TikTok’s in-app browser injects JavaScript that functions like a keylogger, but says not to worry.
We wrote last week about research showing that Meta takes advantage of the in-app browser feature on mobile devices to inject JavaScript into web pages viewed in the Facebook, Instagram, and Messenger mobile apps. Now that same researcher has found that the TikTok in-app browser injects JavaScript which functions similar to a keylogger to record all keyboard inputs and taps on page elements.Many mobile apps let users click on links and visit the linked webpages within the app, rather than opening the device’s default browser app. Apple offers a restricted Safari viewport that developers can include in their iOS apps for this purpose. However, developers can also create their own in-app browsers, and it turns out that some developers build their own in-app browsers to inject JavaScript into webpages.Felix Krause first discovered this behavior in Meta mobile apps, but he didn’t stop his searching there. After developing a rudimentary tool to detect JavaScript injection for his research on Meta apps, the researcher decided to develop this tool into one that can be used by the public.
