TikTok denies allegations of scraping users' personal data

• TikTok denies claims of "scraping" its users' passwords, credentials and other sensitive data. 
• A developer alleged TikTok’s iOS app contains code, letting company monitor “all keystrokes, including passwords, and all taps.”
• His findings were picked up by websites of several media outlets.

The popular short-video platform TikTok denied claims of "scraping" its users' personal data including passwords, credentials and other sensitive data through its in-app browser.

Felix Krause, who is a developer, alleged that TikTok’s iOS app contains a code that allows the company to monitor “all keystrokes, including passwords, and all taps.”

The developer who had previously worked with Twitter and Google found out about privacy and security issues in the past, Vice’s Motherboard reported. 

Taking to his Twitter and a blog post, the developer wrote that the iPhone app of TikTok opens an in-app browser when a link within the app is opened.

He wrote that the application “injects tracking code” which is capable of monitoring all text inputs, including “passwords, and all taps” due to some JavaScript code built within the app including those on third party websites in TikTok itself.

His findings were picked up by websites of several media outlets, making it an upsetting revelation. However, Krause limited his own findings by adding that it’s difficult to know what the video-making app uses the subscription for.

“This is the equivalent of installing a keylogger on third party websites,” he wrote, citing his view from a technical perspective.

During a chat online, Krause also said that his report "doesn’t say TikTok is actually recording and using this data.”

The developer said that he talked about the way TikTok inserts JavaScript using their in app browser which has code set to track text inputs on third party websites.

“I emphasised how I can’t talk about if and how the system is actually being used,” he said during the chat.

TikTok, however, has strongly denied the allegation. The video-sharing platform’s spokesperson called the report "misleading and incorrect”.

“The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects,” the application’s spokeperson wrote, adding the applications do not collect “keystroke or text inputs” via this code — contrary to the report's claims.

TikTok also wrote that the code is exclusively used for “debugging, troubleshooting, and performance monitoring”.

The app uses an in-app browser like other application and denied logging keystrokes.

Zach Edwards, an independent privacy and cybersecurity researcher, has also analysed the code utilised by the video-sharing company’s iOS app.

He warned against Krause’s findings terming it “not definitive”. He did, however, agree that the JavaScript within the application “could scrape” typed information in the app.

He said that monitoring the kind of data the application sends to its servers is the only way to confirm if an app actually scrapes forms such as password form fields.

“Felix is making TikTok look worse than they are — and that’s unfortunate because they are pretty bad,” Edwards said.

Edwards, however, deemed in-app browsers to be “wildly dangerous” because they allow app to scrape sensitive data, which is why he thinks that Google and Apple should allow users to disable the feature.