How does TikTok spy on you on iOS?

After Facebook and Instagram, it’s TikTok’s turn to be grilled by Felix Krause.

After Meta, it’s now TikTok’s turn to go under Felix Krause’s microscope. The founder of Fastlane, an open source tool that facilitates application development on iOS and Android, looked at the case of the Chinese application. It fares little better than its predecessors, which were called out at the beginning of the week. Once again, it was the integrated web browser that particularly interested him.

Social networks carry many external links. In advertising, for example, they give direct access to the advertiser’s site. Most often, the page opens inside the application itself. For the user, this promises a smoother experience, but it is not without risk: the social network takes the opportunity to collect some information along the way.

In order to display ever more targeted advertisements, TikTok adds lines of JavaScript code to sites visited on iOS. The goal: to know what you are doing on the Internet in order to show you products that you have already seen or that catch your eye. Facebook, Instagram and TikTok all use this process, except that TikTok goes a little further. The app can also know everything you type on your precious Apple smartphones.

TikTok has access to your passwords

Felix Krause, in his study published by Forbes, details the process used. Concretely, the code integrated by TikTok can follow all your movements on the web. It can also access your passwords and identifiers. It does this by watching everything you type on your iPhone’s keyboard. Krause details: “from a technical point of view, this is equivalent to installing a keylogger on third-party websites.”

He adds, however: “Just because an app injects JavaScript into an external website doesn’t mean it’s doing anything malicious.” Even so, according to him, it is a very conscious choice. “It’s not a coincidence or a mistake. It is a choice of the company.”

Felix Krause nevertheless tempers his findings: although these applications inject code able to track users’ movements, nothing indicates that they use it to collect the data on their servers or to sell it to a third party. The developer also does not say whether this data is somehow linked to users. Facebook had, for example, confirmed to Phonandroid that the collection process was anonymous on its side.

This is also TikTok’s line of defense: the company justifies the presence of the code as a simple debugging option. “Like other platforms, we use this embedded web browser to optimize the user experience, but the JavaScript code in question is only used for troubleshooting and performance monitoring. This is what allows us, for example, to check the loading speed of a page or if it is blocking,” company spokeswoman Maureen Shanahan said in a statement.

What actions to take?

To protect your sensitive data, Felix Krause gives some tips. He invites Internet users to open this link while they are in the application in question. For example, you can send it to friends via DM. Then, you will be able to consult the report in English. Otherwise, in all cases, avoid opening a link directly in the application.

Most applications also offer to open links in your default browser. All except TikTok, which does not allow you to go through Safari or Chrome, to name a few. In this case, it is better to copy the link and then paste it manually into your favorite browser.
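
A page can produce a report like the one mentioned above by recording which event listeners get registered on it after it loads. The sketch below is an added example, not code from Krause's tool or from the original article; the function names and the list of sensitive event types are assumptions, and the demo uses a constructed `EventTarget` in place of `document`.

```javascript
// Event types that reveal typed text or form contents (list chosen for this example).
const SENSITIVE = new Set(["keydown", "keypress", "keyup", "input", "change", "paste"]);

// Wrap addEventListener on a prototype so every later registration is recorded.
// Returns the live log plus a restore() function that undoes the wrapping.
function installListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const log = [];
  proto.addEventListener = function (type, listener, options) {
    log.push({
      type: String(type),
      target: this && this.constructor ? this.constructor.name : "unknown",
      // Keep only a short preview of the handler source for the report.
      preview: typeof listener === "function" ? listener.toString().slice(0, 60) : "[object]",
    });
    return original.call(this, type, listener, options);
  };
  return { log, restore() { proto.addEventListener = original; } };
}

// Group the log by event type and flag the types that can capture what a user types.
function summarize(log) {
  const counts = new Map();
  for (const { type } of log) counts.set(type, (counts.get(type) || 0) + 1);
  return [...counts]
    .map(([type, count]) => ({ type, count, sensitive: SENSITIVE.has(type) }))
    .sort((a, b) => Number(b.sensitive) - Number(a.sensitive) || a.type.localeCompare(b.type));
}

// Constructed demo: stand-ins for listeners a host app's script adds after page load.
function demo() {
  const audit = installListenerAudit();
  const page = new EventTarget(); // stands in for `document` outside a browser
  page.addEventListener("keypress", function onKeyPress() {});
  page.addEventListener("keydown", function onKeyDown() {});
  page.addEventListener("click", function onClick() {});
  page.addEventListener("click", function onSecondClick() {});
  audit.restore();
  page.addEventListener("input", () => {}); // registered after restore: not recorded
  return summarize(audit.log);
}

console.log(demo());
```

Listeners registered before the audit is installed are not seen, so an empty report does not prove that nothing was injected.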
