Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
×
Privacy Technology

TikTok's In-App Browser Could Be Keylogging, Privacy Analysis Warns (techcrunch.com) 16

Posted by msmash from the closer-look dept.
An anonymous reader shares a report: 'Beware in-app browsers' is a good rule of thumb for any privacy conscious mobile app user -- given the potential for an app to leverage its hold on user attention to snoop on what you're looking at via browser software it also controls. But eyebrows are being raised over the behavior of TikTok's in-app browser after independent privacy research by developer Felix Krause found the social network's iOS app injecting code that could enable it to monitor all keyboard inputs and taps. Aka, keylogging.

"TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app. This can include passwords, credit card information and other sensitive user data," warns Krause in a blog post detailing the findings. "We can't know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites." [emphasis his]

After publishing a report last week -- focused on the potential for Meta's Facebook and Instagram iOS apps to track users of their in-app browsers -- Krause followed up by launching a tool, called InAppBrowser.com, that lets mobile app users get details of code that's being injected by in-app browsers by listing JavaScript commands executed by the app as it renders the page. (NB: He warns the tool does not necessarily list all JavaScript commands executed nor can it pick up tracking an app might be doing using native code -- so at best it's offering a glimpse of potentially sketchy activities.)
This discussion has been archived. No new comments can be posted.

TikTok's In-App Browser Could Be Keylogging, Privacy Analysis Warns More

TikTok's In-App Browser Could Be Keylogging, Privacy Analysis Warns

Comments Filter:

  • Am I understanding this correctly that a web page can link to a page on a different domain and still have javascript from the previous page running? that sounds like a really bad thing to allow?

    kind of like a cross-site scripting attack? (which mot browsers block)

    • Re: why is this even allowed? (Score:4, Interesting)

      by Wattos ( 2268108 ) on Friday August 19, 2022 @04:26PM (#62804845)

      It's not allowed in regular browsers.

      What is happening here is that the Web page is opened from within the TikTok app with a Web view screen instead of your actual browser. Since the TikTok app has full control over the Web view, it injects Javascript into every page.

      Note, there are legitimate use cases to do exactly that (e.g. Hybrid apps, providing a native Web bridge, etc...).

      • Re: (Score:2)

        by v1 ( 525388 )

        Then that seems like something that the devie should pop up a notice telling the user what the app is trying to do and either allow or deny it?

        Like when flashlight asks for access to your address book ;) uuuhhh.. no?

        • Which would be pointless due to permission fatigue. We already have this problem on Android for every little thing a native app tries to do both at install time and run time. Now imagine how often it would pop up for a regular web browser. Given that they all try to act as a replacement for the OS itself. (Or at the very least any GUI and security framework that the OS provides.)

          The simple truth is: Never put into an app what you don't want it's creators to sell to the highest bidder.

          Personally, I don't

          • Re: (Score:2)

            by v1 ( 525388 )

            Which would be pointless due to permission fatigue.

            being a per-app thing, it should save the user's selection when they allow or deny on the first popup for the app. The user may get several popup in a row for the different things the app is trying to access, but then never again.

            • Which won't work for a web browser, as that pop up would need to be per site not per browser. I might want my-domain.com to have access to my calendar, but I don't want panopticon.gov to have access to it. Poping up the prompt once does nothing if I have to constantly dive down multiple menus deep into the damn browser to change that for every site I visit. And that's just begging to be abused by social engineering groups.

  • I visited InAppBrowser.com from my desktop, it detected browser plugins injecting code. Though it showed me what it found and I wasn't concerned.

  • Isn't Oracle meant to be reviewing the security of TikTok? Why have they let this pass?

    Or was the whole exercise always meant to be just for show?

  • Why would a Chinese-state controlled social media application that has 318 million downloads and requires extensive permissions on a phone, including your all-important contact list, and which is closed-source, POSSIBLY want to keylog? This is conspiracy theory five-times debunked do-not-question banned-from-Reddit tinfoil hat territory.

  • ...iOS' & Android's security & privacy is a dumpster fire. They're OS' designed for the advertising industry. What else does anyone expect?
  • They do not honor email unsubscribe requests.

Slashdot Top Deals

He has not acquired a fortune; the fortune has acquired him. -- Bion

Close