Felix Krause, the founder of Fastlane and a software researcher, recently published a report about the popular social app TikTok.
According to Krause, JavaScript code embedded in the in-app browser is currently being used to track keystrokes, screen taps, copied text, and so on.
Krause considers this a major security risk. TikTok claims that this code is only used for debugging and is never used to track or log a user’s information while they use the app.
TikTok is widely regarded as one of today’s most popular mobile apps, particularly among the young.
That statement certainly holds weight, with 2.6 billion downloads since its launch in 2016, and TikTok’s claims of up to one billion active global users.
TikTok has been the subject of numerous security concerns in the past, with even FCC Commissioner Brendan Carr urging Apple and Google to remove it from their respective app stores.
These concerns were recently heightened by the publication of a report by Felix Krause, a well-known software researcher and the founder of Fastlane.
According to Krause, TikTok has JavaScript code embedded in its in-app browser, which is used when users tap on links while scrolling through the app.
He points out that the mere presence of code embedded in the browser is unremarkable, because nearly all apps with integrated browsers, including Facebook, Instagram, and Snapchat, use this type of code. The issue is what the JavaScript code intends to do while the user interacts with the browser.
Krause explains that the code tracks the location of screen taps as well as what text a user copies while in the browser. Most importantly, the code records every single keystroke a user makes while inside the browser.
Krause observes that the first two points are not as concerning. Screen taps and copied text are also tracked by several apps. During his testing, TikTok was the only app that logged keystrokes in any way. Krause insists that this is a major security concern for users.
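A website owner can check for the three behaviours described above from inside the page itself. The following is an added example, not code from Krause's report or from TikTok: it wraps `addEventListener` early in page load and records registrations for keystroke, tap and clipboard events. The names `SENSITIVE_EVENTS`, `installListenerAudit` and `summarize` are hypothetical.

```javascript
// Added example: page-side audit of event-listener registrations.
// Event names below are standard DOM events; the grouping is this sketch's own.
const KEY_EVENTS = ["keydown", "keypress", "keyup", "input"];   // keystrokes
const TAP_EVENTS = ["click", "touchstart", "pointerdown"];      // screen taps
const CLIP_EVENTS = ["copy", "cut", "selectionchange"];         // copied text
const SENSITIVE_EVENTS = new Set([...KEY_EVENTS, ...TAP_EVENTS, ...CLIP_EVENTS]);

// Wrap addEventListener so every registration for a sensitive event is recorded.
// Must run before any other script on the page to be useful.
function installListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const findings = [];
  proto.addEventListener = function (type, listener, options) {
    const name = String(type).toLowerCase();
    if (SENSITIVE_EVENTS.has(name)) {
      findings.push({
        type: name,
        target: (this && this.constructor && this.constructor.name) || "unknown",
        // The stack helps tell the page's own scripts from injected ones.
        stack: String(new Error().stack).split("\n").slice(2, 5).join("\n"),
      });
    }
    // Always forward to the real implementation so the page keeps working.
    return original.call(this, type, listener, options);
  };
  return {
    findings,
    uninstall() { proto.addEventListener = original; },
  };
}

// Count findings per category discussed in the article.
function summarize(findings) {
  const summary = { keystrokes: 0, taps: 0, clipboard: 0 };
  for (const f of findings) {
    if (KEY_EVENTS.includes(f.type)) summary.keystrokes++;
    else if (TAP_EVENTS.includes(f.type)) summary.taps++;
    else if (CLIP_EVENTS.includes(f.type)) summary.clipboard++;
  }
  return summary;
}
```

Listeners registered before this wrapper is installed, or from a JavaScript context isolated from the page, do not appear in `findings`, so an empty result does not prove that nothing is listening.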
TikTok was quick to dispute Krause’s claim, saying that the JavaScript code for keylogging, screen tap data, and logging copied links from users is only used for debugging.
The company also states that the code was included in a “third-party software development kit,” also known as an SDK, and that the functions of concern within the code are not being used or monitored by TikTok.
However, when asked about it, TikTok refused to answer questions about the SDK or who created it. The rise of TikTok has sparked massive debate. Since its inception, there have been concerns about TikTok’s parent company’s ties to the Chinese government.