ProtonBlog(new window)

How TikTok’s in-app browser threatens your privacy

Share this page

TikTok’s in-app browser can track every button or link you tap and every keystroke you type, according to an iOS Privacy review article(new window) from tech privacy researcher Felix Krause. This goes beyond the standard data collection we’ve sadly come to expect from social media apps in this age of surveillance capitalism. The idea that one of the largest social media platforms in the world has the capacity to monitor and record every single thing you type is shocking. 

You should avoid in-app browsers

Pervasive tracking is unfortunately standard in many in-app browsers. In an earlier review of Facebook and Instagram in-app iOS browsers(new window), Mr. Krause discovered that they insert JavaScript code into the websites you visit, allowing them to create commands that alert it to all of your activity. Using this injected code, these browsers can track “every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses, and credit card numbers”, according to Mr. Krause. However, these apps at least let you open links using your default browser.

TikTok’s in-app browser goes even further. It inserts JavasScript code to track all your interactions with a website, just like Facebook and Instagram, but it can also track your individual keystrokes. And unlike Instagram and Facebook, TikTok doesn’t give you the option to open links using your default browser. If you follow a link in TikTok, you must use its in-app browser (or copy the link and paste it into your default browser).

What does TikTok say about its keylogging?

TikTok confirmed that the features Mr. Krause found exist but said they do not actively monitor or record user activity or keystrokes.

“Like other platforms, we use an in-app browser to provide an optimal user experience, but the JavaScript code in question is used only for debugging, troubleshooting and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes”, said TikTok’s spokesperson Maureen Shanahan in a statement to Forbes(new window).

Essentially, TikTok is admitting that it can track all your activity and keystrokes anytime it wants — it simply has chosen not to, and it’s asking us to trust that it won’t.

TikTok’s privacy problems

TikTok’s record doesn’t indicate that it has earned this level of trust. The discovery of keylogging is the latest in a series of privacy-related scandals that have plagued TikTok, the first Chinese social media platform to be used globally. 

All of these scandals spring from TikTok’s two core issues with privacy: 

  • It collects vast amounts of data.
  • it can be forced to share that data with the Chinese government on a whim. 

TikTok’s data overreach

The idea of a service’s in-app browser containing malware-like keyloggers might be shocking, but not if you read through TikTok’s US privacy policy(new window). Under “Information We Collect Automatically”, not only does it explicitly state that it can collect “keystroke patterns or rhythms”, it also includes: 

  • Your age range, gender, and interests — data TikTok infers “based on the information we have about you”
  • Your device’s IP address
  • Your search history on the platform
  • Your mobile carrier
  • Your device ID
  • Your connected audio devices
  • Your device’s operating system
  • Your time zone settings
  • The names and types of the files stored on your device

The US privacy policy also states that it “may also associate you with information collected from devices other than those you use to log-in to [TikTok]”. In other words, TikTok reserves the right to monitor information on devices it can tie to you even if you don’t use TikTok on that device. This is only a portion of the data the platform collects, but it is emblematic of the company’s drastic data surveillance overreach.

TikTok has already faced legal battles over its reckless approach to data collection. In 2021, the company agreed to a $92 million settlement(new window) to resolve a class-action lawsuit that alleged it collected data from 89 million US citizens, including minors, without their consent. This information was then shared with third parties, some of which were based in China. 

The Chinese government’s access to data

As we discussed in our previous article on TikTok(new window), TikTok is owned by ByteDance, a multi-billion dollar company based in China. Under China’s 2017 National Intelligence Law(new window), the Chinese government can compel any Chinese company to share any information it has on its users. 

In response to concern from Washington, TikTok began storing its US users’ information in data centers located in the US in 2021, hypothetically putting it outside the reach of the Chinese Communist Party. Dubbed “Project Texas(new window)”, it was ByteDance’s attempt to reassure US regulators that it takes data privacy seriously. 

In June 2022, however, BuzzFeed(new window) reported that leaked audio from over 80 internal TikTok meetings revealed that US user data was repeatedly accessed by ByteDance’s China-based employees. Excerpts from these conversations include “Everything is seen in China”, and “I feel like with these tools, there’s some backdoor to access user data in almost all of them, which is exhausting”.

How you can protect your privacy

If you’re worried about TikTok or Meta surveilling your online activity using their in-app browsers, your best step is to avoid them entirely. This isn’t as hard as it may sound, because Instagram and Facebook allow you to open apps using your default browser — which you should, every time, regardless of what page you are viewing. 

Even better, you can copy and paste the link from those platforms into your browser directly. If you use a privacy-focused browser(new window) (for example, Firefox or Brave) and Proton VPN(new window), you can prevent your online activity from being recorded.

TikTok makes things more difficult. TikTok doesn’t give you the option to open links in your default browser. To open a website from TikTok in your default browser, you need to:

  • Tap the link and open it in TikTok’s in-app browser.
  • Find another link on the website and long press it in TikTok’s in-app browser. This will bring up the option for you to copy that link or open it in your default browser.

TikTok will still see that you’ve visited the website, but they won’t be able to watch your browsing.

However, the best way to prevent TikTok from abusing your data is to prevent it from collecting it in the first place. While TikTok claims it’s using keylogging solely for debugging and performance monitoring, you have no way of knowing what data it’s collecting on you now — or could collect anytime in the future. We have a guide on how to delete your TikTok if you’re so inclined.

Learn how to delete TikTok and clear your data(new window)

Protect your privacy with Proton
Create a free account

Share this page

Richie Koch(new window)

Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.

Related articles

What is 3-2-1 backup
Data backup is vital for businesses and individuals alike: In case something happens to your primary computer, you always have a copy of your data to fall back on.  How should you approach backup, though? The 3-2-1 rule can act as a guide when decid
What was your first pet’s name? In what city were you born?  We’ve all had to answer these questions to reset a long-forgotten password, but consider how that works. Much of this information is easy to find for others (or easily forgotten by you), m
In the early days when Proton started, we often received a question along the lines of “I love the product and what Proton stands for, but how do I know you will still be around to protect my data 10 years from now?”  Ten years and 100 million accou
Credential stuffing is a popular type of cyberattack where attackers take login credentials and use them on thousands of websites, hoping to fraudulently gain access to people’s accounts. It’s an effective attack, but fortunately, one that’s easy to
With Skiff abruptly shutting down operations, many people are on the lookout for alternatives that don’t compromise on privacy — and won’t suddenly disappear. People were attracted to Skiff because it promised privacy, no ads, end-to-end encryption,
Skiff is dead. On Feb. 9, the email company Skiff announced it was being bought by Notion. Many Skiff customers have been shocked by this news, as their inboxes have been sold out from under them. Skiff gave people six months to export their data be