TikTok is reading all the keystrokes you enter into its app, even if they’re meant for another site

Jerry Galvin
3 min readAug 19, 2022

A researcher who found that Facebook and Instagram inject tracking code into web pages opened inside their apps wrote a follow-up report. In it, the researcher noted that the TikTok app is able to capture every keystroke you enter into a third-party website viewed through its in-app browser.

This means that if you open a non-TikTok web page inside the TikTok app, the app can read sensitive information such as your login credentials for third-party sites or your credit card details. For example, if you log in to your Google account or a work account through a link opened inside the TikTok app, TikTok could in principle obtain those credentials.

There is no evidence that TikTok actually collects information this way, and TikTok says it does not collect information from non-TikTok websites opened through its app, but nothing technical stops the app from doing so in the future. TikTok is owned by China-based ByteDance.

Watch what you install

Important to note in all these situations: any app you install on your phone is capable of reading whatever data you enter into it, whether that data was meant for the app itself or for a third-party page shown inside the app's built-in browser.

A good rule: if you aren't comfortable with a specific company or app potentially reading your passwords for other sites or your credit card data, don't enter that data through the app's built-in browser. Open the link in your phone's default browser instead.

More importantly, don't install apps from a source you don't generally trust. The walled gardens of the Google and Apple app stores make it appear that apps are curated, but realistically the most you can hope for is an automated check that an app isn't doing anything obviously nefarious. There are far too many apps for these companies to manually review each one for advanced or subtle malware.

How can I check an app?

All hope isn't lost. You can test whether an app's built-in browser is injecting code into the third-party sites you open through it.

The researcher wrote a web page, inappbrowser.com, that shows whether an app is injecting scripts into websites you open through it. To use it, you need to get the app to open the page in its in-app browser. The quickest way is to use the app's DM or posting feature to send yourself a link to the site, then tap that link from inside the app.

Even if the site comes back clean, on iOS there is still a possibility that the app is injecting code: a check that runs inside the page can only observe code that runs after the page's own scripts or in a context the page can inspect, and a platform can let an app run JavaScript before that or in a context the page cannot see. Unfortunately, there is no way to be 100% sure that an app is safe. You just need to make sure that you trust the source of the app. If you don't trust the source, you should probably delete it, or be very careful about what information you enter into it.
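The two halves of the check described above, as an added example written for this article (it is not code from the original post or from inappbrowser.com): a simulation in plain Node.js of what a host app can do once it injects JavaScript into a page shown in its in-app browser, and a page-side monitor that records the signs a page can see. The DOM stand-in, the tracker URL (tracker.example) and the page origin (page.example) are hypothetical. The second scenario models an app whose script runs before any page script, which the monitor cannot observe: a clean result is not proof of a clean app.

```javascript
// Added example (not code from the original article or from inappbrowser.com).
// Simulates (1) a host app injecting a keystroke logger into a third-party page
// and (2) a page-side monitor that looks for signs of such injection.

// Minimal stand-in for the pieces of the DOM this example needs, so it runs
// outside a browser (constructed for the example; a real page uses `document`).
function makeFakeDocument() {
  const listeners = {};
  const doc = {
    scripts: [],
    addEventListener(type, fn) {
      (listeners[type] = listeners[type] || []).push(fn);
    },
    // Fire a key event at every registered listener, like a real keypress.
    fireKey(key) {
      for (const fn of listeners.keydown || []) fn({ type: 'keydown', key });
    },
    createElement(tag) {
      return { tagName: tag.toUpperCase(), src: '', textContent: '' };
    },
    head: null,
  };
  doc.head = {
    appendChild(el) {
      if (el.tagName === 'SCRIPT') doc.scripts.push(el);
      return el;
    },
  };
  return doc;
}

// What an abusive in-app browser could inject into any third-party page:
// a keystroke logger that buffers every key and reports each line on Enter,
// plus a tracker script tag. `exfil` stands in for the app's native bridge.
function hostAppInjectsKeylogger(doc, exfil) {
  const buffer = [];
  doc.addEventListener('keydown', (ev) => {
    if (ev.key === 'Enter') {
      exfil(buffer.join(''));
      buffer.length = 0;
    } else {
      buffer.push(ev.key);
    }
  });
  const s = doc.createElement('script');
  s.src = 'https://tracker.example/inapp.js'; // hypothetical tracker URL
  doc.head.appendChild(s);
}

// Page-side monitor: run it as the page's first script. It wraps the DOM
// entry points an injector would use and records keystroke listeners and
// script tags that the page itself did not add.
function installInjectionMonitor(doc, allowedScriptOrigins) {
  const report = { keystrokeListeners: [], foreignScripts: [] };
  const KEY_EVENTS = new Set(['keydown', 'keyup', 'keypress', 'input']);

  const origAdd = doc.addEventListener;
  doc.addEventListener = function (type, fn) {
    if (KEY_EVENTS.has(type)) report.keystrokeListeners.push(type);
    return origAdd.call(this, type, fn);
  };

  const origAppend = doc.head.appendChild;
  doc.head.appendChild = function (el) {
    if (el.tagName === 'SCRIPT') {
      const origin = el.src ? new URL(el.src).origin : '(inline)';
      if (!allowedScriptOrigins.has(origin)) {
        report.foreignScripts.push(el.src || '(inline)');
      }
    }
    return origAppend.call(this, el);
  };
  return report;
}

// Types a password into the page and returns what the monitor saw and what
// the injected logger leaked. `injectBeforeMonitor` models an app that runs
// its script before any page script (e.g. at document start), which the
// monitor cannot observe.
function runScenario(injectBeforeMonitor) {
  const doc = makeFakeDocument();
  const leaked = [];
  const exfil = (line) => leaked.push(line);
  const allowed = new Set(['https://page.example']); // the page's own origin
  let report;
  if (injectBeforeMonitor) {
    hostAppInjectsKeylogger(doc, exfil);
    report = installInjectionMonitor(doc, allowed);
  } else {
    report = installInjectionMonitor(doc, allowed);
    hostAppInjectsKeylogger(doc, exfil);
  }
  for (const key of [...'hunter2', 'Enter']) doc.fireKey(key);
  return { report, leaked };
}

// Run stand-alone with: node inapp_monitor.js
console.log(JSON.stringify(runScenario(false)));
console.log(JSON.stringify(runScenario(true)));
```

In the first scenario the monitor reports one keystroke listener and one foreign script, and the logger still leaks the typed password; in the second the password leaks just the same but the report is empty, because the injector ran before the monitor existed. That is why a clean result from any in-page check, including the one on inappbrowser.com, rules out only the injection the page was able to see.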

Jerry Galvin has over 16 years of experience in engineering and cybersecurity operations. He currently specializes in vulnerability management.
