Stop using in-app browsers now

Another week passes and another data report reveals a potential privacy nightmare for TikTok users: A security researcher recently discovered that TikTok’s in-app browser injects JavaScript into external websites, leading to potential security risks. This is just the latest security issue for the social media giant, which is still facing scrutiny from US lawmakers after leaked audio revealed the video-hosting service may have been sharing US user data with China.

TikTok is very popular and owned by a Chinese company. Given the political tension between the two countries, it is not surprising that many US-based media outlets jumped at the chance to report on security researcher Felix Krause’s findings. On his website, Krause says his tests show that when a user opens a web page within TikTok’s iOS app, the app’s browser injects code that subscribes to all keyboard input and each tap on the screen. According to Krause, “We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third-party websites.”

A TikTok spokesperson admitted that the app injects JavaScript into websites, but insisted: “Contrary to the report’s claims, we do not collect keystrokes or text input through this code, which is used solely for debugging, troubleshooting and performance monitoring.”


In-app browsers can track you

The concern about TikTok’s in-app browser isn’t just Chinese scaremongering. We do not know the full details about the specific data that the TikTok in-app browser collects or how it uses that data. Krause’s research shows that JavaScript commands executed by the TikTok app’s browser could, in theory, be used to collect information such as credit card numbers, passwords, social security numbers, and other highly sensitive personal data.

The good news is that TikTok says it doesn’t collect that information. The bad news is that even if we believe ByteDance Ltd, the company behind TikTok, other popular apps from different companies also have browsers that can track you across the web. In researching it, Krause noted that Amazon, Facebook, Messenger, Instagram, Robinhood, and Snapchat also have in-app browsers.

Apple and Google have been taking steps in recent years to prevent advertisers from tracking mobile users on the web. Google Chrome is carrying out a plan to replace cookies. Apple requires all apps in its store to ask for explicit permission from users before tracking their data on third-party apps or websites.


What is an in-app browser?

App developers circumvent tracking deterrents by creating in-app browsers. In-app browsers open ads and links by default in an app. In his study, Krause used the Instagram app as an example. Instagram injects a JavaScript tracking code on every site you open within the app. In accordance with its Privacy Policy, Instagram knows what you tapped on the app, what images you viewed, how long you spend on a page, and other similar information. This data is used to create a portrait of you, the user, which helps determine what types of ads you see on Instagram or other Meta properties.
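The injection described above works by registering listeners for keyboard and tap events on the page. As an added example (not code from the article, from TikTok, or from Krause’s tooling), this is a small audit hook a site owner could ship in their own first-party script to see which code on the page subscribes to those events; the `simulateInjectedSubscriber` function is a constructed stand-in for an in-app browser’s injected script so the hook can be exercised offline in Node.js (v15+, where `EventTarget` and `Event` are globals).

```javascript
// Event types that an injected script would need in order to observe
// keystrokes or taps; anything else (e.g. 'resize') is ignored.
const SENSITIVE_EVENTS = new Set([
  'keydown', 'keypress', 'keyup', 'input', 'beforeinput',
  'touchstart', 'touchend', 'pointerdown', 'click',
]);

// Audit log: one entry per subscription to a sensitive event type.
const listenerAudit = [];
let auditInstalled = false;

// Wrap EventTarget.prototype.addEventListener so every later subscription on
// document, window or any element passes through the hook. The captured stack
// shows which script (URL and line) registered the listener.
function installListenerAudit() {
  if (auditInstalled) return;
  const original = EventTarget.prototype.addEventListener;
  EventTarget.prototype.addEventListener = function (type, listener, options) {
    if (SENSITIVE_EVENTS.has(type)) {
      listenerAudit.push({
        type,
        target: this && this.constructor ? this.constructor.name : String(this),
        stack: new Error().stack.split('\n').slice(2).join('\n'),
      });
    }
    return original.call(this, type, listener, options); // behaviour unchanged
  };
  auditInstalled = true;
}

// Summarise the audit as { eventType: count } for reporting or telemetry.
function sensitiveListenerReport() {
  const counts = {};
  for (const entry of listenerAudit) counts[entry.type] = (counts[entry.type] || 0) + 1;
  return counts;
}

// Constructed stand-in for an injected script (assumption for this example):
// subscribes to a keyboard event, a tap event and one benign event.
function simulateInjectedSubscriber(target) {
  const seen = { keys: 0 };
  target.addEventListener('keydown', () => { seen.keys += 1; });
  target.addEventListener('touchstart', () => {});
  target.addEventListener('resize', () => {}); // benign, not logged
  return seen;
}
```

A script injected at document start can capture the original `addEventListener` before this hook is installed, so an empty report is inconclusive; the hook confirms subscriptions it sees, it cannot prove their absence.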

There are perfectly valid reasons, unrelated to advertising, why developers might build in-app browsers. Krause gives the example of an airline that uses a prebuilt web interface to implement seat selection within its application.

Some apps only use in-app browsers for internal pages, like a privacy policy statement or terms of service agreement. When users tap a link to an external site, it opens with the user’s default browser.


How to avoid using in-app browsers

The most important tip here is to avoid entering sensitive information into an in-app browser. Please take the time to read each app’s privacy policy to learn what information the company collects and how it uses that data.

If you click a link or ad in an app by mistake, close it. If you want to visit the link safely, follow the tips below:

  • Switch to a secure browser. Most apps allow you to switch to Safari or the default browser on your device if you open a website using the app’s built-in browser. The process varies by app, but if you’re on a website while using an app, try finding three dots or a Settings button. Tap that button to open a Settings menu. One of the options may be “Open in browser”. If you don’t see any Settings menu option, simply copy and paste the URL from the in-app browser’s address bar into your chosen browser.
  • Use the web version of a service. You can also stop using the app altogether, which may be a good idea if you want to reduce the amount of personal information you share on social media or reduce your overall social media usage. There are web versions of almost all social media platforms. You can scroll and comment on anything you want using the web version of Facebook or Instagram without worrying about accidentally giving out personal information.



What else is happening in the security world this week?

Fake DDoS protection pages on WordPress sites offer malware. The malware works as a remote access Trojan capable of taking over a PC.

Google defends itself from a record-breaking DDoS attack. The attack was 76% more powerful than the HTTPS DDoS attack that hit Cloudflare in June.

Amazon Ring fixes a flaw that could have allowed hackers to access camera footage. The flaw required Ring users with Android devices to install a malicious app. The company quietly released a patch for the problem in May.

Can you trust a VPN to protect your iPhone? Back in 2018, Apple allowed iOS to leak your data when running a VPN.

Time to patch: Hackers are exploiting 2 flaws in iOS, macOS. One flaw can execute malicious computer code in Apple’s WebKit engine, the other can elevate system privileges.
