TikTok's in-app keyboard on iOS has the capability of stealing personal data you type

TikTok's in-app keyboard on iOS has the capability of stealing personal data you type
How secure would you feel if Facebook, Instagram, and TikTok were able to track every keystroke you made on your iPhone? According to Felix Krause, developer of a website called InAppBrowser.com (via The Verge), the in-app keyboard used by popular apps such as TikTok, Facebook, and Instagram has the potential to use JavaScript to grab your credit card data, address, passwords, and more without your permission on iOS.

TikTok, Facebook, and Instagram's in-app QWERTY could track every keystroke on an iPhone

TikTok, Facebook, Instagram, and Facebook Messenger could track your keystrokes if you use their in-app keyboards. Interestingly, all of the apps just mentioned except one will allow you to use your default QWERTY to type on. The one app that doesn't allow this is TikTok which recently upset another U.S. presidential administration concerned about national security. For its part, TikTok went on its Twitter account to send a tweet that says, "The report's conclusions about TikTok are incorrect and misleading. Contrary to its claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting and performance monitoring."

Back in June, FCC commissioner Brendan Carr said that TikTok should be removed from the Apple App Store and Google Play Store. He called TikTok a "sophisticated surveillance tool that harvests extensive amounts of personal and sensitive data," and cited new reports revealing that sensitive data was being sent to Beijing.

Krause said that TikTok "subscribes to every keystroke happening on third party websites rendered inside the TikTok app." The developer said, "Even though the injected script doesn’t currently do this, running custom scripts on third party websites allows them to monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers."

Krause added, "I didn’t prove the exact data Instagram is tracking, but wanted to showcase the kind of data they could get without you knowing." Facebook and Instagram parent Meta responded by saying that Facebook and Instagram users already consented to be tracked in order to use the apps. Meta also stated that the data it collects is used only for targeted advertising or for "measurement purposes."

Developer explains how to use his InAppBrowser.com website

A Meta spokesman said, "We intentionally developed this code to honor people's choices on our platform. The code allows us to aggregate user data before using it for targeted advertising or measurement purposes...For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill." That's the feature that automatically fills out certain fields on apps and websites based on previously collected data such as your name, address, phone number and more.

Krause says, "InAppBrowser.com is designed for everybody to verify for themselves what apps are doing inside their in-app browsers." The developer conceded that his site does have limitations adding, "This tool can’t detect all JavaScript commands executed, as well as doesn’t show any tracking the app might do using native code." To use the InAppBrowser.com site, tap this link and follow the following four directions as posted on the developer's FAQ site:

  1. Open an app you want to analyze.
  2. Share the URL https://InAppBrowser.com somewhere inside the app (e.g. send a DM to a friend or post to your feed).
  3. Tap on the link inside the app to open it.
  4. Read the report on the screen.

During the Trump years, the president at first wanted to ban the app for national security reasons. Then, he tried to broker a sale of TikTok's U.S. operations to interested American firms which included Oracle, Walmart (!), and Microsoft. In September 2020, Trump said that he had a deal "in concept" that would have seen Oracle and Walmart buy the U.S. arm of TikTok.

Trump's proposed deal included a large payment that would have been made to the U.S. Treasury although it turned out that this demand from Trump would have been illegal. No deal was ever made as Trump lost interest in TikTok heading into the last couple of months before the 2020 presidential election. It should be noted that in July 2020, the Biden campaign directed all staff to remove TikTok from their devices.
Loading Comments...
FCC OKs Cingular\'s purchase of AT&T Wireless