TikTok is very popular and is owned by a Chinese company, ByteDance. Given the political tension between the United States and China, it is not surprising that many US-based media outlets jumped at the chance to report on security researcher Felix Krause’s findings. On his website, Krause says his tests show that when a user opens a web page inside TikTok’s iOS app, the app’s in-app browser injects JavaScript that subscribes to every keystroke and every tap on the screen. According to Krause, “We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third-party websites.”
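To make the mechanism concrete, here is an added example that is not code from Krause’s tests, from TikTok, or from any app named on this page. It models two sides of the situation: a page-side “canary” that wraps `addEventListener` so that any later subscription to keystroke or tap events is recorded, and a simulated injected script that subscribes the way a keylogger would. Node’s built-in `EventTarget`/`Event` stand in for a browser document so it runs offline; the function names (`installCanary`, `injectedKeylogger`, `simulate`), the constructed events and the typed text are this example’s own assumptions.

```javascript
// Added example, not code from Krause's tests or from TikTok.
// Models the mechanism described above with Node's built-in EventTarget/Event
// standing in for a browser document, so it runs offline. All names here
// (installCanary, injectedKeylogger, simulate, the Fake*Event classes) are
// this example's own.

// Event types an injected script would subscribe to in order to see every
// keystroke and every tap on a third-party page.
const INPUT_EVENTS = new Set([
  'keydown', 'keypress', 'keyup', 'input', 'touchstart', 'touchend', 'click',
]);

// Page-side canary: wrap addEventListener on the page object so that every
// later subscription to an input event is recorded. In a real browser the
// site's own first script would install this on `document` / `window`.
function installCanary(page) {
  const report = { subscriptions: [] };
  const original = page.addEventListener.bind(page);
  page.addEventListener = function (type, listener, options) {
    if (INPUT_EVENTS.has(type)) {
      report.subscriptions.push({
        type,
        listener: (listener && listener.name) || '<anonymous>',
        // In a browser, new Error().stack here would show which script subscribed.
      });
    }
    return original(type, listener, options);
  };
  return report;
}

// A recorded subscription to any key/input event is what Krause calls
// "the equivalent of installing a keylogger" on the page.
function hasKeystrokeSubscription(report) {
  return report.subscriptions.some(
    (s) => s.type.startsWith('key') || s.type === 'input'
  );
}

// Simulated injected script: subscribing to all keyboard input and every tap.
// `sink` stands in for whatever the app's native side receives; nothing here
// talks to a network.
function injectedKeylogger(page, sink) {
  function logKey(ev) { sink.push({ kind: 'key', key: ev.key }); }
  function logTap(ev) { sink.push({ kind: 'tap', x: ev.clientX, y: ev.clientY }); }
  page.addEventListener('keydown', logKey);
  page.addEventListener('touchstart', logTap);
}

// Constructed events carrying the fields a real KeyboardEvent/TouchEvent would.
class FakeKeyEvent extends Event {
  constructor(key) { super('keydown'); this.key = key; }
}
class FakeTapEvent extends Event {
  constructor(clientX, clientY) {
    super('touchstart');
    this.clientX = clientX;
    this.clientY = clientY;
  }
}

// Scenario: the page installs its canary, the app injects its listeners, the
// user types "pass" and taps once. Returns what the canary saw and what the
// injected script captured.
function simulate() {
  const page = new EventTarget();      // stands in for window.document
  const report = installCanary(page);
  const captured = [];
  injectedKeylogger(page, captured);
  for (const ch of 'pass') page.dispatchEvent(new FakeKeyEvent(ch));
  page.dispatchEvent(new FakeTapEvent(120, 340));
  return { report, captured };
}

const demo = simulate();
console.log('canary saw:', demo.report.subscriptions);
console.log('keystroke listener present:', hasKeystrokeSubscription(demo.report));
console.log('injected script captured:', demo.captured);
```

One caveat when carrying this over to a real page: an app’s injected script can be scheduled to run before the page’s own scripts (WebKit’s `WKUserScript` supports injection at document start), so a canary like this only sees subscriptions made after it is installed. Treat a hit as evidence; treat the absence of one as proving nothing.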
In-app browsers can track you
The good news is that TikTok says it doesn’t collect that information. The bad news is that even if we take ByteDance Ltd, the company behind TikTok, at its word, other popular apps from other companies also have in-app browsers that can track you across the web. In his research, Krause noted that Amazon, Facebook, Messenger, Instagram, Robinhood, and Snapchat also ship in-app browsers.
Apple and Google have taken steps in recent years to make it harder for advertisers to track mobile users on the web. Google Chrome is phasing out third-party cookies. Apple requires every app in its App Store to ask users for explicit permission before tracking them across third-party apps or websites.
What is an in-app browser?
There are perfectly valid reasons, unrelated to advertising, for developers to build in-app browsers. Krause gives the example of an airline that uses a prebuilt web interface to implement seat selection inside its app.
How to avoid in-app browsers
If you tap a link or ad in an app by mistake, close it. If you want to visit the link safely, follow the tips below:
- Switch to a regular browser. Most apps let you hand a page off to Safari or your device’s default browser once it has opened in the app’s built-in browser. The process varies by app, but while the page is open inside the app, look for a three-dot or Settings button. Tap it to open the menu; one of the options may be “Open in browser”. If there is no such option, copy the URL from the in-app browser’s address bar and paste it into the browser of your choice.
- Use the web version of a service. You can also stop using the app altogether, which may be a good idea if you want to reduce the amount of personal information you share on social media or cut down your overall social media use. Almost every social media platform has a web version. You can scroll and comment on whatever you like using the web version of Facebook or Instagram without worrying about accidentally handing over personal information.
Do you like what you are reading? Get a bonus story delivered to your inbox weekly. Sign up for the SecurityWatch newsletter.
What else is happening in the security world this week?
Fake DDoS protection pages on WordPress sites deliver malware. The payload is a remote access Trojan capable of taking over a PC.
Google fends off a record-breaking DDoS attack. The attack was 76% larger than the HTTPS DDoS attack that hit Cloudflare in June.
Amazon Ring fixes a flaw that could have let hackers access camera footage. Exploiting the flaw required a Ring user with an Android device to install a malicious app. The company quietly patched the problem in May.
Can you trust a VPN to protect your iPhone? Back in 2018, Apple let iOS leak your data even while a VPN was running.
Time to patch: hackers are exploiting two flaws in iOS and macOS. One allows malicious code execution in Apple’s WebKit engine; the other elevates system privileges.