Multiple articles last week carried the news that researcher Felix Krause had discovered TikTok included keystroke trackers.
Not so fast.
Krause says in a blog post that his research shows the code that could allow keystroke tracking is present, not that keystroke tracking is actually happening. TikTok is also not the only app that includes JavaScript making such tracking possible.
“Just because an app injects JavaScript into external websites, doesn’t mean the app is doing anything malicious,” Krause said in his blog post.
“There is no way for us to know the full details on what kind of data each in-app browser collects, or how or if the data is being transferred or used. This publication is stating the JavaScript commands that get executed by each app, as well as describing what effect each of those commands might have.”
Krause explains that when you open a link on TikTok, it opens in their in-app browser.
That browser can observe multiple kinds of interaction on the page, which could include each keystroke.
Following his earlier findings, Krause introduced InAppBrowser.com, a simple tool that lists the JavaScript commands an iOS app executes while rendering the page.
In his blog post, Krause explains how to use InAppBrowser.com. TikTok responded to Krause’s discovery of the JavaScript commands by confirming that those features exist in the code but saying that TikTok does not use them.
“Like other platforms, we use an in-app browser to provide an optimal user experience, but the JavaScript code in question is used only for debugging, troubleshooting, and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes,” spokesperson Maureen Shanahan said in a statement.
It is also important to note that TikTok is not the only app using code that could allow tracking. Meta’s Instagram injects script into third-party websites as well.
Krause was able to find the following commands Instagram executes:
- Instagram iOS subscribes to every tap on any button, link, image, or other component on external websites rendered inside the Instagram app.
- Instagram iOS subscribes every time the user selects a UI element (like a text field) on third-party websites rendered inside the Instagram app.
Krause includes a link to everything he found on Instagram in his blog post.
Meta responded via a tweet saying, “The code in question allows us to respect people’s privacy choices by helping aggregate events (such as making a purchase online) from pixels already on websites before those events are used for advertising or measurement purposes.”
Another important note, Krause said, is that when he talks about “App subscribes to”, he means that the app subscribes to the JavaScript events of that type (e.g. all taps). There is no way to verify what happens with the data.
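To make the “subscribes to” finding concrete from the website owner’s side, here is an added example (not InAppBrowser.com’s code, nor any app’s injected script) that wraps `addEventListener` so a page can log which event types a script subscribes to, grouped by the categories Krause describes: taps, UI element selection, and keystrokes. The category lists and the constructed `EventTarget` standing in for `document` are assumptions made for this example.

```javascript
// Added example (not InAppBrowser.com's or any app's code): a page-side monitor
// that records which DOM event types scripts subscribe to, grouped by the
// categories Krause describes (taps, UI element selection, keystrokes).

const CATEGORIES = {
  keystroke: ['keydown', 'keypress', 'keyup', 'input', 'beforeinput'],
  tap: ['click', 'mousedown', 'touchstart', 'touchend', 'pointerdown'],
  selection: ['focus', 'focusin', 'select', 'selectionchange'],
};

// Map an event type to one of the categories above, or null if not watched.
function classifyEvent(type) {
  for (const [category, types] of Object.entries(CATEGORIES)) {
    if (types.includes(type)) return category;
  }
  return null;
}

// Wrap target.addEventListener so every subscription is logged before being
// forwarded to the real implementation. Passing EventTarget.prototype covers
// window, document and every element; restore() puts the original back.
function monitorSubscriptions(target) {
  const log = [];
  const original = target.addEventListener;
  target.addEventListener = function wrapped(type, listener, options) {
    log.push({ type, category: classifyEvent(type) });
    return original.call(this, type, listener, options);
  };
  return { log, restore() { target.addEventListener = original; } };
}

// Count logged subscriptions per category; unwatched types fall under "other".
function summarize(log) {
  const counts = { keystroke: 0, tap: 0, selection: 0, other: 0 };
  for (const entry of log) counts[entry.category ?? 'other'] += 1;
  return counts;
}

// Demo with a constructed EventTarget standing in for document. In a real page
// the monitor must be installed before any injected script runs.
const monitor = monitorSubscriptions(EventTarget.prototype);
const page = new EventTarget();
page.addEventListener('keydown', () => {});   // keystroke
page.addEventListener('click', () => {});     // tap
page.addEventListener('focusin', () => {});   // selection
page.addEventListener('scroll', () => {});    // other
console.log(summarize(monitor.log)); // { keystroke: 1, tap: 1, selection: 1, other: 1 }
monitor.restore();
```

Listeners registered through `on*` handler properties are not caught by this wrapper, and a script injected at document start by a native WebView can run before the page’s own code, so the log only shows what was subscribed after the monitor was installed.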
In his blog post announcing InAppBrowser, Krause includes more information about in-app browsing, how it could be used for tracking, and other JavaScript details people will want to know, including how to stay safe while using apps.
He reiterates, though, that the companies using JavaScript to track are not stealing passwords, addresses, or credit card numbers.
“I wanted to showcase that bad actors could get access to this data with this approach,” Krause said in his blog post.
“As shown in the past, if it’s possible for a company to get access to data legally and for free, without asking the user for permission, they will track it.”
Mary Beth Lee retired from teaching in Texas this year after 28 years as a student media adviser. She spends her time these days reading, writing, fighting for public education and enjoying the empty nester life in Downtown Fort Worth.
