New independent research has revealed a range of invasive tracking capabilities in popular apps such as TikTok, Instagram and Facebook Messenger.
The research found that numerous popular apps are able to observe users' scrolling behaviour, screen taps and even keyboard input on websites opened inside the app, which potentially exposes sensitive information such as usernames, passwords and credit card details.
These findings come from a report published by security researcher Felix Krause, founder of the app automation platform fastlane, whose work has attracted major media attention since its release in early August.
Krause initially reported that the iOS Instagram and Facebook apps are able to "track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap."
A week later he followed up with a blog post that expanded on those results, comparing the data-tracking potential of several popular apps and singling out TikTok for particularly alarming practices.
So how does it work?
If you use apps such as TikTok or Instagram, you may have noticed that tapping a link within these apps does not open Safari, Chrome or another third-party browser; instead, the requested web page loads directly inside the app.
For example, links tapped within TikTok, such as ads or websites listed in creator profiles, open inside the TikTok app rather than in your phone's default browser.
This is the work of an "in-app browser": a web view embedded in the app and controlled by it, rather than a separate browser the app hands off to.
Because the app controls that web view, it can add its own functions, and the one Krause flags as both common and highly problematic is the injection of the app's own JavaScript code into the third-party websites loaded in the in-app browser.
In TikTok's case, the injected code subscribes to every keystroke, which means the app can in effect behave as a keylogger and monitor everything the user types on those pages.
Keyloggers are usually associated with cybercriminal activity, and they are particularly alarming in the context of web browsing, where users routinely log into accounts and complete online transactions.
"TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app. This can include passwords, credit card information and other sensitive user data," Krause said.
"We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third-party websites," he added.
Krause stressed that his publication does not claim TikTok is actively using its users' browsing data for analytics or other purposes, but he says he has shown proof of "a system in place that is able to track all your keystrokes" on external websites.
Is TikTok the worst offender?
In reference to the alleged keystroke tracking capabilities, Krause stated "according to TikTok, it's disabled at the moment."
However, TikTok's claims haven't always been consistent with its actions.
When it recently appeared before a parliamentary committee, TikTok seemingly neglected to mention the Chinese government's legal ability to access user data, and instead provided evidence assuring Parliament that the data of Australian users on its platform was safe.
Only months later, thanks to a whistleblower, did more of the truth about TikTok's data-sharing practices come to light.
Furthermore, TikTok seems to be particularly insistent on shepherding users towards its in-app browser.
Instagram, for example, defaults to its in-app browser but also offers a fairly accessible option, via the three-dot button in the top right corner, to open the page in the default browser instead.
TikTok, however, does not display a similar option for off-app browsing, leaving users to either copy and paste a provided website link into their default browser manually, or continue using TikTok's in-app browser.
Bring on the bans
Before this research, the common assumption was that in-app browsers existed simply to keep users' attention inside the host app.
These latest findings indicate that, beyond retaining attention, in-app browsers can hand app providers a range of tracking capabilities that go well beyond anything the feature requires.
The ethics and necessity of these alleged tracking capabilities are questionable to say the least, and to make matters worse, Krause suggests the JavaScript that in-app browsers inject will soon be harder to detect.
Since iOS 14.3, Apple has supported running an app's JavaScript in a specified "content world": a separate JavaScript environment that shares the page's DOM but not the page's own global variables and functions.
Code run this way is invisible to scripts running on the page itself, so a website (or a detection tool that runs as a web page, like Krause's) cannot tell that anything was injected, even though the injected code can still see every tap and keystroke on the shared page; if apps such as TikTok and Instagram adopt it, detecting tracking activity from the outside will become much harder.
Given the questionable nature of in-app browsers and the increasing capability to hide their JavaScript activity, Krause declared, "I believe that Apple and Google should, and will, start banning in-app browsers."