How TikTok’s in-app browser threatens your privacy

TikTok’s in-app browser can track every button or link you tap and every keystroke you type, according to an iOS Privacy review article from tech privacy researcher Felix Krause. This goes beyond the standard data collection we’ve sadly come to expect from social media apps in this age of surveillance capitalism. The idea that one of the largest social media platforms in the world has the capacity to monitor and record every single thing you type is shocking.

You should avoid in-app browsers

Pervasive tracking is unfortunately standard in many in-app browsers. In an earlier review of Facebook and Instagram in-app iOS browsers, Mr. Krause discovered that they insert JavaScript code into the websites you visit, allowing them to create commands that alert them to all of your activity. Using this injected code, these browsers can track “every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses, and credit card numbers”, according to Mr. Krause. However, these apps at least let you open links using your default browser.

TikTok’s in-app browser goes even further. It inserts JavaScript code to track all your interactions with a website, just like Facebook and Instagram, but it can also track your individual keystrokes. And unlike Instagram and Facebook, TikTok doesn’t give you the option to open links using your default browser. If you follow a link in TikTok, you must use its in-app browser (or copy the link and paste it into your default browser).
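
One way a site owner can check for the behaviour described above is to record which interaction listeners are registered on the page after the site's own scripts are done. This is an added example, not code from the article or from Mr. Krause's research; `installListenerAudit`, `seal` and the constructed `demo` scenario are hypothetical names.

```javascript
// Added example (not from the article): audit event listeners that appear on a
// page after the site's own scripts have finished registering theirs.
// Interaction types named in the article: taps, keystrokes, selections, form input.
const SENSITIVE_TYPES = new Set([
  "click", "keydown", "keypress", "keyup", "input", "selectionchange",
]);

// `target` is any EventTarget: `document` in a browser, a plain EventTarget here.
function installListenerAudit(target) {
  const original = target.addEventListener; // inherited from EventTarget.prototype
  const records = [];
  let sealed = false;

  // Shadow the inherited method on this one object and log each registration.
  target.addEventListener = function (type, listener, options) {
    records.push({ type, afterSeal: sealed, sensitive: SENSITIVE_TYPES.has(type) });
    return original.call(this, type, listener, options); // listener still works
  };

  return {
    // Call once the site's own code has registered everything it needs.
    seal() { sealed = true; },
    // Sensitive listeners the site did not register itself.
    unexpected() { return records.filter((r) => r.afterSeal && r.sensitive); },
    // Remove the shadowing property so the inherited method is used again.
    restore() { delete target.addEventListener; },
  };
}

// Constructed scenario: one first-party listener, then two late registrations
// standing in for script added by a host app's web view.
function demo() {
  const page = new EventTarget();
  const audit = installListenerAudit(page);
  let delivered = 0;

  page.addEventListener("click", () => {});                    // site's own handler
  audit.seal();
  page.addEventListener("keydown", () => { delivered += 1; }); // late, sensitive
  page.addEventListener("scroll", () => {});                   // late, not in the set

  page.dispatchEvent(new Event("keydown"));
  const flagged = audit.unexpected().map((r) => r.type);
  audit.restore();
  return { flagged, delivered };
}
```

In a browser, pass `document` and call `seal()` at the end of the site's last script. Script that a host app injects before the page's own code, or runs in an isolated JavaScript world, never passes through this hook.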

What does TikTok say about its keylogging?

TikTok confirmed that the features Mr. Krause found exist but said they do not actively monitor or record user activity or keystrokes.

“Like other platforms, we use an in-app browser to provide an optimal user experience, but the JavaScript code in question is used only for debugging, troubleshooting and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes”, said TikTok’s spokesperson Maureen Shanahan in a statement to Forbes.

Essentially, TikTok is admitting that it can track all your activity and keystrokes anytime it wants — it simply has chosen not to, and it’s asking us to trust that it won’t.

TikTok’s privacy problems

TikTok’s record doesn’t indicate that it has earned this level of trust. The discovery of keylogging is the latest in a series of privacy-related scandals that have plagued TikTok, the first Chinese social media platform to be used globally. 

All of these scandals spring from TikTok’s two core issues with privacy: 

  • It collects vast amounts of data.
  • It can be forced to share that data with the Chinese government on a whim.

TikTok’s data overreach

The idea of a service’s in-app browser containing malware-like keyloggers might be shocking, but not if you read through TikTok’s US privacy policy. Under “Information We Collect Automatically”, not only does it explicitly state that it can collect “keystroke patterns or rhythms”, it also includes:

  • Your age range, gender, and interests — data TikTok infers “based on the information we have about you”
  • Your device’s IP address
  • Your search history on the platform
  • Your mobile carrier
  • Your device ID
  • Your connected audio devices
  • Your device’s operating system
  • Your time zone settings
  • The names and types of the files stored on your device

The US privacy policy also states that it “may also associate you with information collected from devices other than those you use to log-in to [TikTok]”. In other words, TikTok reserves the right to monitor information on devices it can tie to you even if you don’t use TikTok on that device. This is only a portion of the data the platform collects, but it is emblematic of the company’s drastic data surveillance overreach.

TikTok has already faced legal battles over its reckless approach to data collection. In 2021, the company agreed to a $92 million settlement to resolve a class-action lawsuit that alleged it collected data from 89 million US citizens, including minors, without their consent. This information was then shared with third parties, some of which were based in China.

The Chinese government’s access to data

As we discussed in our previous article on TikTok, TikTok is owned by ByteDance, a multi-billion dollar company based in China. Under China’s 2017 National Intelligence Law, the Chinese government can compel any Chinese company to share any information it has on its users.

In response to concern from Washington, TikTok began storing its US users’ information in data centers located in the US in 2021, hypothetically putting it outside the reach of the Chinese Communist Party. Dubbed “Project Texas”, it was ByteDance’s attempt to reassure US regulators that it takes data privacy seriously.

In June 2022, however, BuzzFeed reported that leaked audio from over 80 internal TikTok meetings revealed that US user data was repeatedly accessed by ByteDance’s China-based employees. Excerpts from these conversations include “Everything is seen in China”, and “I feel like with these tools, there’s some backdoor to access user data in almost all of them, which is exhausting”.

How you can protect your privacy

If you’re worried about TikTok or Meta surveilling your online activity using their in-app browsers, your best step is to avoid them entirely. This isn’t as hard as it may sound, because Instagram and Facebook allow you to open links using your default browser — which you should, every time, regardless of what page you are viewing.

Even better, you can copy and paste the link from those platforms into your browser directly. If you use a privacy-focused browser (for example, Firefox or Brave) and Proton VPN, you can prevent your online activity from being recorded.

TikTok makes things more difficult. TikTok doesn’t give you the option to open links in your default browser. To open a website from TikTok in your default browser, you need to:

  • Tap the link and open it in TikTok’s in-app browser.
  • Find another link on the website and long press it in TikTok’s in-app browser. This will bring up the option for you to copy that link or open it in your default browser.

TikTok will still see that you’ve visited the website, but they won’t be able to watch your browsing.

However, the best way to prevent TikTok from abusing your data is to prevent it from collecting it in the first place. While TikTok claims it’s using keylogging solely for debugging and performance monitoring, you have no way of knowing what data it’s collecting on you now — or could collect anytime in the future. We have a guide on how to delete your TikTok if you’re so inclined.

Learn how to delete TikTok and clear your data


Richie Koch

Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.
