A security expert has discovered that TikTok’s in-app browser monitors every interaction that the user makes in it. The researcher, Felix Krause, has created a website that acts as a tool to identify the JavaScript commands that are executed by iOS apps.
For those unaware, Android and iOS allow apps to embed their own in-app browsers, powered by the platform's default browser engine (Chrome on Android, Safari's WebKit on iOS). This is called a WebView, and it is usually implemented to let users open URLs without switching to another app. But it's not always safe to use these in-app browsers.
How to check if an in-app browser is tracking you?
1. Open the app that you want to check.
2. Send the following link in a message to someone (or yourself), or create a post on social media. https://inappbrowser.com/.
3. Tap on the URL, and let the app open it using its in-app browser.
4. It will load the website with a page that will display the details about how the app is tracking you.
The source code of the website is available on the project’s GitHub repo. Here is a chart that tells us how some of the most popular apps fared in the test.
What does the web-app check?
It detects whether an app allows links to be opened in the default browser (in this case, Safari). Interestingly, TikTok does not allow users to open links in a different browser.
The website also detects any changes made to the page by the app, i.e. whether it injects JavaScript code. Such changes can be used to track user interactions (taps, input, text selection, etc.). The site tells you if an app runs a script to fetch metadata. And finally, it also displays the JavaScript code that it managed to detect.
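Added example, not code from inappbrowser.com or its GitHub repo: two checks a probe page loaded in a WebView can run to notice script injection by the host app, a wrapper around a native event API (detected because native functions stringify to "[native code]") and script elements added to the page after load. The `findHookedApis`, `findInjectedScripts` and `wrappedPush` names are this example's own.

```javascript
// Added example, not code from inappbrowser.com: two checks a probe page
// can run inside a WebView to notice script injection by the host app.

// Native browser functions stringify to "... { [native code] }"; a wrapper
// installed by injected script exposes its own source instead. (Caveat:
// bound functions and Proxy traps also report "[native code]".)
function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  const src = Function.prototype.toString.call(fn);
  return /\{\s*\[native code\]\s*\}\s*$/.test(src);
}

// Names of the listed APIs on `target` that no longer look native.
function findHookedApis(target, names) {
  return names.filter((name) => !isNativeFunction(target[name]));
}

// Summarise <script> nodes from a list of DOM-like nodes
// ({ nodeName, src, textContent }), e.g. a MutationRecord's addedNodes.
function findInjectedScripts(nodes) {
  const found = [];
  for (const node of nodes) {
    if (String(node.nodeName).toUpperCase() !== "SCRIPT") continue;
    found.push({
      src: node.src || null,
      inline: node.src ? null : String(node.textContent || "").slice(0, 200),
    });
  }
  return found;
}

// Browser-only wiring (skipped under Node): watch the whole document for
// scripts added after load and report hooked event APIs.
if (typeof document !== "undefined" && typeof MutationObserver !== "undefined") {
  new MutationObserver((records) => {
    for (const r of records) {
      const scripts = findInjectedScripts(r.addedNodes);
      if (scripts.length) console.log("injected script(s):", scripts);
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
  console.log("hooked APIs:",
    findHookedApis(EventTarget.prototype, ["addEventListener", "removeEventListener"]));
}

// Constructed sample: a JavaScript wrapper around a native function, the
// shape an injected event hook would have.
const nativePush = Array.prototype.push;
function wrappedPush(...args) { return nativePush.apply(this, args); }
```

A script the app injects before the page's own code runs never shows up as a mutation, which is why the native-function check complements the observer. Neither check sees native-side hooks installed below the JavaScript layer.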
The biggest offender seems to be TikTok's in-app browser: it tracks every tap (read: keystroke) that the user makes in it, like a keylogger. So it could gather any data entered in it, including your passwords, credit card details, etc.
Here are some screenshots that we took after running the tests.
Instagram in-app browser privacy check
Facebook in-app browser privacy tests
Images courtesy: Jay
I checked the Telegram app on my friend’s phone, and it seems to be fine.
What can you do to protect yourself?
It's quite simple: stop using the in-app browser in apps. Whenever you come across a link, open it in the default web browser instead. If that doesn't work, you can copy the URL to the clipboard and paste it into the browser manually. This doesn't work in all scenarios; for example, TikTok's in-app browser does not allow you to copy and paste text from it.