TikTok may be tracking the activity of users who leave its platform and go to third-party apps.
The video app allegedly tracks all keyboard inputs within TikTok’s “in-app browser” through a piece of extra code that the app puts into third-party websites, according to research released by security analysts. These new details arrived a week after the analysts revealed that Facebook was tracking all activity occurring within its internal browser.
“[The TikTok app on Apple devices] subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app,” wrote researcher Felix Krause in a Thursday blog post. This means the app tracks every button push a user does while using the in-app browser, including passwords and credit card information.
Krause revealed last week that Meta injected code into websites viewed via an in-app browser installed within Facebook and Instagram. A Meta spokesperson told the Guardian that “we intentionally developed this code to honor people’s [ask to track] choices on our platforms.”
“For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill,” said the company’s spokesperson.
Other tech companies denounce this sort of “cross-host tracking.” Apple has actively worked against this sort of tracking and incorporated an update in iOS 14.5 that required apps to get permission before tracking their data across apps operated by other companies. This sort of code is also being phased out by standard browsers such as Google Chrome and Mozilla Firefox. It’s unclear when Meta or TikTok began injecting code into their in-app browsers.
TikTok has been the focus of national security officials for several months. Congress has sent multiple letters to TikTok’s CEO asking for details about whether Chinese employees had access to data from users based in the United States. The company confirmed that Chinese employees can access the data, but they’re required to do so through a series of security measures. The company is moving all U.S. user data to servers operated by the cloud server company Oracle. Oracle is also in the process of reviewing the app’s algorithms to ensure there is no Chinese manipulation.
A February study found that TikTok tracks more about its users than other social apps because it allows third-party trackers additional access to user data.