Sometimes apps use in-app browsers to prevent people from visiting malicious websites or to make web browsing easier with autocomplete. But while Facebook and Instagram can use in-app browsers to track data such as which websites a person has visited, what they’ve highlighted and what buttons they’ve pressed on the site, TikTok is taking it a step further with code that can track every user character entered. Krause said.
A spokesperson for Meta, the parent company of Facebook and Instagram, declined to comment.
Mr. Krause said that TikTok’s research was limited to Apple’s iOS, noting that keystrokes would only be tracked in the app’s browser.
Like most apps, TikTok gives people few opportunities to click away from its service. Instead of being redirected to mobile web browsers like Safari or Chrome, when users click on ads or links embedded in other users’ profiles, the browser appears in the app. This is often when people enter basic information such as credit card details or passwords.
in CNN interview In July, TikTok’s chief policy officer, Michael Beckerman, denied that the company logs users’ keystrokes, but acknowledged that it monitors their patterns, such as how often they type, to protect against fraud.
Mr. Krause said he feared those tools had a “very similar structure” and could be reused to track the content of keystrokes.
“The problem is they have the infrastructure to do these jobs,” he said.