An APP That Spies On Me
Privacy is prominently at the forefront of everything we do or interact with on the web. If it's not, then we have a problem. After all, the privacy debate itself has prevailed for the past twenty years, and it will certainly continue.
One need not revisit the largest penalty in history imposed against Facebook by the Federal Trade Commission (FTC): a $5 billion fine for the social media giant's violation of its consumers' privacy.
Imagine this scenario for just a moment. If I coded a completely functional app that delivers a service, and it passes the vetting process and in turn gets featured in the user's app store, then it is considered completely legitimate and non-malicious - until proven otherwise, of course.
But can this be the perfect "trojan horse" for threat actors and competing nations? Actually, yes. It's already a big problem, largely in the form of crypto wallet app scams: fully functional apps, disguised as trustworthy and available for download on the Google Play Store and the Apple App Store.
Though TikTok is not a scam, do full keystroke monitoring capabilities make the app less or more of a threat to privacy? This is a Terms of Service problem because users were not made aware of the monitoring.
Again, if I coded a legitimate app, but included a secret ability to monitor all your keystrokes… Wait a minute. I used to do that, minus the coding part! Users used to download my warez all the time over Peer-to-Peer networks.
I hosted legitimate programs, secretly injected with logging capabilities so I could capture their keystrokes, in addition to some other things, but we won't go there. Heads would roll if I was doing this today. But that is precisely what TikTok is doing. Krause explained that the injection is deliberate, not an accident or a bug in the app:
“This was an active choice the company made,” he said. “This is a non-trivial engineering task. This does not happen by mistake or randomly.”
Krause is the founder of Fastlane, which was purchased by Google in 2017. The company offers a service for testing and deploying apps.
The attack begins when TikTok users navigate to a website through a link in the app. Once this condition is met, the app inserts the illicit code, allowing TikTok to observe virtually everything the user types, interacts with, or visits within the browser, including outside websites. This covers credentials, credit card data - everything.
This is possible since the app doesn’t open pages with traditional browsers, such as Chrome or Safari.
TikTok strongly denied the allegations of violating the privacy of its users. However, the company did confirm that the in-app browser monitoring capabilities do exist in its source code but claimed TikTok is not utilizing them.
Krause's online tool, InAppBrowser.com, is self-contained and user-friendly. You can send the link to anyone. Once the link is opened inside an app, the tool produces a list of functions the app may be using to track activity, although a layperson could get a little lost in the technical terminology.
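To make the technique concrete, here is an added example (not the page's code and not Krause's InAppBrowser.com) of the kind of page-side check such a tool can run: it verifies that DOM functions commonly replaced by injected scripts are still native and lists any globals that were not present in a baseline. The target names and the baseline are assumptions for illustration, and the check is a heuristic, not proof of monitoring.

```javascript
// Matches the toString() form of a built-in (native) function.
const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

// Returns true when fn still has its built-in implementation.
// Caveat: bound functions also report "[native code]", and a script that
// overrides Function.prototype.toString can defeat this check entirely.
function isNative(fn) {
  if (typeof fn !== 'function') return false;
  try {
    return NATIVE_RE.test(Function.prototype.toString.call(fn));
  } catch (e) {
    return false;
  }
}

// Audits an object of { label: function } pairs and returns the labels whose
// function is no longer native, i.e. was replaced before the page's own
// scripts ran (typical of injected in-app browser code).
function findOverriddenApis(targets) {
  return Object.entries(targets)
    .filter(([, fn]) => !isNative(fn))
    .map(([label]) => label);
}

// Returns the own property names of a window-like object that are absent
// from a baseline list recorded in a clean browser (assumed baseline).
function unexpectedGlobals(win, baseline) {
  const known = new Set(baseline);
  return Object.getOwnPropertyNames(win).filter((name) => !known.has(name));
}

// Gathers the DOM entry points worth auditing when running inside a page.
// Assumed list: these are the hooks a keystroke or form monitor would need.
function collectBrowserTargets(win) {
  const t = {};
  if (win.document) {
    t['document.addEventListener'] = win.document.addEventListener;
    t['document.querySelector'] = win.document.querySelector;
  }
  if (win.HTMLInputElement && win.HTMLInputElement.prototype) {
    const desc = Object.getOwnPropertyDescriptor(win.HTMLInputElement.prototype, 'value');
    if (desc && desc.set) t['HTMLInputElement.value setter'] = desc.set;
  }
  if (win.XMLHttpRequest) t['XMLHttpRequest.prototype.send'] = win.XMLHttpRequest.prototype.send;
  if (win.fetch) t['window.fetch'] = win.fetch;
  return t;
}
```

In a real page you would call `findOverriddenApis(collectBrowserTargets(window))` and `unexpectedGlobals(window, baseline)` and show both lists to the user.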
TikTok's Maureen Shanahan stated:
It is important to note that while companies like TikTok and Facebook are implementing in-app browser injection, there is no indication that these companies are using the injected code to collect data, redirect user data to third-party servers, or share it with third parties.
Additionally, the research has not revealed whether the code injection inherently affects a user's identity or profile. Nevertheless, the research did produce specific examples of how other apps track user activity using techniques similar to TikTok's keystroke monitoring. Krause mentioned that the list of abilities is not exhaustive and that the scope of the information these companies are monitoring could be broader.
The revelation of TikTok's keystroke monitoring capabilities has caused privacy experts to recoil. Jennifer King, a data policy associate at the Stanford University Institute for Human-Centered Artificial Intelligence, remarked that the practice is very sneaky.
“The assumption that your data is being pre-read before you even submit it,” said King. “I think that crosses a line.”
What will you do? Keep the app or purge it? Something tells me this isn't the last we will hear about TikTok, Facebook, or the apps under the Meta umbrella. Only time will tell.
An article by