Convopage
See the entire conversation
๐ฅ New Post: Announcing InAppBrowser - see what JavaScript commands get injected through an in-app browser
๐ TikTok, when opening any website in their app, injects tracking code that can monitor all keystrokes, including passwords, and all taps.
krausefx.com/blog/announcin…
602 replies and sub-replies as of Aug 19 2022
InAppBrowser.com - a new tool I used to investigate the in-app browsers of apps (that use them) to look for any external JavaScript code being injected.
When opening a website from within the TikTok iOS app, they inject code that can observe every keyboard input (which may include credit card details, passwords or other sensitive information)
TikTok also has code to observe all taps, like clicking on any buttons or links.
Continuing to analyse the Instagram iOS app, I found something new:
Besides injecting pcm.js (as covered last week), Instagram also injects JavaScript code to observe all taps happening inside their in-app browser, like clicking on buttons, links or images.
As of iOS 14.3, apps can easily hide their JavaScript activities from websites using WKContentWorld.
Hence, it becomes more important than ever to find a solution to end the use of custom in-app browsers for showing third party content.
Apps that use the recommended SFSafariViewController approach, don’t have any of those problems.
Even with the WKContentWorld system, there is no way the iOS app can inject JS code into external websites, making it the safest choice for the user.
Wow, what an honour to have my work featured on @Forbes
Including statements by TikTok confirming the code I found exists and does what I expected.
forbes.com/sites/richardn… via @richardjnieva
Seems like a good whistle to have blown. I'm surprised any alternate instance of a browser is even allowed in iOS.
#Apple is complicit in allowing these apps the level of access to the device and operating system that has given such unprecedented powers of surveillance and tracking of users.
Why would they need to know your keystrokes to find out why a page is loading slow?
They’re probably not interested in bulk tracking. This sounds to me like a capability that can be turned on for select users when the govt “asks” (you may guess which govt).
Sounds like something both China and the US would ask for. ๐ค
Haha what a blatant lie again
Anyone who is surprised that the CCP surveillance state uses all means to surveil Americans... They need to pull their heads out of the sand.
They think you are crazy at that time
“We’re not using it.”
#ReplaceThemAll we must replace the bank an hedge fund shill or deal with the laws they put on us!!!!!!!!! #ReplaceThemAll don't forget HUIZENGA is on the financial committee!!!!! 38k from hedge fund an banks no problem there
Lol look how bill huizenga voted while being on the efing financial committee of this country
Is TikTok an outlier app that does this? Curious how common this scary practice is.
And Twitter? I've always been a Hard No for letting apps use internal browsers because of crap like that, but we might as well see all the damage.
seemed like an odd omission
Apps that use the recommended SFSafariViewController approach, don’t have any of those problems.
Even with the WKContentWorld system, there is no way the iOS app can inject JS code into external websites, making it the safest choice for the user.
thanks!! missed that somehow
Super interesting and necessary info. Thank you for posting
Did you get paid?
Well deserved!
So if I open a link in TikTok but then choose to open that link in an outside browser, do those codes get injected?
Apparently TikTok lacks the option to open a link in the default browser. twitter.com/hipsterelectro…
I wonder why someone that used to work for Twitter would deliberately make one of their largest competitors look bad?
Nice work Felix!
“we have all this information but we’re not using it. (trust us.)”
Forbes is such a trash organization. They're in tight competition with Bloomberg to see who can puke out the most misinformation.
Is the code loaded from external sources or is it baked into the corresponding app. If the JS code is loaded from external sources, network-wide ad-blocker like AdGuard or PiHole could block those requests and the JS is never injected ๐ค
We introduce tracking code for ศracking.
But its not for tracking.
It's for... other things.
Like, tracking, for example.
But never for tracking.
“@tiktok_us strongly pushed back at the idea that it’s tracking users in its in-app browser.
The company confirmed those features exist in the code, but said TikTok is not using them.”
So… why is the feature in the code then?
And how do we know they won’t START using it?
"We built this turbo-charger for gathering uniquely valuable data on individual users. But we don't gather the data."
Yeah.
That makes sense. Although, if the Party was using it to spy, they'd have enabled it for Chinese users.
I mean, they just said they don't use it. That should mean we are all ok.
This is some Halloween 3 shit
Are there any precautions a person can take if they’ve already opened a link from Tik-Tok app ?
We don't use it... ๐คช
Good work man
Yeah it's a bit scary but also a failure of the JavaScript event system having no way to bind to specific keys to add hotkeys... only a global "give me the entire keyboard firehose" approach.
Sorry it's in Danish, but TikTok offers "Open in Browser" on the version I have.
Of course, always use that option :)
This advice seems over-confident. Do you really know whether these companies are stealing credit card details or passwords? What if the Chinese Communist Party asks TikTok for historic info on a political target? Just because you haven’t seen it doesn’t mean its not happening.
If Apps use one of these two interfaces is their data also removed by Settings->Safari->remove cookies and other website data?
Hmm I don't see the Google app on that list, and I'm pretty sure they don't open your default browser when you click a search result (almost typed "link", but that's not what it is, is it :))
Did you check the Google app?
SFSafariViewController has many limitations , we use it in a few places we want to display a full screen browser like for site registration, in others we use wkwebview or just inject directly into the javascript engine, bottomline most apps use multiple methods to access the web
Also its important to point out analytic collection isn't always dubious sometimes its used to determine what functions a user uses most frequently and this in turn can drive development of similar functions or maybe functions to eliminate.
also there are ways of collecting third party site analytics that this iappbrowser utility will not catch.
does a website having a Content-Security-Policy forbidding unsafe-eval stop this from working?
I’d probably be in favor of requiring a site association or a new entitlement to get eval rights in your webview. I guess there would be too much collateral damage to impose this though.
Not related, but also interesting: I found that TikTok’s API tracks everything they can (including battery percentage, number of sessions), even before you accept their privacy rules. Just to fetch some data for the user you look at.
Schon ziemlich krass, wie viele Daten #TikTok beim Aufruf der Website vom Rechner auf die eigenen Server überträgt. Und ich habe noch nicht einmal den Cookies zugestimmt ๐
And yes, they could use some of the data directly at their server, BUT not all of the data and it shows that it’s not just a theory but what they actually do.
BTW, could you find out which data they actually send back to the servers? And if they include the scripts in Europe as well?
That should get them rejected from the App Store @Apple
Self regulating markets ๐
Is this why TikTok does not have an “open in safari” option?
Software-embedded spyware runs a risk to proprietors of being uncovered and the company exposed.
Eventually, these services will switch to FramsaredAI chatbots for clandestine data collection. It is an inevitability.
are you able to confirm or disprove that these apps are able to keylog when the app is not active, for example within another app on the iOS device? You are talking about an "in-app browser." So I assume this logging is limited to that?
yeah the logging can only happen within the tiktok app. IOS apps are sandboxed and can not effect other apps. When opening a link in tiktok you are never leaving the tiktok app and although there are some technical limitations you are basically browsing the web using tiktok
that's what i thought. While the OP was very specific, I'm some misinterpretation of this thread, where naturally people assume this is getting into all the typing they do. What do you suggest we do?
actually its quite simple, don’t open links within any kind of in app browser. Copy paste the link and use your favorite browser. In app browsers are not malicious by default and can cover some app use cases, which would be difficult otherwise, but casual browsing is not a case.
I confirm the answer from @lsc_amor.
In regards to each of your points to tik tok, it is common in digital marketing to observe user behavior to view pain points and ways to improve UX on mobile/desktop. Those programs typically block payment information and passwords from being fully shown for safety purposes
There is a big difference between logging stuff on your website/app and logging stuff on any website your user opens.
As an IOS developer/reader of that thread, you should know that apps don't actually steal any credit cards, passwords, addresses, and other information
Okay. So we are basing that every app will/can do so based on an app that was removed?
I think it’s hard to make any statement about all 5M+ available apps that holds water
Yes, the CCP is concerned about our safety๐คฃ๐คก
I think most social media apps do that
Thank you for this reply. It is always about TikTok everyday
I wonder if apps like AliExpress which do a Paypal popup screen could be gathering PayPal login credentials/passwords like that?
Finally non click bait info on this. media reporting has been scant on details . Thank you
Would that effect websites having a locked-down CSP (ie: no unsafe-inline)?
(No comment)
I guess their GDPR compliance definitely doesn’t cover this
(No comment)
Is this only on ios or also android? ๐จ Because i actually used my credit card in the tiktok browser
I wonder why Apple doesn’t ban all these shady apps? Maybe because they get a cut from the profits?
Possibly that and also if you ban too many “popular” apps, then they start getting viewed as “uncool” (like blackberry was)
Well, or the popular apps get annoyed users who want them to fix their shit. I for one would like to see how it pans out. Would be a win-win for society.
As if Facebook, Twitter and Snapchat doesn't do the same?
Zetachainๆต่ฏ็ฝๆดปๅจ
NFT + ็ฉบๆไปฃๅธ
1. ๆต่ฏไบคๆขๅ่ฝ๏ผlabs.zetachain.com/leaderboard?co…
2.ๅ
ณๆณจไปฃๅธ๏ผtwitter.com/zetablockchain
3.้ขๅnft๏ผgalaxy.eco/ZetaChain/camp…
ZetaLabs
ZetaLabs is a place where the ZetaChain community can help contribute to ZetaChain development by helping test and grow the network.
labs.zetachain.com
heya @kasperskyuk does your mobile app protect against this vulnerability ta
Lol literally any “click” or “tap” or “key down”event listener does the same. Forget about the listeners, what functions are being called on click, tap or keydown?
How is this iOS compliant? @Apple
An app can observe keystrokes in another app only the keystrokes made in TikTok are relevant.
Never using the in-app browser again
This is why youtube shorts is better ;) (this is a joke for those who need this context)
Question: this is for iOS. What about Android?
I really am not interested in reading your thread. All I know is that Americans are hell bent on destroying TikTok
You guys are nothing but jealous. All Social media apps including Facebook, Instagram & Snapchat commit these petty crimes too but nobody talks about them
Facebook has been in a data leak saga for more than 5 years but nobody is badmouthing them. It's always about TikTok. Go and sleep of you have nothing doing!
"nobody talks about them"?
The CEO of Facebook litterally testified before US congress... with similar actions in other countries. The outcome of which is still unfolding.
Many, many people were talking about it. The difference is TikTok is *encouraged* by CCP to do this shit.
Are they out right owned by the CCP like TikTok? We see you. Commie propagandist ๐๐
Mira @valdes_meylin a ti que tanto te gusta, es un peligro el tiktok ese
Omg ๐ฌ๐ณ tienes razón, voy escuchar menos esa cosa
i'm shocked.............. ๐ซค
Doh! You mean social media is a great way to collect copious amounts of info on a person? Who knew? That is how they make their money, of course they do it!
(No comment)
This chart is inaccurate. For Instagram, you can’t open normal posts in browser directly. You can copy a link, but Tiktok lets you do this too. Sponsored posts allow you to open in default Browser in Instagram, but Tiktok lets you do this too. They have the same browser options.
Note the “open in safari” button in Tiktok. It behaves the exact same way as the “open in browser” button in Instagram.
it thinks twitter on android is a "third-party iOS browser" [both through the actual app, and through the site as installed via "add site to home screen"]
In the US, it’s better to use Telegram instead of these cluster trackers apps like FB messenger.
I don't know anyone who actually uses fb messenger lol, it's as dead as icq
You feel safer by using app created by people from russian intelligence?
LMAO
Tell me about WhatsApp?
This should be incredibly worrying for people who use iOS crypto wallets, since they often rely on their in-app browsers to connect the wallet to the blockchain to perform transactions.
๐ฌ
This is excellent info - Please do Twitter
This is not accurate, you are deliberately making TikTok look worse in the chart when they should have the same number of green boxes
twitter?
One more app suggestion: Klarna
I don't see Twitter and reddit apps
I'll read the article but are you seeing that they ping that info to some endpoint?
I dont think the page can see the subsequent step
Can't it see if the code references a URL?
injected JS can piggy back additional JS with those call back urls (it may not be in the visible, unobfuscated code)
the best way is to observe all the network calls to see if data is being written back to servers
Facebook messenger injects code from @iab - Interactive Advertising Bureau to all external links. ๐ต๏ธ unless Iab-pcm could be something else ?
The code pcm.js isn't minified, and contains this disclaimer; "This code is injected in in-app browsers to help aggregate conversion events from pixels setup by businesses on their website, before those events are used for targeted advertising or measurement purposes."
So this all goes away if Apple hard deprecates WKWebView ?
I doubt AAPL will do that because lots of apps depend on WKWebView for legit reasons. AAPL could require that apps list all the domains they want to connect to via WKWebView, and require an entitlement for browser-builders.
Think how many years it took to fully deprecate UIWebView
I think WKWebView still has good uses for rendering HTML views but I'd like to see apple ban in-app Browsers that aren't SafariViewController or at least tighten the restriction on what apps are doing with them.
I say they should hard deprecate all web views. Force apps to render native views and stop offering crappy web-backed experiences. ๐ฅ
I’ve cut back on Electron apps and just use their websites on Safari now. They are just web apps anyway. Why add the extra overhead?
I like having a slot in my task switcher for the specific app. If slack had PWAs like Google Meet does, I'd probably use the browser version as well.
Yes, that’s the hard part of switching an app to yet another browser tab. #Safari
How much time do you think the facebook team needs to create their own web view? Two weeks?
Yeah, don’t encourage them. They’ll probably do that anyway at some point for the sweet sweet metrics.
My point exactly - if all your business is based on harvesting human data relying on someone else's webview seems inefficient
Apple would reject it. Firefox got gecko running on iOS, and Apple rejected it.
I think if facebook puts half its staff on this for a week or two they'll have a server-side rendered web view in no time ๐ฅด or is there a rule against using a custom web view specifically?
There is a rule about using a custom web view specifically. This is why Firefox Gecko got rejected.
It seems like AAPL could limit the domains you can connect to from a WKWebView like they did for app URLs, and then require an entitlement for proper browser apps.
I doubt AAPL will do that because lots of apps depend on WKWebView for legit reasons. AAPL could require that apps list all the domains they want to connect to via WKWebView, and require an entitlement for browser-builders.
Anti-anti-competitive folks will loose their shit thought ๐ฃ
But that will also deprecate other browsers?
I doubt AAPL will do that because lots of apps depend on WKWebView for legit reasons. AAPL could require that apps list all the domains they want to connect to via WKWebView, and require an entitlement for browser-builders.
Why would you ever want that, this can also be used to build useful wonderful apps. People should just stop using apps that harm them.
How would non-tech people know if the app harm them? How many of us knew that before reading this thread? I never thrusted in app browsers, but most people don’t even understand how this work.
I truly believe that OS vendors should close anything that can be used as a back door.
By talking about it and showing what they are doing. By closing anything that can be used to do nasty things we are also killing a lot of amazing things that could be. We are narrowing the possible, this is how we kill exploration and innovation.
That isn’t a solution. Most people do not understand the gravity of having these things available. The door just needs to be shut.
It is not surprising that they don't understand the risks of it, while most don't even know these kinds of things are possible.
As long as what these apps are doing is not illegal, there is absolutely zero reason to shut them down. People can’t have it both ways, either you agree to use privacy invasive apps or you don’t.
Is registering users' keystrokes on 3rd party websites legal?
We can't trust the companies to be ethical, they won't do that if not forced to.
You can't just have something that can be used as a backdoor without any sort of control over it.
You are expecting companies that are in the business of selling your personal information to not sell your personal information? Good luck with that.
No, I'm not. But there's a huge difference between data collected on the company's app and potentially sensitive data collected on 3rd party websites.
Did you disagree when Apple introduced the tracking transparency feature?
The tracking transparency feature does not actually prevent apps from tacking its users, otherwise we wouldn't be having this discussion. The real question is: do you trust Facebook, TikTok etc… to do right by you?
Apps Continuing to Track Users Despite Apple's Privacy Prompt
Apple is facing increasing pressure to tighten its App Tracking Transparency rules after it was found that third parties are using workarounds to...
macrumors.com
I was talking about Apple’s interference. And no, I don’t trust any of these companies, but letting the back door unrestrictedly open for them to abuse is a mistake.
For sure users should be educated.
But you are responsible for the exploitable software you deliver to them.
I don’t think Apple should interfere if nothing illegal is happening. Injecting javascript into a page is *not* a security issue. The app is working exactly as it was designed. I’m not sure what Apple can do in this case. We’ll see.
Injecting JavaScript is 100% a security issue even if it was designed that way.
And apple takes steps constantly to prevent malice even if it is legal.
That’s a good thing. Be better than shitty, outdated American laws.
Injecting javascript can be used for many things (e.g. filing your passwords automatically from the keychain). It’s definitely not a security issue in-and-of itself. Here it’s used for shitty purposes yes but the solution is not to nuke the technology.
It is a security issue when Facebook/Instagram are allowed to inject JS code into a 3rd party website without any kind of consent. How can it not be a security issue if someone's Amazon credentials leak due to an injected JS that registered the keystrokes from within a web view?
It’s very likely that Facebook/Instagram’s privacy policy covers this and consent has been granted. If someone’s credentials leak because of this then it would be very bad indeed and they would be to blame for leaking the credentials.
For any purposes, it was a leak on Amazon, or any other website, not a Facebook leak.
If I share a link to your website on TikTok, the user can to to your website and fill in some sensitive info that now TikTok might have access to. If that’s not a security issue I don’t know how to call it.
If they were to do that then TikTok would be to blame. TikTok would be the security issue, not javascript injection. That’s all I’m saying.
TikTok IS to blame. But once Apple sees that someone is being nefarious, I believe they have a responsibility to take actions to mitigate or eliminate that.
TikTok will probably remove all their injections, it's not worth the bad press. That would be the best outcome I think.
Ha! I highly doubt that.
They already claimed they only do this for debugging and not to collect anything. If it's true then it doesn't seem like it's worth the trouble. But we'll see.
You have so much trust in TikTok and I don’t get it.
I have zero trust in TikTok but they have the spotlight on them and it's only a matter before researchers find exactly what they are doing and they know that.
*only a matter of time
Don’t get me wrong, I understand the valid uses for JS injection. The app I’m currently working on uses web views pretty heavily and we manipulate the one by injecting JS.
I didn’t say shut down the app. I said Apple should shut the door to that web view type. Deprecate it hard.
Legality is not a good argument for morality. Just because it’s legal, doesn’t mean it should be acceptable.
You certainly do not have to accept it: don’t use the app. It’s not for Apple to decide to kill app functionality that are not illegal. If you agree to the privacy policy and use the app, then you agree to be tracked.
You can't assume the average user has the same privacy awareness that tech people have.
I know. I’m saying let’s continue to educate people. I’ve talked to non-tech people who continue to use Facebook, in fact they know all about their nasty business and to my dismay they still don’t want to stop using it. They accept to be tracked in exchange of the service.
I get your point. But how many people did you talk about it? How many people don’t know shit about their nasty business?
In my experience, people know that Facebook does stuff with their data. But in general, people have no clue what that really means. So sure, they “choose” to give up their data. But it isn’t informed consent. People should know what is happening with their information.
I agree 100% about that, the more people know about what’s happening with their data, the better.
We've been talking about strong and unique passwords for a long time, did it work?
If something can be used as a backdoor, it must be closed. Do we need to deprecate it? No, we need to patch it. OS vendors could drop support for injecting JS into web views.
I think it makes sense for web view content, like when you need to access your own website from a web view within the app. And limiting the list of websites that the app can inject JS into would be really nice.
Time to get rid of the operating systems themselves then
They should just ban its use for in app browsers and force SFSafariViewController
Nothing to see here.
should we trust TikTok to NOT harvest passwords of millions of American's, kids, etc.?
@deepsee_io @GretchenSPeters @jason_kint @dsearls @johnnyryan @CastiglioneJohn @johnwilander @PrivacyMatters @hessiejones @AlaricAloor @kfranasz
Why should we
I don't trust Tiktok but FB and IG do essentially the same code injection ๐๐พ
twitter.com/alaricaloor/st…
Since it's in the news that FB and IG apps use the in-app browser and inject their own JS into the web pages users visit after clicking an ad link within FB or IG, here is an excellent breakdown of what's happening ๐๐พ
krausefx.com/blog/ios-priva…
so, does the meta injection log keystrokes as well? big difference between seeing the sites i go to and the passwords i put in.
We’re following this story, curious to see where it nets out
Scoop: Oracle begins auditing TikTok's algorithms
The plan is part of Chinese-owned TikTok's larger effort to show U.S. authorities it's not a security threat.
axios.com
you might find this interesting and of course you won't be surprised that apps are injecting code into sites you visit...
๐ฅ New Post: Announcing InAppBrowser - see what JavaScript commands get injected through an in-app browser
๐ TikTok, when opening any website in their app, injects tracking code that can monitor all keystrokes, including passwords, and all taps.
krausefx.com/blog/announcin…
Github link at the end doesn't seem to be working?
I knew I’d forget something! Here we go, it’s public now:
GitHub - KrauseFx/InAppBrowser.com: Showcasing what the Instagram in-app browser does under the hood
Showcasing what the Instagram in-app browser does under the hood - GitHub - KrauseFx/InAppBrowser.com: Showcasing what the Instagram in-app browser does under the hood
github.com
thank you!
Insightful work, Felix. I’m happy to use SFSafariViewController in my app that’ll be released her shortly, though I do wish they would give developers more flexibility with it as doing so could seriously improve the efficacy of my app.
Good job Felix. I wonder since years why there is no allow-list required for web views in apps plist files.
And just out of curiosity, what about Pinterest? I would expect that’s part of their daily living income.
Can we kill Pinterest? It is a cancer on the Internet and they've gamed Google search result, to the point that search is useless. WHY GOOGLE ALLOWS DARK PATTERN COMPANIES TO EXIST?
Feels like Google has some economic interest in keeping Pinterest alive?
I wonder who the coders are ... who said yes to implementing this feature ... instead of just walking out, knowing that programming is in high demand.
Let me introduce you to the beautiful US visa system, where an employee is bound to a specific employer, and the engineer quitting means having to leave the country ๐
Rough.
Americans know Chinese too.
I don't know, why?
Also, just, immoral people exist. And people who think "oh, it's not bad if we do it." Multiple issues here.
(I don't mean to downplay the visa hold. So much coercive power there.)
Funny that's a problem all over the place
It’s like this a bit everywhere in the world. It was the same for me in a large Asian nation.
I wish UK-based trade and immigration experts could take a look at this thread. And figure out what the future might hold for the UK post-Brexit re security and innovation. @StevePeers
It’s not just the US unfortunately.
I have been there ๐. It can get very stressful.
And this is not unique to the US by any means. Indeed, I can find no country which issues “work visas” offering perceptual residency. Might you proffer one example?
Not only US but, for example, Poland and dozens other counties. This situation creates a way to exploit immigrants. Companies can push them harder when they know immigrants will not quit because they will need to leave the country. I hate that.
Hence, big firms LOVE immigration. Sometimes small ones, too.
I know an Austrian startup that internally brags about preferring immigrants without family or any roots in the country.
Requiring visas for employment is anti-immigration. Just letting people in with no strings attached solves this problem.
You are really cruel when you lock your door and not let in strangers
And they can also advertise a low enough pay that no one will apply which they can then use as proof that they need to hire immigrants to fill the positions.
(Source: None, but do you believe they wouldn't?)
This is a piece of cake compared to what they do in Chinese apps LMAO, some apps literally pull your photos/files etc. and upload them to their servers without your knowledge
I wouldn’t think you could do that in China (which is where TikTok is from). Government be like “You unhappy with your job? Here, take this -42069 social credits and good luck finding a new one”
You've just made that up in your head
Yeah ... there’s just โจno reasonโจ a Chinese-made app with huge uptake in the US/West might do this.
I bet this is unrelated: cisa.gov/uscert/china
If morals - not opportunity - was the main driving factor in development, we wouldn’t have any ‘web3’ developers either.
SGTM
just different ideas about what's okay. i wrote taking pixels back in the day. abused etags and super cookies with the best of them. was fun. just seemed fine to me at the time.
I know them. They are these "monitoring experts" checking everything to have a beautiful dashboard.
They are Chinese state actors I don’t think they care lol
Does this replicate in Microsoft WebView2 ?
Amazing work Felix!!!
An it doesn’t allow you to go to a browser or copy the link
Nice find and great thread ๐๐ค๐ผ
This is absolutely why I avoid TikTok, it’s dodgy as hell.
if you avoid tiktok because of monitoring, boy are you in for a shock when you find about Microsoft, Amazon, Meta, Google and Apple.
InAppBrowser.com - a new tool I used to investigate the in-app browsers of apps (that use them) to look for any external JavaScript code being injected.
Tik tok is Chinese. Google, meta, etc is American. I think that’s enough for Americans to not want to use it.
In what possible scenario is American companies spying on people any less scary than Chinese companies spying on people? They are both equally terrible in every way.
Did you entirely miss the story from two weeks ago about Facebook selling out a teenager seeking abortion medicine without even a warrant? You CANNOT trust ANY of these companies.
This specific case has a warrant involved but there's established reporting about how this sort of thing is done without one.
Google, like Amazon, may let police see your video without a warrant
But there’s a reason someone asked.
theverge.com
And to get particular to the kinds of things people suspect/accuse the Chinese government of doing:
Five Eyes - Wikipedia
(no description)
en.wikipedia.org
There was a warrant, and the investigation was because they induced an abortion past the point it could survive being born, then burned and buried the body in their back yard. Not even the vast majority of European countries would allow that.
was tempted to retort but I'm just gonna block you for focusing on meaningless bullshit like the "survival" of a child's unwanted pregnancy.
Don't use Google
Main gripe with tik tok is that it's Chinese owned right? Hence why Trump attempted to get it taken down..however the others are US so it really depends on who you prefer to hold your data
(I could be entirely wrong though, mainly just assumptions) ^
And you trust US Tech companies becuase they are patriotic? There are no data privacy rules for this in the USA. Just because NSA and Trump says "Chineaaaa" doesn't make it any better for US companies. US needs GDPR laws like Europe, fine US tech companies for non-compliance
Like I said..it depends on who you prefer. Either way it's pretty shitty.
It's not just TikTok.
As you type this on twitter ๐
Wechat?
One more reason I don’t use TikTok…
This is part of a long list of suspicious activity by Tiktok from spying on users to inappropriately collecting children's data.
twitter.com/i/events/13103…
The way people demonise TikTok as if literally every single American company isn’t doing EXACTLY the same thing is kinda hilarious
China is the boogie-man to distract public from the real enemy. Big Tech needs regulation to protect customer privacy like in EU and Korea (GDPR, ISMS)
Ad business is billion dollars profit for Google, Facebook, Microsoft, Tiktok. Big Tech is not patriotic, they are the enemy ๐บ๐ธ
Yes but is the American company controlled by Xi?
it is controlled by zucky which is worse.
Does zucky have an army of million army ready for war?
If you don't like Facebook and TikTok then you can try $vorz
Cyber wars
According to the post they were replying to, TikTok was the only app that forces the tracking on you. It doesn't allow you to open links in a separate browser.
classic stupid tankie
This honestly doesn't surprise me at all. TikTok are the worst for this. I'm glad I don't use it.
You’re in @MacRumors.
TikTok’s In-App Browser Reportedly Capable of Monitoring Anything You Type macrumors.com/2022/08/18/fel… by @rsgnl
I deleted this app along time ago, for many reasons including This, but mainly it almost Completely Ruined My Life. I’m Glad I Deleted IT. FUCK!!! TIK TOK.
Muhammad Qasim has seen dreams many dreams about how Islam and Muslim ummah will rise again. How will this happen, and what needs to be done to get there? Many people claim he is the Imam Al-Mahdi. Learn more at DivineDreams.co
That's what I call meaningful hacking! Good work with relevant results. Kudos!
Great work!
By the way, Instagram doesn't provide a way to disable it's in app browser on iOS. It just gives you the option of opening your browser after you open a site in its in app browser.
Yes, thank you, I believe that’s what the blog post says, but let me know if I got it wrong
Sorry I was unclear. There's no way to "disable" the app browser on either IG or TT. IG just allows you to open your browser from the app browser.
I find it ghastly that there's no user choice for these apps, and I think it's up to Apple to enforce using SFSafariViewController
(No comment)
amazing
I'll just leave this here
Seems like a very big deal!!!!
Yikes tiktok's is especially bad because they make it almost impossible to open a link in an external browser ๐ฌ
Yes! This is so freaking annoying. Only app know of that does that.
It's news to me that there are links.
Of course, Tiktok has a pwa, so perhaps use that...not sure that helps though. Does it?
Not sure. Afaik the only links you can even click are ads and links in a bio
Can websites protect against this through the use of CSP?
Can prevent script execution if nonce is missing. Can restrict domain name for scripts. Can add SRI (Subresource Integrity check).
*log in
Wouldn't it open the PayPal app for any purchase activity? If it's in the in-app browser, they should be able to access every character typed.
Well, @PayPal?
Yes, it would. It'll snoop on users and allow username and password collection. Especially since PayPal doesn't use 3rd party logins with Google, MS, Apple etc. This is a loophole that needs to be closed by Apple and Google to stop keyboard event collection on 3rd party websites
Yes they can for sure
I've noticed that social media apps open all sites in their own browers even if you have the app installed, it has happened to me with reddit, paypal, social media apps that aren't from the same company (a link to facebook in twitter), and many more.
what I was walking about today
I feel like this can’t be allowed within the @Apple AppStore T&C?
On IOS if there is no option to escape the in-app browser (first screenshot), you can Long-press any link on the first page you do get, and use "Open Link".
It probably just always says that (static text, not detected), since it was developed with the concept of looking into iOS.
Ruh roh, Raggy!
The fact that I just read that post in a Twitter web view seems relevant.
This is hard to me to get but this mean andriod are safe or not?
It is always worse on Android due to its security model.
Interesting project!
I want to ask an end-user question. I hate it when Gmail opens an in app browser (it’s annoying) so if I click a link I hold it down and choose Safari. Does this prevent the issue?
I always figured TikTok was bad news.
Would love to know how this slipped through the cracks at Apple. Been wary of in-app browsing on Android.
No doubt there'll be "we didn't do anything, we won't do it anymore" plastering over the cracks crisis management PR—but fuck that.
Wow— this is why I’m not on TikTok tbh, though I couldn’t have spelled out what they’re up to
It explicitly says they can't know what tiktok uses the information for. You know "what they're up to"?
If you don't know, then you don't know. Best not to make shit up, I'd suggest.
Don’t you see how not knowing, or not knowing it’s even happening, is in in itself the issue?
That's not what I'm on about. He said "I couldn't have spelled out what they're up to"...and neither did the article he was referencing. They said exactly that they also couldn't...but it seems like he assumed it was known what they did with it.
Where did Borsephine “assume” it was known?
Regardless, there is a very obvious issue here whether or not we know what they do with it…
You're right. I'm wrong. I added 'imagined' emphasis on the 'I' in:
"I couldn't have spelled out what they're up to"
which I took to mean that he thought they could.
I don't want any company logging my keystrokes on a site they don't own. That's not information they need to know. I don't care what they're using the data for, they shouldn't have it in the first place.
I don't think it matters what they do with it. The fact that it is collected means it could be hacked, at least.
Frankly, if I were American, I'd be less concerned about Tiktok than any of the others...though I guess they're all equally as likely to give it to the CIA/etc.
Yea, I agree with that… the problem is the fact that it’s collected/recorded (whatever you want to call it) at all
If tik tok can get it they can be forced by the CCP to turn all information into the government for any reason or have corporate leaders sent to prison. A communist government having all of their hackers working is alot worse than the cia. CIA leaks like a sive can't keep secrets
TikTok says “yeah our app can raid your private data but we don’t use it for anything bad”. So I guess nuthin to see here. ๐
IOS only folks. Toss your Steve Jobs China Spyware where the sun don't shine.
What law has been broken?
Why are the major app stores still allowing this app? Shut it down.
๐คI tried this on my Android 12 phone, and regardless of Twitter, Instagram, and FB Messenger, it says:
โ
It looks like you're opening this page on a third party iOS browser.
What does it use to do this check? Wouldn't the browser user agent show what OS it's running on?
I realise reading your blog post that this is targeted at iOS users, but is there any reason it can't support Android as well?
Android has both WebView and Chrome Custom Tabs, the former does support code injection but the latter does not.
Yep, it does. I think it's a loophole that Google and Aplle should close. Google doesn't block this feature, because it allows them to track user activity on 3rd party sites, which improves their advertising metrics about users. Do you trust Google to not abuse password snooping?
If we're putting the tin foil hat on, Google wouldn't need to allow app developers to inject JS into pages to facilitate their own tracking.
As Chrome is the default browser, and also default WebView (much harder to change) on Android, they already have the ability to do this.
Chrome team is different division to other teams. Chrome is mostly open-source, so Google won't add dirty logic, so developers can see it on Github
Not tinfoil hat, just knowing the dirty side of Web tracker business. There is an ecosystem of companies selling user profile info
Only reason is that I don’t have enough knowledge & experience in the Android world to talk about it.
InAppBrowsers should be disallowed
(No comment)
What and you think Twitter isn’t tracking you?
Where does this look like a keylogger at all? The onclick and onkeydown events are innocuous. I’d like to look at the code plus check what’s actually being sent online with wireshark
Haha, oh
People will always find an alternative even they banned tiktok soon $vorz
Exhibit A on why I always open stuff in safari as soon as possible
As a 1Password user: can they also see pasted passwords?
(No comment)
Any plans for android version?
(No comment)
he wants apple and playstore to ban it fast, that's the solutions
very interesting read. i have always hated in-app browsers, now i hate them even more.
(No comment)
"Can in-app browsers read everything I do online? No! They are only able to read and watch your online activities when you open a link or ad from within their apps." - I suggest this point gets rewritten: "Yes, if you are browsing through the in-app browser they technically can."
I suggest this because the FAQ is specifically mentioned to be for non-techies, and the context of the question reads (to me) as they are asking about in-app browsers specifically.. and in that context, the answer is more a "yes" than a "no". It definitely isn't a "No!" :)
mira esto...
(No comment)
Mind giving more details on the event listener callbacks? Are they sending logs somewhere?
Better to find an alternative if you don't trust those apps anymore. Lots of them out there anyway $vorz
Great work Felix ๐๐
The details of this are beyond me, but it does sound concerning. Thought you should see it.
A lot of alternatives to choose from if you don't like your identity and infos stolen. $vorz
(No comment)
Great work . I had always suspected this and normally copy the URL and go to another browser , but I suspect I might have missed it once or twice . I guess it’s ‘change your password’ time ….
abi Bi bak
(No comment)
Hi, Your thread is ready to read. ๐ฅ New Post: Announcing InAppBrowser - see what JavaScript commands get injected through an in-app br rattibha.com/thread/1560370…
Have a good day!
Did you find anything alerting for Twitter?
Is this supposed to work on Android in-App browsers too?
Not entirely sure, but my guess is that this applies to Android as well, yes. Lots of apps are Good Citizens and use Chrome Custom Tabs (CCT), which actually uses the default browser engine of your choice to render a site.
...
The "Chrome" in CCT is badly named btw... It wil use FF if that's your default.
No injected scripts and other shenanigans, and it comes with all cookies, user sessions, settings, extensions, etc, as you have them config'ed in the standalone browser.
(No comment)
In-app yowza
InApp browsing is profitable for USA Big Tech and helps NSA. Big Tech will always find new loophole, no point making tech recommends. USA needs is stricter customer protection legislation, like GDPR or ISMS. Why trust US Tech more than China Tech? Big Tech is not patriotic ๐บ๐ฒ๐ดโ ๏ธ
1) Chine tech is ownes by Communist Party, 2) In China, you d “dissappear” if you revealed such feature
3) Totalitarian regimes are at cold war againts democracies
From what I can see with those event listeners, their code block is already run through an obsfuscator, so this feels kind of gimmicky like, an antivirus telling you all they did to protect you when there isn't a way of knowing. Am I wrong?
Ah bah ça aussi du coup ^^' @Foxmonsieur
Do CSP headers prevent this behaviour? We spotted Facebook js in CSP logs a few weeks ago - is that enough to prevent this?
It's probably wise to see if your page can detect an in app launch by sweeping for injected functions and refusing to work if launched in app.
I would also argue CSP will not work as the launching app probably uses WebView and has you by the short and curlys
We do see FB JS in CSP report logs, so at least some is blocked.
I think it should actually work
wow this is game changer
The code exist is tracking you but they "don't use it" how the f*ck is this? They have your data but not use for the moment?
Do they actually *transmit* these taps and keystrokes to TikTok's servers (which would be very bad), or are they handling them locally for user interaction purposes (which would be normal and quite probably harmless)?
What do you think? Seriously. Where morally neutral tech can be used for harm, just look at Xinjiang Province. Face tracking, gait tracking, enforced state malware on phones, drone surveillance, censorship firewalls…
all of this exists in the US too…
Even if they were doing the latter, I’d want that shit to be off by default.
What are they doing with the collected data?
Sending it to their servers?
Thank you for this work. While most would say they have imagined this would happen, seeing how this actually happened is what people needed for raising the awareness.
Hi, do you plan to analyse in the same way javascripts that are injected to pages in actual browsers like Chrome, Firefox, Opera, Vivaldi, Safari, etc.?
When is TikTok finally going to be banned as an illegal foreign power mass surveillance tool?
this feels like a major story to me.
Tiktok malvado, pero cuando lees haste el final resulta que instagram, Facebook, WhatsApp, Twitter, Slack y todas las demás hacen lo mismo...
in-app-browser === man-in-the-middle
the confirmation at the end tho
Doesn't Facebook basically do the same thing to sell your data?
Felix, thanks for adding to my paranoia!
Worrying.
A little worrying.... @karaswisher @profgalloway
If an app called native browser instead of in app browser is it safe or need to be checked too ?
Brilliant idea
Is this IOS related only or Android also?
isso é mesmo verdade?
parece que sim, saiu até na forbes
Danou-se, Madalena!
Severe violations of privacy
(No comment)
Hi, Your thread is ready to read. ๐ฅ New Post: Announcing InAppBrowser - see what JavaScript commands get injected through an in-app br rattibha.com/thread/1560370…
Have a good day!
Big techs can get away from infringing a person’s data privacy rights and exposing us to risks. Everyone needs to be mindful and learn more about how to protect their data. Read more on our blog and know exactly what these companies do to your data.
Why Companies Invade Your Privacy | Internxt Blog
Is online privacy dead? Why companies infringe on your privacy, what kind of information Big Tech collects, and what they do with all that data.
blog.internxt.com
This thread is saved to your Notion database.
Tags: [Inappbrowser]
Apps that open links in anything other than the system's default browser are an instant red flag, especially if they want you to log in to anything.
How can this even be tolerated? Thanks for sheding light on this, this must hit the broadest audience possible
WKWebView should be restricted to a set of domains like make your own HTML look native only. It also breaks Apple Pay and app deeplinking which makes Safari VC the friendlier choice.
Possibly a good reason to use password managers that auto-fill fields as it's a verification tap instead of tapping out login info on the keyboard.
How much of this is valid for Android and why everything? \s
Wait, I thought Apple didn’t allow engines other than WebKit for “security reasons” ๐ซ ๐ซ ๐ซ
it would seem apps can inject code into pages despite that
So much for the App Store app review process
The AppStore and app review *is* good for you in nearly all cases, no matter what DHH or other self serving millionaire/billionaire whiners say.
But don’t worry, EU will force Apple to allow fully native third party web engines soon.
Then no amount of app review will help.
Good piece of kit. Thanks.
bien tiktok du fbi chinoix !
The government, and a lot of criminals, can probably do the same. You can't hide anything. TikTok is awesome, at least you'll get somethin, the gov won't give you anything.
Do you know anything about the in-built browsers that appear on Android on apps lime Reddit, Facebook, Instagram?
Stealing users privacy ๐คข nothing is safe no more
(No comment)
woah menon u have given gold
A detailed look at how Facebook and Instagram opening links in a custom in-app browser on iOS lets Meta track every interaction, including entering passwords (@KrauseFx)
krausefx.com/blog/ios-priva…
A detailed look at how Facebook and Instagram for iOS open links with a custom in-app browser, letting Meta track every interaction including entering passwords
Felix Krause: A detailed look at how Facebook and Instagram for iOS open links with a custom in-app browser, letting Meta track every interaction including entering passwords
techmeme.com
do you have a link to a profile with a clickable link to inappbrowser.com? I don’t use TikTok very much, but it seems that their WebView is only activated in the profile page, but my profile doesn’t let me add a link do bio (even after setting it as business profile)
I don't actually. The way I was able to open inappbrowser.com in TikTok is to open random bio links, look for a Facebook icon or link, login on Facebook, and have the URL posted on there, to click on
Why didn't you mentionne Twitter and Google in you list of apps while by default their apps also open links with InAppBrowser?
Wait ...
Oh I see. By a coincidence your are an old Twitter and Google worker.
๐
Credibility = 0
Yeah fuck tiktok, I deleted that app as soon I actually read the terms and conditions. Too much info given to China, no thanks.
Don’t need to inject anything when using iOS I think. WKNavigationDelegate gives me every website someone taps upon. Not sure if you can get every keystroke.
hackingwithswift.com/example-code/w…
Is this why so many apps these days try to act as a browser rather than transferring you over to your standard phone browser when you click on a link?
Now do Arrivecan app!
Damn boy
Is there a difference between this functionality and what is necessary for collecting analytic data for UX research purposes?
(No comment)
No wonder india banned it
๐ Absolutely horrifying!
(No comment)
Dude just scanned his hole phone? :D
We need comprehensive information on how to block these apps entire from networks! I already started adding some IPs to my lists, but that doesn't seem enough.
Just do what @NipseyHussle saw ๐๐ฅ
๐ฅณNew platform to make money without investing!pay €5 on registration and you can withdraw, note the €5 bonus is only given once. Minimum withdrawal is €10
go.fiverr.com/visit/bta=4767…
Great post Felix ๐๐๐
Any chance you can add a column grading the quality of the privacy policy with a link (or GDPR compliance)?
My guess is all would fail horribly but that feels like the right way to be sure of the privacy of the data (and maybe a good number of complaints to the EDPS are needed).
Those JS API's look like what I'd have to listen to to implement any of:
- Autofill
- Protect against phishing of account credentials
- Measuring engagement for ranking of shared content
- (and lots of nefarious uses)
Given GDPR covers all use cases of user's data, including apps, should users be notified when launching the app an be able to opt-out of anything that isn't on-device (and have granular detail of what is done)?
The privacy policies should also call out explicit uses of data rather than the generic "data will be used to improve the user experience across our suite of apps" that lawyers and product people like to use to cover anything they might accidentally be doing with it.
Gosh, good thing there are such stringent app reviews by Apple.
Lies the Chinese never spies!
(No comment)
(No comment)
Gracias!
It’s all in the article
worth a read cause I know you and ole boy use TikTok
I know it's a social media link but this has research and documented evidence in the chain.
This is a great article. Thank you sir.
This thread is saved to your Notion database.
Tags: [App, Security]
For fuck's sake, stop downloading apps.
Twitter's website is perfectly fine on mobile, as are most web forums, HomeDepot, Walmart, etc.
Yes webpages have all sorts of tracking shit on them, but much less so than an app that may be using your location or mic in unexpected ways.
Like I'm just so so so so shocked. Who'd have thought free apps might invade your privacy and do things like record keystrokes and things you click on, through interfaces you've granted them full permission to control!
DAMNNN
I'm amazed and very surprized Apple allows this. Seems like a security nightmare. Android, I'm not that shocked. What's the 'legitimate' use case for this?
looks like they're still up to their old bullshit from back in the day when I was looking into this to try to convince my kids to leave this shit alone.
GAaahhhhhhhhh. Thanks for the tag. I try to avoid using the tiktok browser and looks like I was correct to not trust it lol ๐
Is this happening in Android too?? Super neat analysis you did here!!
Can apple do anything about this? Surprised this made it through their QC team. I thought they did vigorous checks of app code submitted to the app store
Thanks for the share ๐ Great info
Yo @OracleCloud - get the team that’s auditing TikTok’s security to fix this ridiculous behavior.
Hmm, those "conspiracies" seem to have been right again...
(No comment)
(No comment)
Not surprised,when something is free you are the product.
I maintain the mindset that anything I do with technology is being scraped for data.
I appreciate the insight towards what apps are not fulfilling their full evil potential. It's hard to know what's safe to use. This kind of info is vital to enable consumer choices.
Thanks!
We need noscript for webkit
You sir are doing God’s work.
My team ran into this last month when our app stopped working in the TikTok IAB. I cracked open their IPA to get a look at what they were running and was shocked. Glad to see attention being brought to this. TikTok calls it "Slardar" internally
tiktok payload
tiktok payload. GitHub Gist: instantly share code, notes, and snippets.
gist.github.com
considering tiktok used to copy all contents of the clipboard, this does not surprise me at all.
every day, I am happy I have never used tiktok
The aggressive fingerprinting techniques that you talked about 1+ years ago @andyyang
TikTok has always been key-logging any way they can, not only when hosting a web browser in their own app but trapping keystrokes in all other apps through clipboard!
TikTok keylogging iOS’s Clipboard
Thanks to iOS 14's new Privacy features, Apple possibly shows that TikTok is grabbing iOS's clipboard unnecessarily.UPDATE: As of version 17.3.0 (1730120) Ti...
youtube.com
hard to believe what our generation is willing to accept - one day we will look back and scratch our heads and ask ourselves how come.... #privacymatters
Everyday another troubling discovery abt TT. So glad I do not use that data harvesting app.
Zuckerberg truly ruined society.
thanks chinese government
In cyberspace assume you're already hacked!
And you will be okay!!
๐ช๐บ๐ฎ๐ธ๐ฒ ๐๐ถ๐บ๐ฒ๐ ๐ฝ๐ฟ๐ฒ๐ฐ๐ฒ๐ฑ๐ฒ๐ป๐๐ฒ๐ฑ๐ชจ@that_one_Him
It never felt right when an app, that was obviously not a browser, started handling links that I expected my browser to
(No comment)
If the app is deleted does it still track and spy?
For all the people saying US companies do the exact same, the difference is that people have actually monitored the data output rate for all of them, and Tik Tok actually shows signs of using these abilities for full key logging, at one point even outside the app, unlike here.
Also, warrants have exposed what they've taken and know, but TikTok data ends up on CCP servers which answer to no other government, and actively disappear student protestors. (We know this because of the "lovely" people at Vice who fail to protect the data of their interviewees)
In that case it was due to the phones themselves being compromised, making peer-to-peer like Signal not secure, but is an example of what they do with people's info when they get it. Multiple times, *poof* right after talking to Vice.
Check out @OrdinaryGamers on YouTube, he does a good dive into Tik Tok (cybersecurity channel, not gaming).Also, Naomi Wu from YouTube discussed the Vice here, on Twitter, for what happened to students and her own experience.
I can't link to her because of a block, lol (She's very liberal with them, admittedly out of excess caution, though I earned mine over a difference of moral opinions regarding guilt by association and separation of personal and work conflicts).
Trump was right
Doesn't matter for me, I won't trust the app especially like TikTok. I never used it before, no plan for use it either.
Lol tiktok is the new Facebook but it’ll only take some time before you guys start hating it too
(No comment)
Do they send these anywhere?
(No comment)
Your site displays event listeners being used, but can you show what the event listeners are actually doing with the events?
Would love to see a similar analysis of WeChat....
I have deleted my account already :)
Glad never use my private credentials in their apps
the TikTok theory by Jason keeps going๐
Amazing work Felix! ๐๐ป
๐๐ซ
Sometimes I wish I was wrong about these things...
twitter.com/wallet_guard/s…
โ ๏ธIS TIKTOK SPYWARE? โ ๏ธ
- Short Answer: Yes.
Discussion Points:
๐ฒ Applicable to both Web2 & Web3.
โ๏ธ War on Privacy.
๐ Get your Tin Foil hats ready as we dive in.
Not surprising. The CCP wants everything they can get.
A read fa sho
iPhone tip. Because TikTok browser doesn’t let you eject to full safari I’ve screenshot links and uses iPhones text detection on photos to go to links via safari.
Amazing thread/post! Thanks for the deep dive and sharing this super important insight. Hopefully folks will start to become more skeptical of a massive social network not properly governed by a body that cares at all about privacy and security. Blows my mind people use TikTok.
This is in all tracking apps
This is insane. Serious crazy. @POTUS should #bantiktok right away.
Would this extend to catching keystrokes in a password manager like Keypass/LastPass/etc used to login to a page inside an in-app browser?
iOS is pretty secure since each app runs on sandbox, it’s only when you do your activity within TikTok. Anyway I don’t see that it’s a big concern of security, listening to events doesn’t mean you can capture the values.
Uninstaller TikTok people!!!!! JFC!!!!
Mr @KrauseFx can you please see if discord is like tiktok or no , for me its SUS ๐ง๐ค
Injecting JavaScript into the in-app browser is not necessarily problematic. Has anyone actually tried inspecting the network traffic so see if it’s malicious, or are we just going to continue the “TikTok is CCP spyware” narrative without evidence?