A Recent Privacy Risk That All TikTok Users Must Be Aware Of

I believe it doesn’t sound offensive when I say that social media users of which I am one have become so careless and carefree in recent times. Reason being that they are only concerned in the users’ experience they get on the surface, their satisfaction doesn’t go beyond the pictures  they post, the online videos they make and the subsequent likes, dislikes ,emojis and comments they get on these social media platforms.

But beyond that, what really happens in the background? what other unnecessary advantages do such platforms take off their users leveraging their degree of ignorance plus their lack of awareness.

This blog is aimed at informing you of a recent development in TikTok and other apps that you have been making use of and why you might have a reason to worry and be more cautious when on some of these platforms.

Please don’t forget to drop a comment and share this article if you find it educative and eye-opening.

TikTok the popular video sharing app which has millions of users across the continents embedded a JavaScript code in their in-app browser. This code has the ability of monitoring what you do on external websites. That is, when you click a link on the TikTok platform, to access the link, TikTok doesn’t redirect you to your default browser say chrome, safari or Opera. Rather what TikTok does is to open the external link with their made browser (in-app browser). But be careful that’s just one side of the coin.

The other side being more fearful is that using the line of programming JavaScript language code, TikTok can be able to track down every activity and every move you’re making on external web pages; this includes also your keystroke.

Let’s pull up a scenario where you decide to make a payment on the link you opened, this implies that the newly modified code has the propensity of alerting TikTok of your credit card details, your age, your darkest secrets that you didn’t want to be out there in the open even monitors when you highlight text on websites. More annoyingly, your keystroke is being monitored. If you type in a password which most times is hidden, this injected line of programming code monitors your keypad to see the exact alphabets, numbers, symbols and your password combination in general, when you clear and make change to the password or any input, TikTok by virtue of their code will capture all. Like I said now you have a good reason to worry.

Basically what TikTok does is when users click on any external website or ad, TikTok doesn’t open that link immediately, instead they first inject lines of the JavaScript language into the web page the user is visiting, these lines hence creating commands for whatsoever the people are up to on those sites.

Felix Krause who first made this discovery is a software private researcher based in Vienna; he was a former Engineer at the Tech giant company Google and also the founder of Fastlane, this service is used for app testing and deploying but was acquired by Google over five years ago.

Felix Krause carried out a private research on in-app browsers and his focus was on the big name social media companies which had the inclusion of Meta owned Whatsapp and Facebook, Instagram, Snapchat, TikTok, Amazon and Robinhood.

After his test, he was able to discover that while some of these apps were faulted in having the capacity of monitoring users’ activities on external pages, only TikTok appeared to monitor users’ keystroke which he saw as strange hence the question as to why TikTok should be monitoring more activities than all other counterpart platforms. Felix Krause suggested that this was not just a random or coincidental action by the company but rather a conscientious ploy by TikTok although he couldn’t state exactly their major motive.  Krause in an attempt to remedy this effect released a tool that will allow people check whether a browser they are making use of injects any new codes into websites and same time check the activities such company may be monitoring. To use the tool, just send the link InAppBrowser.com to a friend in direct message or have a friend send you the link. If the link is clicked on, the tool will give a rundown of what the app is monitoring. Unfortunately, this tool has a limitation being that the terms decoded are still shown in programming terms and a layman can’t make any meaning out of it.

In their defense, TikTok didn’t try to deny the existence of such a code, they agreed that such lines do exist in their in-app browser but not to maliciously compromise the privacy of their esteemed users, the codes according to TikTok’s representative Maureen Shanahan are intended for such actions which include debugging, troubleshooting, checking the speed of opening pages, page crashes and also monitoring user experience on external sites.

TikTok further explained that  the supposed javaScript code is nothing but a third-party SDK (Software Development Kit ), that is a set of tools which finds usage in app building and maintenance, although TikTok refused to answer the all crucial question about the third party.

This research carried out by the twenty eight year old Felix Krause pose a tendency of raising questions for TikTok in several countries, government officials might show concern on whether the popular app TikTok is sharing information about their citizens with China since it is a Chinese based company.

Debate has been raised by countries like the United States which is probably at present not the best friend to the Chinese Government, this debate focused on the capacity of this shared information in endangering United State National Security, this potential tracking if not checked can compromise privacy in even election integrity.

TikTok kept on pushing back these trailing attacks claiming that their company still clings to their mandate of holding privacy as one of their initiatives “for any action that requires a user to share information, such as registering to vote, users will be directed away from TikTok onto the website for the state or relevant non -profit in order to carry out the process” the company mentioned in their official blog post “TikTok will not have access to any of that off-platform data or activity, contrary to the report’s claims, we do not collect keystroke or text inputs through this code”.

Reacting to this sudden discovery, another independent software engineer and security researcher who doubles in studying apps for new features Jane Manchun stated that “Based on Krause’s findings, the way TikTok’s custom in-app browser monitors keystrokes is problematic, as the user might enter their sensitive data such as login credentials on external websites”. Jane Manchun also went on to say that this In-app browser of TikTok could “extract information from the user’s external browsing sessions, which users find overreaching”.

Jennifer King who is another privacy and data policy fellow at the Stanford University Institute for Human Centered Artificial Intelligence also lent her voice “It’s very sneaky, the assumption that your data is being pre-read before you even submit it I think that crosses the line”

It’s not something most of us are not aware of that the majority of big Tech companies use their in-app browsers to open external websites and making use of it they amass data to enhance their targeted advertising machines, so you shouldn’t be surprised about this tracking by the in-app browser. But one criterion that should have been considered before embedding such codes should be making people aware of such in their privacy terms so that users will use such platforms at their own risk.

Let us state this for factual purposes, scooping information on what people type on their phones while they visit external websites, which have the ability of revealing their credit card numbers and passwords, is often times used as a feature in malware and some other hacking tools. Most of the big tech companies make use of these trackers when they want to engage on new software testing, but for a commercial app and one as popular as TikTok to embed such a feature though they claimed it is not enabled still raises suspicion.

Though there exists an option for users to open the external links using their default browser (Chrome or Safari) but this option is not even known by many to be in existence and moreover the TikTok platform will still take you to its in-app browser first. Felix Krause in his suggestion said that the best thing to do now is that TikTok industry should offer people the option of accessing links through their phone’s default browser only. Well, the suggestion has been made but it is up to the ByteDance Company TikTok to buy the suggestion or not hence continue defending that they still uphold privacy despite the discovery.

I thought of ending this post with an advice on your TikTok usage but I believe at this point you will be wise enough to know not to put delicate information when you access an external webpage through your TikTok account, if you have a link you want to access and there is a chance that you will input confidential texts. upload confidential documents, make transactions or type in login details that should only be known to you, the best option should be to copy the link and then paste it on your default browser, I guess by doing that, you must have saved yourself a whole lot of uncertainties which may or may not arise in the nearest future.

The writer wishes to get a feedback from you regarding the above article so feel very free to drop a comment in the comment section or share this article.