How TikTok’s in-app browser threatens your privacy

Richie Koch

TikTok’s in-app browser can track every button or link you tap and every keystroke you type, according to an iOS Privacy review article from tech privacy researcher Felix Krause. This goes beyond the standard data collection we’ve sadly come to expect from social media apps in this age of surveillance capitalism. The idea that one of the largest social media platforms in the world has the capacity to monitor and record every single thing you type is shocking.

You should avoid in-app browsers

Pervasive tracking is unfortunately standard in many in-app browsers. In an earlier review of Facebook and Instagram in-app iOS browsers, Mr. Krause discovered that they insert JavaScript code into the websites you visit, allowing them to create commands that alert them to all of your activity. Using this injected code, these browsers can track “every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses, and credit card numbers”, according to Mr. Krause. However, these apps at least let you open links using your default browser.

TikTok’s in-app browser goes even further. It inserts JavaScript code to track all your interactions with a website, just like Facebook and Instagram, but it can also track your individual keystrokes. And unlike Instagram and Facebook, TikTok doesn’t give you the option to open links using your default browser. If you follow a link in TikTok, you must use its in-app browser (or copy the link and paste it into your default browser).
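
The following is an added example, not code from Mr. Krause's report or from any of the apps discussed: a page-side audit that a website owner could load before any other script to see which input events (keystrokes, taps, text selection) other scripts subscribe to. The event list and function names are assumptions, and the demo uses a constructed stand-in for the document so that it runs in Node.js as well as in a browser.

```javascript
// Added example: record which input-related events scripts subscribe to.
// SENSITIVE_EVENTS and all function names are assumptions for illustration.
const SENSITIVE_EVENTS = new Set([
  'keydown', 'keyup', 'keypress', 'input', 'click',
  'touchstart', 'selectionchange', 'copy', 'paste',
]);

function describeTarget(t) {
  if (typeof document !== 'undefined' && t === document) return 'document';
  if (typeof window !== 'undefined' && t === window) return 'window';
  return (t && t.constructor && t.constructor.name) || 'unknown';
}

// Wrap addEventListener so every later registration is logged, then
// forwarded unchanged. Must run before the scripts it is meant to observe.
function installListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const records = [];
  proto.addEventListener = function (type, listener, options) {
    if (SENSITIVE_EVENTS.has(type)) {
      records.push({
        type,
        target: describeTarget(this),
        // Capture-phase listeners see the event before the page's own handlers.
        capture: options === true || Boolean(options && options.capture),
        // The call stack helps tell the site's own scripts from injected ones.
        stack: String(new Error().stack),
      });
    }
    return original.call(this, type, listener, options);
  };
  return { records, restore() { proto.addEventListener = original; } };
}

function summarize(records) {
  const counts = {};
  for (const r of records) counts[r.type] = (counts[r.type] || 0) + 1;
  return counts;
}

// Constructed demo: a plain EventTarget stands in for `document`, and the
// three registrations stand in for what a script added to the page might do.
function demo() {
  const audit = installListenerAudit();
  const fakeDocument = new EventTarget();
  fakeDocument.addEventListener('keydown', () => {}, true);
  fakeDocument.addEventListener('click', () => {});
  fakeDocument.addEventListener('scroll', () => {}); // not in the watch list
  audit.restore();
  return { counts: summarize(audit.records), records: audit.records };
}
```

A page can only see listeners registered in its own JavaScript context, so an empty result does not prove that the host app is not observing the web view.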

What does TikTok say about its keylogging?

TikTok confirmed that the features Mr. Krause found exist but said they do not actively monitor or record user activity or keystrokes.

“Like other platforms, we use an in-app browser to provide an optimal user experience, but the JavaScript code in question is used only for debugging, troubleshooting and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes”, said TikTok’s spokesperson Maureen Shanahan in a statement to Forbes.

Essentially, TikTok is admitting that it can track all your activity and keystrokes anytime it wants — it simply has chosen not to, and it’s asking us to trust that it won’t.

TikTok’s privacy problems

TikTok’s record doesn’t indicate that it has earned this level of trust. The discovery of keylogging is the latest in a series of privacy-related scandals that have plagued TikTok, the first Chinese social media platform to be used globally. 

All of these scandals spring from TikTok’s two core issues with privacy: 

  • It collects vast amounts of data.
  • It can be forced to share that data with the Chinese government on a whim.

TikTok’s data overreach

The idea of a service’s in-app browser containing malware-like keyloggers might be shocking, but not if you read through TikTok’s US privacy policy. Under “Information We Collect Automatically”, not only does it explicitly state that it can collect “keystroke patterns or rhythms”, it also includes:

  • Your age range, gender, and interests — data TikTok infers “based on the information we have about you”
  • Your device’s IP address
  • Your search history on the platform
  • Your mobile carrier
  • Your device ID
  • Your connected audio devices
  • Your device’s operating system
  • Your time zone settings
  • The names and types of the files stored on your device

The US privacy policy also states that it “may also associate you with information collected from devices other than those you use to log-in to [TikTok]”. In other words, TikTok reserves the right to monitor information on devices it can tie to you even if you don’t use TikTok on that device. This is only a portion of the data the platform collects, but it is emblematic of the company’s drastic data surveillance overreach.

TikTok has already faced legal battles over its reckless approach to data collection. In 2021, the company agreed to a $92 million settlement to resolve a class-action lawsuit that alleged it collected data from 89 million US citizens, including minors, without their consent. This information was then shared with third parties, some of which were based in China.

The Chinese government’s access to data

As we discussed in our previous article on TikTok, TikTok is owned by ByteDance, a multi-billion dollar company based in China. Under China’s 2017 National Intelligence Law, the Chinese government can compel any Chinese company to share any information it has on its users.

In response to concern from Washington, TikTok began storing its US users’ information in data centers located in the US in 2021, hypothetically putting it outside the reach of the Chinese Communist Party. Dubbed “Project Texas”, it was ByteDance’s attempt to reassure US regulators that it takes data privacy seriously.

In June 2022, however, BuzzFeed reported that leaked audio from over 80 internal TikTok meetings revealed that US user data was repeatedly accessed by ByteDance’s China-based employees. Excerpts from these conversations include “Everything is seen in China”, and “I feel like with these tools, there’s some backdoor to access user data in almost all of them, which is exhausting”.

How you can protect your privacy

If you’re worried about TikTok or Meta surveilling your online activity using their in-app browsers, your best step is to avoid them entirely. This isn’t as hard as it may sound, because Instagram and Facebook allow you to open links using your default browser — which you should, every time, regardless of what page you are viewing.

Even better, you can copy and paste the link from those platforms into your browser directly. If you use a privacy-focused browser (for example, Firefox or Brave) and Proton VPN, you can prevent your online activity from being recorded.

TikTok makes things more difficult. TikTok doesn’t give you the option to open links in your default browser. To open a website from TikTok in your default browser, you need to:

  • Tap the link and open it in TikTok’s in-app browser.
  • Find another link on the website and long press it in TikTok’s in-app browser. This will bring up the option for you to copy that link or open it in your default browser.

TikTok will still see that you’ve visited the website, but they won’t be able to watch your browsing.

However, the best way to prevent TikTok from abusing your data is to prevent it from collecting it in the first place. While TikTok claims it’s using keylogging solely for debugging and performance monitoring, you have no way of knowing what data it’s collecting on you now — or could collect anytime in the future. We have a guide on how to delete your TikTok if you’re so inclined.

Learn how to delete TikTok and clear your data


Richie Koch

Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.
