An APP That Spies On Me

Privacy sits at the forefront of everything we do or interact with on the web. If it doesn't, we have a problem. After all, the privacy debate itself has raged for the past twenty years, and it will certainly continue.

One need not revisit the largest penalty in history imposed on Facebook by the Federal Trade Commission (FTC), a $5 billion fine, after the social media giant violated the privacy of its consumers.

So, what keeps TikTok afloat after the latest privacy revelations, in which security researcher Felix Krause discovered an in-app browser JavaScript injection that captures keystrokes entered by users, allowing it to monitor a user's browsing habits? I'm not talking about HTTP cookies. I'm talking explicitly about full-fledged spying on the user, in the same way a threat actor would.

Imagine this scenario for just a moment. If I coded a completely functional app that delivers a service, and it passes the vetting process and in turn gets featured in the user's app store, then it is considered completely legitimate and non-malicious - until proven otherwise, of course.

But can this be the perfect “trojan horse” for threat actors and competing nations? Actually, yes. It’s already a big problem, largely in the form of crypto wallet app scams, fully functional apps, disguised as trustworthy and available for download on the Google Play Store and Apple Store.

Though TikTok is not a scam, do full keystroke monitoring capabilities make the app less or more of a threat to privacy? This is a Terms of Service problem because users were not made aware of the monitoring.

Again, if I coded a legitimate app, but included a secret ability to monitor all your keystrokes… Wait a minute. I used to do that, minus the coding part! Users used to download my warez all the time over Peer-to-Peer networks.

I hosted legitimate programs, secretly injected with logging capabilities so I could capture their keystrokes, in addition to some other things, but we won't go there. Heads would roll if I were doing this today. But that is precisely what TikTok is doing. Krause explained that the injection is deliberate, not an accident or a bug in the app:

“This was an active choice the company made,” he said. “This is a non-trivial engineering task. This does not happen by mistake or randomly.”

Krause is the founder of Fastlane, which was purchased by Google in 2017. The company offers a service for testing and deploying apps.

The attack begins when TikTok users navigate to a website through a link on the app. Once this condition is met, the app then inserts the illicit code, allowing TikTok to observe virtually everything the user types, interacts with, or visits within the browser, such as outside websites. This includes credentials, credit card data - everything.

The injection makes subtle modifications to websites the user browses from the in-app browser built into the app. Therefore, when users interact with TikTok ads or follow links published on a creator's profile, the in-app browser rewrites portions of the webpages by injecting the JavaScript, which creates new commands that signal to TikTok what users are interacting with or viewing on the sites they browse.

This is possible since the app doesn’t open pages with traditional browsers, such as Chrome or Safari.

TikTok can track this activity by injecting lines of the programming language JavaScript into the websites visited within the app, creating new commands that alert TikTok to what people are doing on those websites.
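As an added example (not the article's or Krause's own code), here is how a site could check, from its own page, for the two signs described above: script elements it never shipped and built-in browser APIs that have been replaced by JavaScript wrappers. The names `hostBridge` and `example.test` and the allowlist shape are constructed for the demo.

```javascript
// Added example, not code from the article or from Felix Krause's tool: a
// page-side audit for two signs of in-app browser injection, (1) <script>
// elements the site never shipped and (2) built-in browser APIs replaced by
// JavaScript wrappers. Pure functions over a snapshot, so it runs in Node.

// A genuine built-in prints as "[native code]"; a replacement written in JS
// prints its source. A bound function also prints as native, so this is one
// signal, not proof.
function isNative(fn) {
  return typeof fn === 'function' &&
    /\{\s*\[native code\]\s*\}/.test(Function.prototype.toString.call(fn));
}

const normalize = (text) => (text || '').replace(/\s+/g, ' ').trim();

// snapshot: [{src}] for external scripts, [{text}] for inline ones; in a browser:
//   [...document.scripts].map((s) => ({ src: s.src, text: s.textContent }))
// allowlist: {srcs: Set of exact URLs, inline: Set of normalized inline sources},
// built at deploy time (in production store SHA-256 digests, as CSP hash-sources do).
function auditScripts(snapshot, allowlist) {
  const findings = [];
  for (const s of snapshot) {
    if (s.src) {
      if (!allowlist.srcs.has(s.src)) findings.push({ kind: 'unexpected-src', src: s.src });
    } else if (!allowlist.inline.has(normalize(s.text))) {
      findings.push({ kind: 'unexpected-inline', preview: normalize(s.text).slice(0, 60) });
    }
  }
  return findings;
}

// apis: {name: fn}, e.g. {addEventListener: EventTarget.prototype.addEventListener,
// fetch: window.fetch}. Returns the names that no longer look native.
function auditApis(apis) {
  return Object.entries(apis).filter(([, fn]) => !isNative(fn)).map(([name]) => name);
}

// Constructed sample: the site ships one external and one inline script; the
// third entry stands in for a script the host app injected into the page.
const SITE_INLINE = 'window.__site = { loaded: Date.now() };';
const SAMPLE_SNAPSHOT = [
  { src: 'https://example.test/static/app.js' },
  { text: '  ' + SITE_INLINE + '\n' },
  { text: "document.addEventListener('keydown', (e) => hostBridge.post(e.key));" },
];
const SAMPLE_ALLOWLIST = {
  srcs: new Set(['https://example.test/static/app.js']),
  inline: new Set([normalize(SITE_INLINE)]),
};
```

Because the host app injects its script outside the page's own loading path, a Content-Security-Policy alone will not stop it; this audit only makes the injection visible to the site so it can be reported.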

TikTok strongly denied the allegations that it violates the privacy of its users. However, the company did confirm that the in-app browser monitoring capabilities exist in its source code, but claimed TikTok is not using them.

Krause published screenshots of the JavaScript, analyzed by an online tool he developed that examines the in-app browser and determines whether it is injecting new code into websites, and what user activity the company might be observing.

The images show that the service detected the JavaScript injection, along with an explanation of the illicit functions the injected code creates and the JavaScript code in question.

The online tool is autonomous and user-friendly. You can send the link to anyone. Once the link is clicked, the tool produces a list of functions the app is possibly tracking, although a layperson could get a little lost in the technical terminology.

TikTok's Maureen Shanahan stated:

“Like other platforms, we use an in-app browser to provide an optimal user experience, but the JavaScript code in question is used only for debugging, troubleshooting and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes.”

Furthermore, the JavaScript code itself is part of a third-party software development kit (SDK), which introduces features the app itself doesn’t use. When confronted with these findings, TikTok did not respond regarding the SDK, nor offer information about the third party that provides it.

It is important to note that, while Krause's research covers in-app browser injection by companies like TikTok and Facebook, there is no indication that these companies are using the injected code to collect data, redirect user data to third-party servers, or share it with third parties.

Additionally, the research has not revealed whether the code injection is tied to a user's identity or profile. Nevertheless, it did produce specific examples of how other apps are able to track user activity using techniques similar to TikTok's keystroke monitoring. Krause noted that the list of capabilities is not exhaustive and that the scope of the information these companies monitor could be broader.

The revelation of TikTok’s keystroke monitoring capabilities has caused privacy experts to recoil. Jennifer King, a data policy associate at the Stanford University Institute for Human-Centered Artificial Intelligence remarked that the practice is very sneaky.

“The assumption that your data is being pre-read before you even submit it,” said King. “I think that crosses a line.”

What will you do? Keep the app or purge it? Something tells me this isn't the last we will hear about TikTok, Facebook, or the apps under the Meta umbrella. Only time will tell.

An article by

Jesse McGraw

Edited by

Anne Caminer
