With Apple urging users to download software updates immediately due to a vulnerability detected, and Neopets’ database being hacked and stolen, it’s been a rough few weeks for us tech consumers.
What do you mean you’ve never played Neopets before?
Anyway, this time, TikTok has found itself involved in a scandal involving its user behaviour tracking capabilities.
App’s Code Enables TikTok to Capture Keystrokes
According to Felix Krause, a Vienna-based researcher, TikTok has inserted a code into its app’s software that enables it to monitor activity like what users are tapping on when using the app.
What this means is that when users access websites through clicking a link in the app, as opposed to going through web browsers like Google Chrome or Safari, TikTok can technically capture what users are typing.
Ready for the kicker?
This means that if his allegations are true, TikTok can capture all kinds of our data, such as credit card information, addresses, passwords, and any other sensitive information.
In the report published by Mr Krause, who also reportedly has ties to Google, he stated that his tests were conducted only on Apple’s iOS operating system.
He also noted the keystroke tracking by TikTok, if any, would occur only when users are browsing third-party sites from within the app.
What he could not determine, however, is if the keystrokes were actively being tracked by TikTok and if the data was being used by the tech giant.
TikTok Responds
“Contrary to the report’s claims, we do not collect keystroke or text inputs through this code,” the TikTok communications team said.
They also clarified the use of the code in question, saying, “we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting and performance monitoring.”
Oh, this means the codes are indeed tracking keystrokes.
They reiterated their dispute of the claim, and wrote in an email responding to Vice, that “the researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects.”
Mr Krause had said that the development was concerning because it showed TikTok had built in functionality to be able to track online habits of users if it wanted to do so.
Furthermore, it was pointed out that collecting such information of what people are keying into their phones while on third-party sites is often a feature of hacking tool and malicious software.
While it is not out of the norm for big technology companies to use such trackers when testing new software, it is not common for them to include the feature in the release of a major commercial app whether or not it is enabled, the New York Times reported.
Ongoing Concerns over Bytedance’s Data Practices
The research comes amidst the ongoing concerns over the practices of Chinese Tech Company Bytedance, which owns TikTok, an American company.
Authoritative figures from the U.S Government have long claimed that China’s access to the data of U.S. users poses a threat to its national security. Despite repeated assurance from TikTok’s CEO Shou Zi Chew that it aims to keep data about its American users separate from ByteDance, it was revealed that the parent company actually could access the U.S. user data through a series of “protocols”.
Back in June, BuzzFeed News reviewed recordings of over a dozen separate statements from nine different TikTok employees showed that engineers in China had access to U.S. data from at least September 2021 through January 2022.
An employee from TikTok’s Trust and Safety department said, in September last year, that “everything is seen in China,” according to the media agency.
There’s allegedly even one Beijing-based engineer who “has access to everything”, who they’ve coined a “Master Admin.”
This just seems like a Netflix documentary waiting to happen.
Is In-App Tracking Common?
You’ve probably seen advertisements for items you were just looking at on a shopping site, so it probably comes as no surprise that social media sites like Facebook and Instagram can use in-app browsers to track data such as what sites a person visited, what they highlighted and which buttons they pressed on a website.
Apps sometimes also use in-app browsers to prevent people from visiting malicious sites or to make the online browsing experience smoother with the use of text auto-fill.
According to Mr Krause, though, the company had taken it one step further to track individual characters keyed in with each input attempt.
Better play safe than sorry I guess, and stick to the regular browsers.
Featured Image: XanderSt / Shutterstock.com