TikTok denies allegations of scraping users’ personal data

The popular short-video platform TikTok has denied claims that it scrapes its users' personal data, including passwords, identifiers, and other sensitive data, through its in-app browser.


Felix Krause, a developer, claimed that the TikTok iOS app contains code that lets the company monitor “all keystrokes, including passwords, and all taps.”

The developer, who previously worked with Twitter and Google, has discovered privacy and security issues in the past, Vice’s Motherboard reported.

On Twitter and in a blog post, the developer wrote that the TikTok iPhone app opens an in-app browser when a link in the app is opened.

He wrote that the app “injects tracking code” that is able to monitor all text inputs, including “passwords, and all taps,” by means of JavaScript code built into the application, and that this includes inputs on third-party websites opened within TikTok itself.

His findings were picked up by several media outlets and presented as a shocking revelation. However, Krause limited his own conclusions by adding that it is unclear what the video app uses the subscriptions for.

“This is the equivalent of setting up a keylogger on third-party websites,” he wrote, describing the behavior from a technical point of view.

During an online chat, Krause also said that his report “does not say TikTok is effectively recording and using these data.”

The developer said that his report describes how TikTok injects its own JavaScript through the application’s in-app browser, and that this code is set up to track text entries on third-party websites.

“I emphasized that I can’t talk about if and how the system is actually being used,” he said during the discussion.


TikTok, however, strongly denied this claim. The spokesman for the video-sharing platform called the report “deceptive and incorrect”.

“According to the researcher, the JavaScript does not mean that our application is malicious, and the researcher admits they have no way to know what kind of data our in-app browser collects,” the company's spokesman wrote, adding that the company does not collect “typing or text entries” via this code, contrary to the statements in the report.

TikTok also wrote that the code is used solely for “debugging, troubleshooting and performance monitoring”.

The company said the app uses an in-app browser like any other application, and denied that it logs keystrokes.

Zach Edwards, an independent researcher in the area of privacy and cybersecurity, also analyzed the code used by the video-sharing company's iOS app.

He cautioned against Krause’s conclusions, calling them “nondefinitive”. He agreed, however, that the JavaScript in the app could scrape information typed in the app.

He said that inspecting the data the application sends to its servers is the only way to confirm whether an application actually scrapes form fields such as password fields.

“Felix makes TikTok look worse than they are – which is unfortunate because they’re pretty bad,” Edwards said.

Edwards nonetheless considers in-app browsers “extremely dangerous” because they allow an application to scrape sensitive data. For this reason, he believes that Google and Apple should allow users to disable the feature.
