Researcher Says TikTok Can Track User Data via Keystrokes

Popular short-form video platform TikTok is drawing more unwanted attention, this time for tracking users’ keystrokes through the ByteDance-owned app’s in-app browser. The behavior was discovered by privacy researcher Felix Krause, a former Google engineer, who reported that the Chinese company embeds the tracking capability in the in-app browser that opens when a user taps an external link. Krause noted that his research is limited to Apple’s iOS platform. He did not speculate as to how TikTok uses the capability, but said he finds it troubling because it means TikTok is able to track users’ online activity if it chooses to.

“Collecting information on what people type on their phones while visiting outside websites, which can reveal credit card numbers and passwords, is often a feature of malware and other hacking tools,” The New York Times writes, noting that it is uncommon for major technology companies to release a commercial app with such a feature, although occasionally such trackers are used in testing new software.

“Based on Krause’s findings, the way TikTok’s custom in-app browser monitors keystrokes is problematic, as the user might enter their sensitive data such as login credentials on external websites,” independent software engineer and security researcher Jane Manchun Wong told NYT.

On his blog, Krause details how other social apps, including Facebook and Snapchat, use variations of the same technique, though according to his research TikTok is the only one of the apps he examined that gives users no option to open the link in their default browser instead.

“While Facebook and Instagram can use in-app browsers to track data like what sites a person visited, what they highlighted and which buttons they pressed on a website, TikTok goes further by using code that can track each character entered by users,” NYT writes.
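As an added illustration, not code from Krause’s blog, from TikTok or from any app named in this article, the following JavaScript shows the general shape of the technique the reporting describes: a script that an in-app browser injects into third-party pages and that relays each key event back to the host app, alongside a page-side check that tries to notice such a hook. It assumes a stand-in `bridge` object in place of the iOS WKWebView message handler, a constructed sample string (`hunter2`), and Node 15 or later for the built-in `EventTarget`.

```javascript
// Illustrative code written for this article (Node 15+, which has global
// EventTarget/Event). It is NOT code recovered from TikTok or any other app;
// the `bridge` object, the handler name and the typed sample are assumptions.

// 1. The injection side. An iOS host app can add a WKUserScript that runs at
//    document start inside its WKWebView; such a script can subscribe to
//    keyboard events and relay them to native code through
//    window.webkit.messageHandlers.<name>.postMessage(...). Here `bridge`
//    stands in for that handler so the example runs offline.
function installKeystrokeHook(target, bridge) {
  const onKey = (ev) => {
    bridge.postMessage({ type: ev.type, key: ev.key }); // one message per character
  };
  // Capture phase (third argument true): the hook fires before page listeners
  // and is not silenced by a page calling stopPropagation() in the bubble phase.
  for (const name of ['keydown', 'keypress', 'keyup']) {
    target.addEventListener(name, onKey, true);
  }
}

// 2. A page-side audit: wrap addEventListener and record any keyboard
//    subscriptions made after the wrapper is installed.
function auditKeyboardListeners(target) {
  const seen = [];
  const original = target.addEventListener.bind(target);
  target.addEventListener = (type, listener, options) => {
    if (/^key(down|press|up)$/.test(type)) {
      const capture = options === true || Boolean(options && options.capture);
      seen.push({ type, capture });
    }
    return original(type, listener, options);
  };
  return seen;
}

// Minimal stand-in for a browser KeyboardEvent (Node has no DOM).
class KeyEvent extends Event {
  constructor(type, key) { super(type); this.key = key; }
}

// Dispatch one keydown per character, as a user typing into a field would.
function simulateTyping(target, text) {
  for (const ch of text) target.dispatchEvent(new KeyEvent('keydown', ch));
}

// Run both orders. auditFirst = false models the real in-app case: the
// injected script is installed before any page code, so the audit sees nothing.
function demo(auditFirst) {
  const page = new EventTarget(); // stands in for `document`
  const bridge = { messages: [], postMessage(m) { this.messages.push(m); } };
  let seen;
  if (auditFirst) {
    seen = auditKeyboardListeners(page);
    installKeystrokeHook(page, bridge);
  } else {
    installKeystrokeHook(page, bridge);
    seen = auditKeyboardListeners(page);
  }
  simulateTyping(page, 'hunter2'); // constructed sample input
  return {
    relayed: bridge.messages.map((m) => m.key).join(''), // what reached the host app
    hooksDetected: seen.length,
  };
}

console.log(demo(true), demo(false));
```

The first run shows the full typed string arriving at the host-app side character by character, which is the capability the article describes. The second run is the caveat a practitioner should keep in mind: because a host app’s injected script is installed before any page code executes, a website cannot reliably detect the hook from inside the page, so the only dependable mitigation for a user is opening the link in a standalone browser rather than the app’s embedded one.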

In a statement to Forbes, TikTok described Krause’s report as “incorrect and misleading” and said the feature to which he referred was used for “debugging, troubleshooting” and general performance monitoring. “Contrary to the report’s claims, we do not collect keystroke or text inputs through this code,” TikTok told Forbes.

Krause said he couldn’t tell whether TikTok or ByteDance was actively retaining the keystroke data. “The research could raise questions for TikTok in the United States, where government officials have scrutinized whether the popular app could endanger U.S. national security by sharing information about Americans with China,” NYT reports.

Earlier this summer, FCC commissioner Brendan Carr sent a letter to Apple CEO Tim Cook and to Alphabet and Google CEO Sundar Pichai asking them to remove TikTok from their app stores, citing privacy concerns and Chinese access to U.S. consumer data.

TikTok responded with a letter of its own, from CEO Shou Zi Chew (who is also CFO of ByteDance), saying the company is doing all it can to “remove any doubt about the security of U.S. user data.”