TikTok app’s built-in browser records everything you type

Did you know that some apps don’t open an external browser when you click on a link, but instead open the link in their own browser inside the app?

This allows these apps to control what you do. And among the most popular apps that do this, TikTok seems to be one of the worst.

Security researcher Felix Krause announced the release of InAppBrowser, a tool that lists all the JavaScript commands executed by an iOS app when its in-app browser renders a web page.

To demonstrate what the tool can do, Krause looked at some popular iOS apps that have a built-in browser, and the results are surprising.

Apps like TikTok, Instagram, Facebook Messenger and Facebook modify the web pages that open in the application’s browser.

This includes adding tracking code (for inputs, text selections, touches, etc.), injecting external JavaScript files, and creating new HTML elements.

They also extract metadata from the site, although Krause says this is “harmless”.

When Krause delved a little deeper into what the in-app browsers of these apps actually do, he found that TikTok monitors all user input and keystrokes.

So, if you open a webpage in the TikTok app and enter your credit card information, TikTok can access all of that information. TikTok is also the only app Krause investigated that doesn’t even offer an option to open the link in the device’s default browser, forcing you to use its own browser within the app.

In a statement to Forbes, a TikTok spokesperson confirmed the practice but says that “The Javascript code in question is only used for debugging, troubleshooting, and performance monitoring of this experiment.”

Other apps like Instagram do some monitoring as well, though none goes as far as TikTok. Snapchat behaves well, as it does not modify web pages or extract metadata from the websites you open in its in-app browser.

Krause warns that apps have a way of hiding their JavaScript activity from his InAppBrowser tool, which means they might be doing more monitoring than we’re aware of. For now, the only way to ensure you can’t be tracked is to open websites in the device’s default browser, if the app offers that option.
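
A site owner can observe part of this behaviour from inside the page by wrapping `addEventListener` before any other script runs and logging who registers input-related listeners. This is an added example, not code from Krause's InAppBrowser tool or from the article; the watch list and function names are assumptions, and it cannot see code that hides its activity from page scripts, as noted above.

```javascript
// Added example: audit which input-related listeners get registered on a page.
// The event names below are an assumed watch list, not taken from the article.
const WATCHED = new Set([
  "keydown", "keyup", "keypress", "input",
  "selectionchange", "click", "touchstart",
]);

function installListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const log = [];
  proto.addEventListener = function (type, listener, options) {
    if (WATCHED.has(type)) {
      log.push({
        type,
        target: this && this.constructor ? this.constructor.name : "unknown",
        // The stack frames show which script registered the listener.
        stack: (new Error().stack || "").split("\n").slice(2, 5).join("\n"),
      });
    }
    return original.call(this, type, listener, options);
  };
  return {
    log,
    restore() { proto.addEventListener = original; },
  };
}

// Listener types the site registers itself are expected; the rest need explaining.
function unexpectedListeners(log, expectedTypes) {
  const expected = new Set(expectedTypes);
  return log.filter((entry) => !expected.has(entry.type));
}

// Constructed demo: one listener the page owns, one it does not.
function demo() {
  const audit = installListenerAudit();
  const field = new EventTarget(); // stands in for an <input> element
  field.addEventListener("input", () => {});   // the site's own form validation
  field.addEventListener("keydown", () => {}); // simulated injected keystroke hook
  field.addEventListener("load", () => {});    // not input-related, not logged
  audit.restore();
  return unexpectedListeners(audit.log, ["input"]);
}
```

On a real page the log would be sent to the site's own telemetry endpoint, so unexplained `keydown` or `selectionchange` registrations can be compared across user agents.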
