What to Fear from TikTok's In-app Browser
If you only read headlines, you may be fearing the wrong things. But there still might be cause for concern.
A browser could sound scary if you described it this way.
"This software knows every site you visit and every character you type into every site you visit. It also knows your browsing history, your device type, operating system and pretty much every technical spec on your machine!"
But a browser needs to know those things, because, well, it wouldn't work as a browser if it didn't. Just like a navigation app needs to know your location in order to work properly. The question isn't whether a browser knows those things, but what it does with what it knows. Browsers are very closely audited by lots of people, and they generally don't send your information anywhere themselves. Not only that, but browsers also give you control over your info with the ability to delete browsing history and cached data, sometimes automatically. In fact, browsers are usually viewed as being on your side when it comes to privacy.
I bring this up because it's important context for understanding what is and isn't unusual about the stories about TikTok's iOS in-app browser. A word about in-app browsers. On iOS, an app can send you out to an external browser (Safari, Chrome, Firefox, etc.), or it can render a web page inside the app. Keeping it in-app is sometimes a better user experience. That in-app browser, like every browser on iOS, must use WebKit (an app embeds it through the WKWebView component), but it doesn't have to use all of Safari. An app can build on top of WebKit and inject its own JavaScript into every page the in-app browser loads. Facebook and Instagram do this for the tracking you already agreed to let the app do, so doing it in the in-app browser is covered by that permission. And remember, an in-app browser can do everything any browser can do, but from inside the app: an app from a company that doesn't make browsers and isn't audited as closely. The question, then, is what a company that doesn't make browsers does with the browsing information it can access.
That brings us to the TikTok story. Developer Felix Krause found that TikTok's iOS app injects JavaScript that could be used to log all input, meaning taps and typing. This is slightly different from what a browser normally does. As we noted, any browser has access to what you type and tap. But browsers don't log it for storage. To be clear, Krause found code that could be used to log. He did not find evidence that it is used to log. There is no way to know from the outside what TikTok does with this code. It may not run the code at all. It may collect the input briefly for some purpose and then discard it. It may store it in an Oracle database waiting for Larry Ellison himself to stumble upon it in an audit. It may encrypt it and use a hidden Tor service to save it straight to President Xi's laptop. We have no way of knowing other than to ask TikTok.
So what does TikTok say when asked?
"We do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring."
OK. The devil's in the details, though. TikTok says it uses the code to check page loading time and detect crashes to allow for better browser performance. That's plausible. It also repeated a previous assertion that it analyzes keystrokes to detect bot behavior and fight spam accounts. That could make sense. If key presses come exactly half a second apart every time, it's probably a bot. TikTok also said the code in question came from an SDK, so not all of it is used. It just plugged in some off-the-shelf code that can do a lot of things. Fine. That definitely happens sometimes. It's not the best developer behavior, but all right. TikTok also reminded us that the fact that code could collect something is not the same as that code being used for collection. TikTok argues that Apple's approval process would likely catch collection. Maybe. Do you believe them? That's a personal call. You're going to have to decide what you believe and act accordingly.
In the meantime, it's good to remember that TikTok isn't the only app with an in-app browser. To that end, Krause has published a tool at InAppBrowser.com that can show you what JavaScript commands an app executes as it renders the web page. If you visit InAppBrowser.com from within an app, it will report as many of the JavaScript commands that were executed as it can detect. Keep in mind that app makers can hide JavaScript commands behind something called WKContentWorld, which runs an app's injected scripts in a separate JavaScript world: the scripts still see the same page and its events, but the page's own scripts can neither see nor interfere with them, so a detector page like InAppBrowser.com can't observe them either. Which is kind of funny, since Apple introduced this in iOS 14.3 to keep websites from reaching into app-injected scripts, including using them as a signal for fingerprinting users. Basically, a website could detect injected JavaScript and use that to identify you when other tracking techniques are blocked.
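To make the three mechanisms above concrete, here is an added example written for this article; it is not TikTok's code and not the code of Krause's InAppBrowser.com. It models, with a constructed stand-in for the DOM rather than a real browser, (a) the kind of injected script that can record every keystroke and tap, (b) a page-side detector that wraps the DOM API so calls made through it are recorded, (c) why a script running in an isolated content world keeps capturing input while staying invisible to that detector, and (d) the inter-keystroke timing heuristic TikTok describes for bot detection. The names, the jitter threshold and the sample keystroke timestamps are all assumptions made for illustration.

```javascript
// Added example, not TikTok's code and not Krause's tool. The "document"
// below is a constructed stand-in for a browser DOM so the file runs under Node.

// One shared listener table (the "DOM") exposed through two distinct JavaScript
// views. `page` is the world a website's own scripts run in; `isolated` models
// a separate WKContentWorld: same events, different function objects.
function makeDocument() {
  const listeners = new Map();
  const add = (type, fn) => {
    if (!listeners.has(type)) listeners.set(type, []);
    listeners.get(type).push(fn);
  };
  const dispatch = (ev) => {
    for (const fn of listeners.get(ev.type) || []) fn(ev);
  };
  const makeView = () => ({
    addEventListener: (type, fn) => add(type, fn),
    dispatchEvent: (ev) => dispatch(ev),
  });
  return { page: makeView(), isolated: makeView() };
}

// (a) What an app-injected user script can do: subscribe to input events and
// push them into a sink the native side can read (a message handler in a real app).
function injectInputLogger(world, sink) {
  world.addEventListener('keypress', (ev) => sink.push({ key: ev.key, t: ev.timeStamp }));
  world.addEventListener('click', (ev) => sink.push({ click: ev.target, t: ev.timeStamp }));
}

// (b) A detector page wraps the API surface it cares about and records every
// call that passes through the wrapper (simplified sketch, not InAppBrowser.com).
function installDetector(world) {
  const seen = [];
  const original = world.addEventListener;
  world.addEventListener = function (type, fn) {
    seen.push(`addEventListener(${type})`);
    return original.call(this, type, fn);
  };
  return seen;
}

// (d) Humans vary their inter-key timing; scripted input often does not. Flag a
// sequence whose gaps are (nearly) constant. The 5 ms jitter bound is an assumption.
function looksScripted(keyEvents, jitterMs = 5) {
  if (keyEvents.length < 4) return false;
  const gaps = [];
  for (let i = 1; i < keyEvents.length; i++) gaps.push(keyEvents[i].t - keyEvents[i - 1].t);
  return Math.max(...gaps) - Math.min(...gaps) <= jitterMs;
}

function demo() {
  // Scenario 1: logger injected into the page world. The detector sees the
  // registration calls, and the logger sees the (constructed) keystrokes,
  // which arrive exactly 500 ms apart, so the timing heuristic flags them.
  const d1 = makeDocument();
  const seen1 = installDetector(d1.page);
  const sink1 = [];
  injectInputLogger(d1.page, sink1);
  'abcd'.split('').forEach((key, i) =>
    d1.page.dispatchEvent({ type: 'keypress', key, timeStamp: 100 + i * 500 }));

  // Scenario 2 (c): same logger in an isolated world. It still receives every
  // keystroke dispatched on the shared DOM, but the detector records nothing.
  const d2 = makeDocument();
  const seen2 = installDetector(d2.page);
  const sink2 = [];
  injectInputLogger(d2.isolated, sink2);
  [120, 310, 495, 730].forEach((t, i) =>
    d2.page.dispatchEvent({ type: 'keypress', key: 'hi!\n'[i], timeStamp: t }));

  return {
    seen1, seen2,
    typed1: sink1.map((e) => e.key).join(''),
    typed2: sink2.map((e) => e.key).join(''),
    bot1: looksScripted(sink1),
    bot2: looksScripted(sink2),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The isolated world is the whole point of the WKContentWorld caveat: the injected listener in scenario 2 captures the same text as in scenario 1, yet a page that only watches its own copies of the DOM functions has nothing to report. A detector that relies on wrapping APIs can therefore only ever prove presence, never absence.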
But not all in-app browsers are untrustworthy. Krause notes that apps that use Apple's provided SFSafariViewController to display websites in-app tend to be on the safe side. SFSafariViewController runs in its own process and does not let the host app inject scripts into the page or read what you do there, which is what makes it safer. That includes Gmail, WhatsApp and others. And almost all apps offer you the option to open a link in your default browser instead of the in-app browser. The only one Krause analyzed that didn't offer that option was TikTok.