How TikTok’s in-app browser threatens your privacy


TikTok’s in-app browser can track every button or link you tap and every keystroke you type, according to an iOS Privacy review article from tech privacy researcher Felix Krause. This goes beyond the standard data collection we’ve sadly come to expect from social media apps in this age of surveillance capitalism. The idea that one of the largest social media platforms in the world has the capacity to monitor and record every single thing you type is shocking. 

You should avoid in-app browsers

Pervasive tracking is unfortunately standard in many in-app browsers. In an earlier review of the Facebook and Instagram in-app browsers on iOS, Mr. Krause discovered that they insert JavaScript code into the websites you visit, allowing the apps to create commands that alert them to all of your activity. Using this injected code, these browsers can track “every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses, and credit card numbers”, according to Mr. Krause. However, these apps at least let you open links using your default browser.

TikTok’s in-app browser goes even further. It inserts JavaScript code to track all your interactions with a website, just like Facebook and Instagram, but it can also track your individual keystrokes. And unlike Instagram and Facebook, TikTok doesn’t give you the option to open links using your default browser. If you follow a link in TikTok, you must use its in-app browser (or copy the link and paste it into your default browser).
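For site owners who want to check whether something other than their own code is listening for taps and keystrokes on their pages, here is an added example (not code from Mr. Krause's article or from any of the apps discussed). It wraps `addEventListener` and records registrations that arrive after the site's own scripts have finished; `installListenerAudit`, `summarize` and `constructedDemo` are hypothetical names, and the demo input is constructed.

```javascript
// Added example; installListenerAudit and summarize are hypothetical names.
const WATCHED = new Set(["keydown", "keypress", "keyup", "input", "click", "selectionchange"]);

function installListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const state = { sealed: false, findings: [] };
  proto.addEventListener = function (type, listener, options) {
    // Before seal() the site's own scripts are registering; ignore those.
    if (state.sealed && WATCHED.has(type)) {
      state.findings.push({
        type,
        target: this && this.constructor ? this.constructor.name : "unknown",
        // Two caller frames: where the registration came from.
        origin: String(new Error().stack).split("\n").slice(2, 4).join(" | ").trim(),
      });
    }
    return original.call(this, type, listener, options);
  };
  return {
    seal() { state.sealed = true; },            // call once the site's scripts have run
    report() { return state.findings.slice(); },
    uninstall() { proto.addEventListener = original; },
  };
}

// Count late registrations per event type, e.g. { keydown: 1, click: 2 }.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.type] = (counts[f.type] || 0) + 1;
  return counts;
}

// Constructed demo: one listener from the "site", then three registered later.
function constructedDemo() {
  const audit = installListenerAudit();
  const page = new EventTarget();               // stands in for document
  page.addEventListener("click", () => {});     // site's own handler
  audit.seal();
  page.addEventListener("keydown", () => {});   // late registration, watched
  page.addEventListener("click", () => {});     // late registration, watched
  page.addEventListener("scroll", () => {});    // late, but not a watched type
  const result = summarize(audit.report());
  audit.uninstall();
  return result;
}
```

A page can only see listeners registered in its own JavaScript context after this script runs, so a host app that injects earlier or in a separate script context will not appear in the report.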

What does TikTok say about its keylogging?

TikTok confirmed that the features Mr. Krause found exist but said they do not actively monitor or record user activity or keystrokes.

“Like other platforms, we use an in-app browser to provide an optimal user experience, but the JavaScript code in question is used only for debugging, troubleshooting and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes”, said TikTok’s spokesperson Maureen Shanahan in a statement to Forbes.

Essentially, TikTok is admitting that it can track all your activity and keystrokes anytime it wants — it simply has chosen not to, and it’s asking us to trust that it won’t.

TikTok’s privacy problems

TikTok’s record doesn’t indicate that it has earned this level of trust. The discovery of keylogging is the latest in a series of privacy-related scandals that have plagued TikTok, the first Chinese social media platform to be used globally. 

All of these scandals spring from TikTok’s two core issues with privacy: 

  • It collects vast amounts of data.
  • It can be forced to share that data with the Chinese government on a whim.

TikTok’s data overreach

The idea of a service’s in-app browser containing malware-like keyloggers might be shocking, but not if you read through TikTok’s US privacy policy. Under “Information We Collect Automatically”, not only does it explicitly state that it can collect “keystroke patterns or rhythms”, it also includes: 

  • Your age range, gender, and interests — data TikTok infers “based on the information we have about you”
  • Your device’s IP address
  • Your search history on the platform
  • Your mobile carrier
  • Your device ID
  • Your connected audio devices
  • Your device’s operating system
  • Your time zone settings
  • The names and types of the files stored on your device

The US privacy policy also states that it “may also associate you with information collected from devices other than those you use to log-in to [TikTok]”. In other words, TikTok reserves the right to monitor information on devices it can tie to you even if you don’t use TikTok on that device. This is only a portion of the data the platform collects, but it is emblematic of the company’s drastic data surveillance overreach.

TikTok has already faced legal battles over its reckless approach to data collection. In 2021, the company agreed to a $92 million settlement to resolve a class-action lawsuit that alleged it collected data from 89 million US citizens, including minors, without their consent. This information was then shared with third parties, some of which were based in China. 

The Chinese government’s access to data

As we discussed in our previous article on TikTok, TikTok is owned by ByteDance, a multi-billion dollar company based in China. Under China’s 2017 National Intelligence Law, the Chinese government can compel any Chinese company to share any information it has on its users. 

In response to concern from Washington, TikTok began storing its US users’ information in data centers located in the US in 2021, hypothetically putting it outside the reach of the Chinese Communist Party. Dubbed “Project Texas”, it was ByteDance’s attempt to reassure US regulators that it takes data privacy seriously. 

In June 2022, however, BuzzFeed reported that leaked audio from over 80 internal TikTok meetings revealed that US user data was repeatedly accessed by ByteDance’s China-based employees. Excerpts from these conversations include “Everything is seen in China”, and “I feel like with these tools, there’s some backdoor to access user data in almost all of them, which is exhausting”.

How you can protect your privacy

If you’re worried about TikTok or Meta surveilling your online activity using their in-app browsers, your best step is to avoid them entirely. This isn’t as hard as it may sound, because Instagram and Facebook allow you to open links using your default browser — which you should, every time, regardless of what page you are viewing.

Even better, you can copy and paste the link from those platforms into your browser directly. If you use a privacy-focused browser (for example, Firefox or Brave) and Proton VPN, you can prevent your online activity from being recorded.

TikTok makes things more difficult. TikTok doesn’t give you the option to open links in your default browser. To open a website from TikTok in your default browser, you need to:

  • Tap the link and open it in TikTok’s in-app browser.
  • Find another link on the website and long press it in TikTok’s in-app browser. This will bring up the option for you to copy that link or open it in your default browser.

TikTok will still see that you’ve visited the website, but they won’t be able to watch your browsing.

However, the best way to prevent TikTok from abusing your data is to prevent it from collecting it in the first place. While TikTok claims it’s using keylogging solely for debugging and performance monitoring, you have no way of knowing what data it’s collecting on you now — or could collect anytime in the future. We have a guide on how to delete your TikTok if you’re so inclined.
