Software engineer and security researcher Felix Krause looked into the coding built into Tiktok, the Chinese-produced app's infrastructure, which led to this revelation. Users who click on links on Tiktok are led into a native in-app browser they produced, and not default browsers like Safari or Google Chrome.
While Tiktok does not have the feature enabled at the moment, the infrastructure is still in place. Krause explained that the problem is that the company has the infrastructure and systems in place to be able to track keystrokes.
A Tiktok spokesperson said the code is in place for "debugging, troubleshooting and performance monitoring" purposes, adding that they do not collect keystrokes or text inputs through the code, which is solely used for the above-mentioned processes. (Related: Android messages and dialer apps quietly send data to Google, report alleges.)
After looking into the coding for Instagram, Krause came to a similar conclusion, saying that the platform's infrastructure is also able to log phone taps and click on images.
When Instagram users click on links in the app, they are also brought to an in-app browser that could track sensitive and personal information. Meta operates in a similar manner in their in-app browser as well.
However, a Meta spokesperson refuted that any private information was being harvested.
"We use in-app browsers to enable safe, convenient, and reliable experiences, such as making sure auto-fill populates properly or preventing people from being redirected to malicious sites. Adding any of these kinds of features requires additional code. We have carefully designed these experiences to respect users’ privacy choices, including how data may be used for ads," the spokesperson said.
Krause, who is also the founder of Fastlane, a testing platform for Android and iOS apps acquired by Google five years ago, said he has been looking into the risks of in-app browsers for several years. However, the increased use of Big Tech companies spurred him to look at the code behind each platform.
He then released a report on his findings after creating a security tool, called the InAppBrowser.com, for anyone to see what apps can track them when using in-app browsers.
So far, it can recognize what apps like Tiktok, Instagram and Meta can track, but it is still unable to point out specific data that each app chooses to collect, transfer or use. (Related: Study: Many health apps share sensitive medical data with third parties, leaving patients at risk of potential privacy loss.)
Bruce Davie, a leading computer scientist and Systems Approach co-founder, said app behavior of this nature undermines user confidence in e-commerce.
"It's alarming to see how much information can be tracked that people aren't aware of–including potentially any user interaction with a website," he said, adding that the issue seems to be widespread, with the tracking code observed at Facebook, Instagram and Tiktok.
Krause also noted that apps in their infancy use these types of data to find errors and debug before scaling. They usually later delete the functionality, but Tiktok seems to have failed to do so.
"Those [data tracking abilities] should not end up in the final version of the app that has been used by millions of people," Krause said. "That's not something that happens by mistake, especially at a company this size."
Visit BigTech.news for more information about privacy issues on social media sites.
Watch the video below about why digital privacy is an illusion.
This video is from the What is happening channel on Brighteon.com.