not confirm whether keystrokes were actively tracked or whether that data was sent to TikTok.
The research could raise questions for TikTok in the United States, where government officials have scrutinized whether the popular app could jeopardize US national security by sharing information about Americans with China. Although debate in Washington, D.C., about the app has receded under the Biden administration, new concerns have emerged in recent months after revelations from BuzzFeed News and other news outlets about TikTok's data practices and its relationship with its Chinese parent.
Apps sometimes use in-app browsers to prevent people from visiting malicious sites or to make online browsing easier by auto-filling text. An in-app browser can also inject its own code into the pages it loads. Facebook and Instagram use that ability to track data such as which sites a person visits, what they highlight, and which buttons they press on websites; TikTok goes a step further with code that can record every character a user types, Krause said.
A spokesperson for Meta, the parent company for Facebook and Instagram, declined to comment.
Krause said that he conducted research on TikTok only on Apple’s iOS operating system and noted that keystroke tracking would only occur within the in-app browser.
As with many apps, TikTok offers little opportunity for people to leave its service. Instead of redirecting to a mobile web browser like Safari or Chrome, the in-app browser appears when users tap on ads or links embedded in other users' profiles. These are often the moments when people enter sensitive information such as credit card details or passwords.
In a CNN interview in July, Michael Beckerman, a TikTok policy executive, denied that the company logged users’ keystrokes but acknowledged monitoring their patterns, such as typing frequency, to protect against fraud.
Krause said he was concerned that the tools had a “very similar architecture” and could be reused to track keystroke content.
“The problem is they have the infrastructure set up to do this,” he said.
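The following is an added example, not code from the article, from TikTok, or from Krause's research. It simulates in plain JavaScript what an injected in-app-browser script can observe on an external page, and why the "typing patterns" telemetry described above and a full keystroke log share the same architecture: the hook and the message pipeline are identical, and only the payload differs. Node's built-in EventTarget and Event stand in for the DOM so it runs offline; the bridge, the message shapes and the field names are hypothetical stand-ins for a native handler such as WKWebView's window.webkit.messageHandlers.<name>.postMessage.

```javascript
// Added example (not from the article, TikTok or Krause). Simulates, with Node's
// built-in EventTarget/Event in place of the DOM, what a script injected into an
// in-app browser can observe when the user types on an external site.

// Minimal page model: one keydown event per character, carrying the key and the
// field it was typed into (in a real DOM the event bubbles from the focused
// <input> up to document, so one listener at the top sees every field).
class KeyEvent extends Event {
  constructor(key, field, timeStamp) {
    super('keydown');
    this.key = key;        // the character typed (DOM: KeyboardEvent.key)
    this.field = field;    // { name, type } of the focused input (constructed)
    this.when = timeStamp; // ms; constructed so results are deterministic
  }
}

class Page extends EventTarget {
  // Simulate a user typing `text` into `field`, one keydown per character,
  // 100 ms apart starting at `start`.
  typeInto(field, text, start = 0) {
    [...text].forEach((ch, i) =>
      this.dispatchEvent(new KeyEvent(ch, field, start + i * 100)));
  }
}

// Collects whatever the injected script posts; stands in for the native side
// (hypothetical, in place of window.webkit.messageHandlers.<name>.postMessage).
function makeBridge() {
  const received = [];
  return { postMessage: (m) => received.push(m), received };
}

// Variant A: content-capturing monitor. One listener on the page sees every
// key in every field, type="password" inputs included.
function installContentMonitor(page, bridge) {
  page.addEventListener('keydown', (ev) => {
    bridge.postMessage({ field: ev.field.name, type: ev.field.type, key: ev.key, t: ev.when });
  });
}

// Variant B: timing-only monitor, the "typing patterns" style of telemetry.
// Same hook, same pipeline; it simply omits the key. Turning B into A is a
// one-property change on the injected side, which is the "very similar
// architecture" concern.
function installTimingMonitor(page, bridge) {
  page.addEventListener('keydown', (ev) => {
    bridge.postMessage({ field: ev.field.name, type: ev.field.type, t: ev.when });
  });
}

// Receiving side of variant A: rebuild each field's text from the messages.
function reconstructTypedText(messages) {
  const out = {};
  for (const m of messages) {
    if (typeof m.key !== 'string') continue; // timing-only messages carry no key
    out[m.field] = (out[m.field] || '') + m.key;
  }
  return out;
}

// The property that makes a batch of messages a keylog rather than telemetry:
// at least one message carries the typed character itself.
function carriesKeystrokeContent(messages) {
  return messages.some((m) => typeof m.key === 'string');
}

function demo() {
  const page = new Page();
  const contentBridge = makeBridge();
  const timingBridge = makeBridge();
  installContentMonitor(page, contentBridge);
  installTimingMonitor(page, timingBridge);

  // Constructed login interaction on an "external" site opened from the app.
  page.typeInto({ name: 'email', type: 'text' }, 'a@b.io', 0);
  page.typeInto({ name: 'password', type: 'password' }, 'hunter2', 1000);

  return {
    content: reconstructTypedText(contentBridge.received),            // { email: 'a@b.io', password: 'hunter2' }
    contentIsKeylog: carriesKeystrokeContent(contentBridge.received), // true
    timingIsKeylog: carriesKeystrokeContent(timingBridge.received),   // false
    timingMessages: timingBridge.received.length,                     // 13
  };
}

console.log(demo());
```

The practical takeaway is the one the article circles: the page being loaded cannot tell which variant is installed, because the injected script runs before the page's own code and inside the same document, so the only user-side mitigation is to open sensitive links in the system browser rather than the in-app one.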