See what JavaScript commands get injected through an in-app browser

4 years ago (krausefx.com)

In-app browsers are a huge mess and a security/privacy nightmare. Browsers implement a security sandbox. In-app browsers break and circumvent this threat model in nasty ways. I hope this gets the same attention as cross-site scripting (XSS) attacks and that browser engines implement strict countermeasures by default, locking WebViews to the equivalent of an Incognito/InPrivate tab.

I always hate in-app browsers and always reopen them in Safari, for UX reasons. Now I hate them even more, with even stronger reasons.

  • Yeah - I never want an in-app browser. I wish it could be broadly disabled at least as an option, though I'd be fine with Apple just removing the capability entirely.

    It's particularly annoying with account cookies and such when I'm already authenticated in the normal browser.

  • Unfortunately I think they’re very popular with unsophisticated users. I’ve heard stories about companies getting a ton of support emails because someone clicked on an article link shown in $someApp, the user was booted to Safari, and didn’t know how to get back to where they were before.

    I’ve heard of developers adding the in-app thing despite hating it personally just to reduce the support burden.

    • I’m more of GP’s mindset, but I’ve often wondered how many people would become lost the way you describe if my preference was the default. I have the benefit of knowing distinctly when I’m navigating from app to web, but I can relate to being disoriented navigating between different types of views within a given app.

      There’s the tiny “back button” in iOS that takes you back to an app which triggered an app context switch, but it’s barely noticeable and barely reachable on most current iPhones. I swipe between apps even when I do notice that. But I’m not sure how widely it’s even known you can swipe between apps.

      (For anyone reading who doesn’t know, if you have an iPhone without a home button, you can swipe left/right on the space right at the bottom of your screen, where you normally would swipe up, and it’s like the cmd/alt+tab default. You can also do this on the URL bar in Safari to switch tabs, if you stick with the default bottom URL bar.)

      1 reply →

    • The solution here is for the company to make a proper help page explaining that, then respond to all the support emails with a link to the help page.

      No need to poison the well for everybody else due to wanting to avoid a "support burden."

      My own product/company has a few common issues like this, and the help page strategy works fine. Answering emails for these types of things is not a big deal as long as you have stock answers/pages prepared.

      1 reply →

    • If you navigate out of an app iOS adds a ‘back’ link on the top left of the screen automatically. This is not going to cause ‘a ton of support emails’; your stories probably are from versions of iOS when they didn’t do that, which is so long ago I couldn’t even find how long.

    • iOS makes this very easy where every app launching another provides a link in the top left. I find it hard to believe users of tiktok and snapchat with their weird hidden/discoverable functionality of swiping from different places would have issue with the button that says "< snapchat" at the top.

      But ok, let's say I am giving too much credit to people. Just put a setting in to use the default browser for those of us that want it?

  • What really annoys me is that Facebook messenger used to offer an option for how to handle external links, but removed it in favor of one of these in-app browsers.

    It’s quite clearly a user hostile decision, but they presumably did it for all that activity tracking they can do.

  • It seems like there should be a setting to make this the default. Sometimes I'll navigate a bit within the in-app browser after clicking on a link from like Twitter or something, and I'd much rather it pop open Firefox or something that I can actually trust. Now it sounds like Apple and Google should start putting warnings on these things by default, yeesh.

  • I'd like to add that I haven't been able to find a way to escape the TikTok in-app browser on Android. There are no buttons, not even a URL bar to copy from.

They're going to heavily lock down WKWebView after the Instagram and TikTok revelations, probably in iOS 16.1. They may even remove it entirely and force people to use SFSafariViewController (heavily locked down web browser, opaque to developers other than the URL). Best of luck to anyone who was using JavaScript injection for legitimate purposes; others have ruined it for everyone by abusing user trust.

  • I highly doubt this will happen. There are a ton of apps that use things like Cordova or Capacitor (usually for cross-platform purposes).

    What I could see them doing is making apps declare URLs that they need access to. Basically, you get full functionality on declared URLs, but if you are just using WebView for a "generic" in-app browser you lose the ability to inspect random pages.

    • > What I could see them doing is making apps declare URLs that they need access to. Basically, you get full functionality on declared URLs, but if you are just using WebView for a "generic" in-app browser you lose the ability to inspect random pages.

      This is exactly what I'm expecting, because that's how they've handled other similar restrictions. Becoming a full on web browser with the iOS 14 web browser entitlement will probably be the only way to not be bound to a list of URLs, and they don't hand that entitlement out willy nilly.

  • Wouldn't a simple solution be to require apps that aren't browsers to list a limited set of domains they're allowed to access? Then you could use the WkWebKit view for your app, but you couldn't use it to allow the user to browse the web.

    Browsers would get a pass, where Apple would come up with some rule, but clearly the Instagram app, the Facebook app, the TikTok app, the Gmail app, the Google app, are not browsers, whereas Firefox, Chrome, Brave are.

    • iOS already has a method to associate websites with apps but I see some problems with this approach.

      1) If you go with the "associated domains only" approach that requires proof of domain ownership (usually through adding TXT records to the zone files), you lose the category of apps that function by transferring a session of a website into the app. This is a popular approach for reader apps that don't have an official affiliation with the website they interact with, or where the website doesn't have an API for a direct app connection.

      2) If you go with the route of pre-defined domains that might not be officially associated, you fix the problem in the first point, but you also create an attack vector to scoop data from targeted websites. For example you could collect data from Reddit, Facebook and Instagram. Three websites only, but more than enough to cause headaches.

  • IMHO the proper action would be to put the script injection and data access capability behind a user consent prompt.

    "TIKTOK WOULD LIKE TO READ AND MODIFY THE CONTENTS OF THIS WEBSITE - ACCEPT/DENY"

    For legitimate reasons, the app can inform the user about why they need to do this and the user can accept that and even better, they can implement legitimate APIs.

  • I’m not sure they can.

    While SFSafari is a much better choice for what the apps are doing here, WKWeb has legitimate uses.

    I suppose Apple could lock it behind an entitlement, but that would take a while as WKWeb is already very prevalent and people won’t replace it on short notice like a point release. Even iOS 17 seems fast.

    Plus there is the general power issue. Apple could have done many things over the years to FB (and IG) but they’ve been treating them with kid gloves because those apps are so important. You can definitely add TikTok to that list.

  • In an app I'm using postMessage and JS injection to communicate between our in-house HTML/CSS content (due to what we're building, we had and still have many legitimate reasons to code that way) to seamlessly integrate the native side and the dynamic HTML views.

    Any change would be a huge nightmare for apps like ours, potentially impacting many other apps as well.

  • Apple started moving in this direction in 2020 with the introduction of App-Bound Domains[0]. These are currently opt-in, but I have always expected that, just like with HTTPS adoption, they'll start enforcing this more strictly. With App-Bound Domains an app specifies ahead of time which domains are app-bound and should allow injecting JavaScript etc.

    I expect app-bound domains to become required for all apps in iOS 16 or possibly iOS 17. There will probably be a limit and some review on which domains an app can specify as app-bound. Web browsers that use WKWebView already have a special entitlement that excludes them from this.

    0: https://webkit.org/blog/10882/app-bound-domains/

  • Locking down in-app browsers seems like a reasonable trade-off. Kind of surprised it wasn't the case before, since browser extensions have had site permissions for ages now.

    One could just follow what browsers do for extensions: have the developer specify a list of all the hostnames that they want to enable script injection on in a manifest, and ask for permissions at the start. Anything not on the list must be loaded via a sandboxed browser.

    Keeps legitimate uses functional while preventing broad script injection.

  • +1 thanks for the info - it makes sense that Apple would try to mitigate this on their platform.

    I use Apple’s new Lockdown Mode on the beta iOS 16 and iPadOS 16. I generally like it. It largely disables arbitrary JavaScript, as far as I know. A few times a week, I will turn off Lockdown temporarily for a few minutes for a web site if there are any problems. This is usually Amazon.com’s Kindle preview feature.

    • Lockdown mode is a security measure and not a privacy one.

      It disables JavaScript JIT compilation, which makes it slower but more secure.

      It should not disable any JavaScript execution itself.

    • Do we know if lockdown’s JS protection applies to apps using WKWebView? That could flat out break a lot of apps.

      I thought lockdown mostly applied to system stuff (including Safari).

  • I hope they leave means of communication available. Something like window.postMessage. Like how Chrome extensions can expose a limited part of the Chrome API to webpages so they can post messages to certain extensions, without needing to inject anything into those webpages.

  • I hope it gets locked down further just like how Apple introduced App Tracking Transparency, to further reduce and make it harder for data collection like this so that it is not open to abuse, not just this but in all of iOS in general.

    Whether it is collecting biometric data, voice prints, reading the clipboard, collecting information about local network devices, or now abusing the in-app browser to further collect user data, the same social networks will try anything to abuse the iOS system to collect as much data as they can.

    Given that Facebook did the exact same invasive actions and was fined in the billions, there is enough evidence of these invasive data collection practices that TikTok has done over the years to be worthy of a multi-billion dollar fine.

    There are no exceptions, excuses or any room for double standards.

I can’t quite figure this out: it sounds like if you click a link in someone’s TikTok content, the in-app browser can read any text entered on that site using the in-app browser. Does just not entering any keyboard input in the in-app browser mitigate this?

Does Apple Lockdown help in this situation? I thought that typical TikTok use just involved scrolling and watching video content. Are users who only view content subject to this security flaw?

Thanks in advance for any clarification.

Also, off topic but doesn’t YouTube’s “Shorts” take the place of TikTok? I have my Google privacy settings set so YouTube can store my viewing history for one month so I get reasonable recommendations. Does TikTok have similar settings?

  • They do a lot more than that.

    > TikTok iOS subscribes to every tap on any button, link, image or other component on websites rendered inside the TikTok app.

    > TikTok iOS uses a JavaScript function to get details about the element the user clicked on, like an image (document.elementFromPoint)

    And that's just a sample of the calls the author was able to find.

    • This seems perfectly reasonable btw. The extension to the in-app browser existing and logging non-tiktok browsing is troublesome.

      Perhaps Apple should ban in-app browsers? But what about Safari? Apple itself collects and benefits from Safari data for its ad product

    • If I built an analytics company and built a product that my customers could use to "analyze" their users' activity, it'd almost be total neglect on my end not to include common tracking mechanisms that are well documented, like simple event hooks in JS. I really don't get the rage against TikTok.

      What they do that is publicly known is not bad. Maybe there is something bad they're doing, but these random HN top stories are not it. If the NSA/US govt really wants us to avoid TikTok, it needs better convincing than "omg they're stealing the x,y of your finger when you tap on an image."

      18 replies →

  • Apple exposes two ways to use an in-app browser. One is a legacy method that gives you full control, the other gives the user a sandboxed browser with no interference from the app.

    TikTok isn't the only app abusing this. Instagram and Facebook will both do sneaky things like respond to the content of the page you're browsing (asking to save passwords in their own private keychain, showing context specific information, etc.)

    -

    You're not exposed to any of these if you don't open a link inside the in-app browser.

    The most common reason to click a link in their in-app browser is an ad... so obviously TikTok, Instagram and Facebook are using the in-app browser to track your interactions after the ad click and sell the data.

    • Apple needs to give us power-users the option to decide whether to load such web contents (in apps) in either SFSafariViewController (sandboxed) or WKWebView (fully exposed). This is especially critical when, for example, payment processors load your net banking portal inside apps (a common mode of online payment in India) - unless it is sandboxed, the app and / or payment processor has complete access to your netbanking credentials.

  • >> Does just not entering any keyboard input in the in app browser mitigate this?

    Yes, but I doubt the hundreds of millions of users, many of whom are children, know this.

    • To play devil's advocate... the most common way to end up in the in-app browser is to click an ad.

      Non-technical people don't have a concept of "in app browser sandboxing". In their minds they clicked on an ad, they're still inside TikTok, TikTok's UI is showing, TikTok will show prompts based on the content shown... they probably assume TikTok has access to that page?

      Honestly I'm more annoyed that Apple allows big apps to use the loophole that is the legacy webview than I am that TikTok uses that webview to do the exact single thing it's good for... having full control over the web content you're showing in app.

      7 replies →

The shitty code injected generates a ton of errors. After initially being super annoyed about the noise in our exception reporting, a bright spark observed that it may also be used for detection and user protection, albeit only for our own users.

Can websites protect against this through the use of Content Security Policy (CSP) [0]?

[0] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

  • It might make it much harder to inject stuff, but since the apps control all aspects of the embedded browser and CSPs are enforced by the browser, they could feasibly just disable CSP enforcement and have the embedded browser ignore the CSP.

    • I don’t think Apple gives access to the CSP or a choice in obeying it. I’ve been working with WKWebView recently and don’t remember running across it.

      Now you could go really far to get around it. Request resources yourself and hand them to WKWebView directly so no CSP is served but that’s not going to be easy. You’d have to scan for any other resources that might get loaded, pull those, inject them correctly, etc.

      Seems like it would be very fragile.

      1 reply →

  • CSP protects against an XSS threat model, but once the attacker has control of the browser itself, defeating CSP is trivial since you can just decorate scripts with the nonce string (or equivalent).

    • On iOS you still don’t control the browser in an app, Apple limits what you’re allowed to do. I’m not sure you can disable CSP. See my reply to your sibling comment.

I'm just curious, there are plenty of 3rd party full-featured browsers based on WKWebView that are injecting tons of JavaScript into all pages and basically doing the same as in-app browsers. So what's the difference?

  • The article actually mentions those:

    > [...] they use JavaScript to offer some of their functionality, like a password manager.

    Basically a 3rd-party browser needs to use JS to offer any features or real benefit over simply using Safari. But as a TikTok user you have no benefit when all links open inside the app with tons of custom JS injected that seems to be mainly for tracking you.

Apple and Google have guidelines about what apps are/aren't allowed to do if they want to be on their app store.

"Protecting the user" is supposed to be one of the reasons they take a 30% cut of all in-app purchases. Apple even uses this as an excuse not to allow side-loading apps.

How are they not blocking this?

  • Thought Apple was the bastion of consumer privacy. Apparently removing TikTok, though, is not commercially beneficial for them.

    Not to mention the elephant in the room: Apple Finds Its Next Big Business: Showing Ads on Your iPhone https://www.bloomberg.com/news/newsletters/2022-08-14/apple-...

    • Apple hashes and sends over wire every bin you run, if that's a 'bastion' then RMS was right.

    • Ads and tracking aren’t inherently linked, it is possible to have one without the other. That’s allegedly what Apple is doing, so it doesn’t clash with the privacy commitment.

      Even so, I disapprove of Apple’s forays into ads and wish them swift and hard failures in the area.

  • Google isn't blocking this because it would be a silver bullet to FTC for aiding Youtube. Apple isn't blocking this because they are beholden to China.

Is there anything website owners can do about this? I've seen many web games, including my own, embedded and surrounded by adverts (see dordle.io, wordle-unlimited.io). Simple permissions like X-Frame-Options won't work since they're proxying everything onto the same origin. I've thought about checking after a few minutes whether the user is on an embedded DOM and then asking them to head over to the real site.

  • No, the browser is the "user agent" and decides what to do. The problem is that in this case TikTok is the browser and does what they want, not what is good for the user.

    It is actually quite a hard problem. The App Store does ban third-party browser engines so maybe they can add a restriction that apps can only inject code into verified domains. Surely a few legitimate use cases would be lost (IDK apps that let you annotate websites or something) but it may largely mitigate this issue. Maybe there can be a permission or a review entitlement that allows this for valid use cases (as decided by Apple of course).

    • Among other things my content blocker for iOS will display a page in a WKWebView they injected scripts into.

      It makes it so I can easily select and refine which HTML element I want to add to a custom blocking list.

      I think that would be impossible without this.
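As an added example (not code from the thread or from the linked article), here is a site-side heuristic for the web-game owner's question above: guessing from the user agent whether the page is being shown inside an app's embedded WebView rather than a real browser, so the site can offer an "open in your browser" hint. The user-agent tokens it matches are assumptions drawn from commonly observed strings, and the sample user agents are constructed.

```javascript
// Added example, not from the thread or the article. A site-side heuristic
// that guesses whether the page is rendered inside an app's embedded WebView
// rather than a stand-alone browser, so the site can offer an "open in your
// browser" hint. The user-agent tokens are assumptions drawn from commonly
// observed strings; vendors change them, so treat a match as a hint, never
// as a security boundary.

const IN_APP_MARKERS = [
  { app: "facebook", pattern: /\bFBAN\b|\bFBAV\// },
  { app: "instagram", pattern: /\bInstagram\b/ },
  { app: "tiktok", pattern: /musical_ly|BytedanceWebview/i },
];

function detectInAppBrowser(userAgent) {
  const ua = String(userAgent || "");

  // Explicit app markers appended by the hosting app.
  for (const { app, pattern } of IN_APP_MARKERS) {
    if (pattern.test(ua)) return { inApp: true, app, reason: "app marker" };
  }

  // iOS WKWebView: WebKit engine and a "Mobile/<build>" token, but no
  // "Safari/" token, which Safari itself appends.
  const iosWebKit = /\((iPhone|iPad|iPod)/.test(ua) && /AppleWebKit\//.test(ua);
  if (iosWebKit && /\bMobile\/\w+/.test(ua) && !/\bSafari\//.test(ua)) {
    return { inApp: true, app: "unknown", reason: "ios webview signature" };
  }

  // Android System WebView marks itself with "; wv)" in the platform section.
  if (/\bAndroid\b/.test(ua) && /; wv\)/.test(ua)) {
    return { inApp: true, app: "unknown", reason: "android webview signature" };
  }

  return { inApp: false, app: null, reason: "no webview signature" };
}

// Text a site could show in a banner; spelling out the URL matters because
// some in-app browsers offer no URL bar or "open in browser" control.
function openInBrowserHint(detection, pageUrl) {
  if (!detection.inApp) return null;
  const who = detection.app === "unknown" ? "an in-app browser" : `the ${detection.app} in-app browser`;
  return `You are viewing this page in ${who}. For a private session, open ${pageUrl} in your regular browser.`;
}

// Constructed sample user agents for the stand-alone demo.
const SAMPLE_UAS = {
  safariIos: "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6 Mobile/15E148 Safari/604.1",
  wkWebView: "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148",
  facebookIos: "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [FBAN/FBIOS;FBAV/380.0.0.26.108;FBBV/0]",
  androidWebView: "Mozilla/5.0 (Linux; Android 12; Pixel 6 Build/SQ3A.220705.003.A1; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/103.0.5060.129 Mobile Safari/537.36",
  chromeDesktop: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36",
};

// Run the detector over every sample and return the verdicts keyed by name.
function classifySamples() {
  const out = {};
  for (const [name, ua] of Object.entries(SAMPLE_UAS)) out[name] = detectInAppBrowser(ua);
  return out;
}
```

In a page you would call `detectInAppBrowser(navigator.userAgent)` and render the hint only when `inApp` is true.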

I feel like there is a litany of the internet: "that which can be collected will be." That's been true since the beginning. What continues to surprise me is that people think only "bad guys" do it.

This is why we continue to lock down browsers and provide ever narrower permission classes.

  • What surprises me is that this is technically possible on iOS.

    • It’s an abuse of a feature, in a way. There are certainly non-evil use cases for the feature being used here.

      But as we know, that which can be used by advertising/tracking people will be used by them.

  • That's because only "bad guys" do this. If a "good guy" does this, they automatically become a "bad guy".

    • I think madrox is referring to 'good guys' as in Western countries vs China etc, not literal good guys and bad guys. That's a fairly common view, regardless of all the actual bad Western country leaderships' conduct.

I hate that if I send Wordle or something cool to a friend that uses localStorage they lose their progress/settings once they leave the chat app.

So frustrating to even explain to people that this thing they are scrolling isn't their own, Safari/Chrome!

  • It's just another piece in how Apple sabotaged the web.

    • Since "the web" has become about 7-10 walled gardens for 90% of the public, whether Apple "sabotages" "the web" in allowing these "garden" apps to use their own browsers is hardly any more broken than anything else.

"TikTok subscribes to all keyboard inputs (including passwords, credit card information, etc.) and every tap on the screen, like which buttons and links you click."

How does Apple even remotely allow this?

They ban apps for the most arbitrary of reasons, I know small devs that get bumped for tiny things.

This is beyond ridiculous.

A company that has ~100M American users, and the CCP on the board, with a CEO/Board completely and publicly compliant with the 'wishes of the CCP' including reporting any and all sorts of things, is literally able to collect any data including passwords.

WTF.

How is this not a giant story?

How does the US Government not issue an immediate statement/warning to the general public and talk to Apple/Google about this issue?

My gosh.

I think the big question is, what are the event handlers doing exactly? I'm definitely not defending any of these companies but it just seems fundamentally unclear what gets done with the data. The presumption is that the event data is passed to some private storage against users' consent. But for all we know it's also possible there are automated filters in place to detect sensitive information and drop/obfuscate it. Still, I wouldn't count on that.

I will say that it doesn't look great to have a `keypress` listener on the window/document...certainly that's not used for anything good.
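As an added example (not code from the thread or from the linked article), here is a site-side detection hook for the two points raised in this thread: auditing which scripts register keystroke listeners on `window`/`document`, and using script errors as a detection signal by classifying them by the origin they come from. It assumes the site's own script runs before any injected one (a user script injected at document start may run first, in which case registrations made before the hook are not seen); `https://example.com` and `https://tracker.invalid` are constructed origins.

```javascript
// Added example, not from the thread or the article. Site-side detection
// hooks for injected scripts: (1) audit who registers keystroke listeners
// on a target such as window or document, (2) classify script errors by the
// origin of the file that raised them.
// Assumption: this runs before the foreign script; listeners registered
// earlier are not seen. "https://example.com" below is a constructed origin.

const SENSITIVE_EVENTS = new Set(["keypress", "keydown", "keyup", "input", "beforeinput"]);

// Wrap target.addEventListener so every registration is recorded. Pass
// EventTarget.prototype to cover window, document and all elements at once,
// or a single target (as the demo below does) to cover only that object.
function installListenerAudit(target, { onSuspicious } = {}) {
  const original = target.addEventListener;
  const registrations = [];

  target.addEventListener = function auditedAddEventListener(type, listener, options) {
    const record = {
      type,
      sensitive: SENSITIVE_EVENTS.has(type),
      // The stack hints at which script file made the registration.
      stack: new Error().stack || "",
    };
    registrations.push(record);
    if (record.sensitive && typeof onSuspicious === "function") onSuspicious(record);
    return original.call(this, type, listener, options);
  };

  return {
    registrations,
    sensitiveCount: () => registrations.filter((r) => r.sensitive).length,
    uninstall: () => { target.addEventListener = original; },
  };
}

// "own": error came from one of the site's origins; "foreign": from another
// URL; "unknown": no usable source URL, which is what inline or injected code
// typically reports.
function classifyErrorSource(source, ownOrigins) {
  if (!source) return "unknown";
  let origin;
  try {
    origin = new URL(source).origin;
  } catch {
    return "unknown";
  }
  return ownOrigins.includes(origin) ? "own" : "foreign";
}

// Forward every non-own script error to a reporting callback. In a browser
// `target` would be window and the event an ErrorEvent carrying .filename.
function attachErrorTelemetry(target, ownOrigins, report) {
  target.addEventListener("error", (event) => {
    const verdict = classifyErrorSource(event.filename, ownOrigins);
    if (verdict !== "own") {
      report({ verdict, message: event.message || "", source: event.filename || null });
    }
  });
}

// Stand-alone demo on a plain EventTarget (works in Node and browsers).
function demo() {
  const target = new EventTarget();
  const flagged = [];
  const reports = [];
  const audit = installListenerAudit(target, { onSuspicious: (r) => flagged.push(r.type) });
  attachErrorTelemetry(target, ["https://example.com"], (r) => reports.push(r));

  // Simulate a foreign script subscribing to keystrokes, then failing.
  target.addEventListener("keypress", () => {});
  const err = new Event("error");
  err.filename = "https://tracker.invalid/inject.js"; // constructed foreign URL
  err.message = "boom";
  target.dispatchEvent(err);

  return { flagged, reports, sensitive: audit.sensitiveCount() };
}
```

On a real page the `onSuspicious` and `report` callbacks would forward to the site's existing exception-reporting endpoint, which is where the thread's commenter noticed the noise in the first place.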

For some reason, the phrase "JavaScript commands" stood out to me as being rather awkward. I'd just say "injects JavaScript code" or "injects JS".

We can’t know what TikTok uses the subscription for.

According to the code on that page, the function named 'i' needs to be investigated further. It appears to return another function which is then called to process the keypress event.

I'm sure this isn't just iOS. I opened the link on Facebook for Android's browser and got a bunch of script injections...

Off topic, apologies: I read that TikTok contracted with Oracle Cloud to handle computation and data inside the US and do some privacy related data flow checks (not back to China). I wonder how big of a business this is, revenue wise, for Oracle Cloud? I also wonder if anti-TikTok public opinion will rub off on Oracle Cloud?

You can ID users based on the cadence and relative timing between keypresses to identify anyone regardless of their login credentials.

You can also detect bots, even skillfully crafted ones.

The more I read about the massively privacy invading features of TikTok, the gladder I am India banned it.

My question is just, “why do we let everyone else do this? Why do we only react when it’s a Chinese company doing it?”

There is a call for comment by the FCC right now about how people feel about data collection and surveillance. Please go and send in a comment to regulate these behaviours.

  • To be fair, Facebook and Instagram were caught first, and the news got to the front page last week.

When I used TikTok on Android, it was the most infuriating in-app browser experience because it had no way to open the URL in your real browser. Not even a way to copy the URL to your clipboard. I guess now I understand why.

Is it similar to what Meta does in Instagram? [0] - a thread from a week ago.

[0]: https://news.ycombinator.com/item?id=32415470

  • Yes and that’s literally the first link in the first sentence in the first paragraph of the article lol

  • TikTok is no different and is beyond worse than Meta at this point. Whatever Meta is doing doesn't excuse the reasons for this tracking.

    Given that Facebook was fined in the billions for this abuse in the past, TikTok should also be fined for this in the billions of dollars.

    We have learned nothing around this and have repeated the same problems in social networks a decade later.

    • Fines, even that high, do not stop this, as we all see in no change in Meta actions.

      Also, I cannot avoid thinking that Facebook was accused of (somewhat similar) website spying a long time before TikTok existed.

I wouldn't be surprised if Apple bans in-app browsers before long and forces all apps to use Safari, which would be a good thing.

Can this be circumvented by a very strict Content-Security-Policy?

  • It’s on the browser to enforce CSP headers. In this case the browser itself is doing the malicious script injection. Think of it as a browser extension, just running without your consent. It’s up to the browser - not the website - to reject it.

TikTok should be banned. India has the right idea. We should align more with them.

Banning it isn't for geopolitical reasons although I think those are valid given the CCP's publicly stated agenda (Global communist revolution essentially. Millions of lives sacrificed for Marx). It's just that one less mind hacking app for children is a good thing. What about FB, Insta who are just as bad etc? Simply doesn't matter. If people left FB for TikTok, and TikTok disappears, some significant % won't come back and that's a win.

  • Marx wouldn’t approve of some sort of great leap 2.0. CCP sucks, but since World Wars, have you seen the list of countries the US alone has invaded or led coups in? Add in the rest of the west.

    It doesn’t matter much what some state’s publicly stated stuff is. There’s no reason to believe any country blindly. Their actions speak louder.

Don't all in-app browsers do this? I think I read that instagram does the same.

  • No, not all of them do this. Yes, Instagram does, as per the chart in the article. The difference is TikTok forces you to use their in-app web view, and does not allow you to use your default browser, where they would not be able to inject their own JS code. Even worse, TikTok monitors every single key stroke, a key logger in effect, where Instagram does not (according to the author's research).

  • If you open the article, it compares it to a few apps. TikTok blocks you from opening it in your default browser. The others don't.

  • No, AFAIK not on Android, as it uses the default browser, just in webview mode.

    • iOS and Android both have equivalent "bad" webviews that can be tampered with and "good" webviews that can't. Instagram on Android uses the "bad" one.

I just don't understand how we can allow a Chinese social media app in the west, while any non-chinese social media apps aren't allowed there?

Same with housing, why can Chinese nationals buy housing here, while I can't do so there?

  • People are going to reply to you with the usual "we are better than them", "we are a democracy" etc., but reciprocity clauses are very common in areas like international trade, travel, disarmament treaties, emissions control and lots more. In fact China would never have been allowed into the WTO (which happened in 2001) had they not made sweeping changes to their economy and assured the world that they would compete on a fair playing field, rules that they still (mostly) have to follow today. Requiring that American software companies have the same opportunities in China as Chinese ones enjoy in the USA is a perfectly sane position to take. In fact it is the fair and democratic one.

    Of course politicians don't really understand tech enough to realize how quickly (and how unfairly) China is growing to dominate the space.

    > Same with housing, why can Chinese nationals buy housing here, while I can't do so there?

    Housing is a completely different conversation, and the answer there is that existing homeowners would never allow the influx of foreign cash into their local markets to stop, and they are the ones with all the influence in this country, not the renters or aspiring buyers.

    • "had they not made sweeping changes to their economy and assured the world that they would compete on a fair playing field, rules that they still (mostly) have to follow today."

      This is really quite false.

      Rules are broken all the time, they are difficult to arbitrate, and often they are not.

      The CCP requires foreign entities to surrender critical IP, then hands it off to state-backed competitors; they don't allow full ownership of local companies; there's direct political interference including the requirement for all companies to directly hire CCP members as oversight, and if it's important enough, to have the CCP right on the board.

      All of this in addition to the death by a thousand cuts the system can make for foreign competitors via local bureaucratic requirements at every level.

      This applies not only to commerce but critical institutions such as WHO which are directly compromised by China (i.e. not allowing any material investigation into 'lab leak origins' etc. etc..)

      The OP presented the situation very clearly: there is no way in any scenario that China would allow an American company to have a TikTok like app used by large swaths of the Chinese population, controlled by the US.

      Neither would Russia.

      On some level, that kind of thing is a bit understandable, I don't quite mind if China would not allow 'Facebook' to be the #1 communications tool in China, that said, it should be reciprocal.

      And for other things, like high-speed rail etc. China has been grabbing IP using leverage that never should have been allowed.

      3 replies →

    • Look, I'm no fan of the Chinese social construct, but in terms of investment and development in an area I've tried to work in for the past 20 years, namely high-tech renewable energy development, the USA has dropped the ball while China has run with it. The US response has been tariffs on Chinese monocrystalline silicon PV panels, in a rather pathetic attempt to prevent them from gaining market share, while promoting nonsense like CdTe panels and so on. GW Bush and Barack Obama blocked DOE money going to renewable R&D just like Reagan, Bush and Clinton did, because the USA is mostly a petro-state economy (just look at CVX and XOM profits recently FFS).

      So China ran away with renewable tech development because greedy Wall Street executives didn't want competition to their lucrative fossil fuel investments. Fucking retards.

      1 reply →

    • This is why we have fallen a decade behind on semiconductor dominance. The next wars will be won not by who owns the oil, but by who owns the semis to drive the robots.

    • > reciprocity clauses are very common in areas like [...]

      Distributing software for you to run on your own hardware is speech, though, and it's protected by the first amendment. You can license the distribution of your own software if you want, but you can't tell me I can't give you software if you want it.

      Basically: how do you think this would work, in a way that wouldn't also make Linux or gcc or whatever available only at the whim of the government?

  • Honestly, this type of discussion is seriously irritating, because it implies that TikTok is doing something unique that other apps aren't doing. Just as the article demonstrates, many western countries do the exact same thing that TikTok does, except TikTok seemingly takes it one step further (probably because of shoddy programming). Applying geographic-based arguments to technology is just a bandaid. The problem needs to be solved in all situations, not just in situations where people aren't politically happy.

    Any company injecting keyloggers or monitoring systems into web content should be subject to the same equally damning judgement. Just because it's China doesn't make keylogging bad. Keylogging is bad because keylogging is bad. Companies like Fullstory [0] and Hotjar [1] are used all over the western internet and effectively act as full session recorders. Sure, used well they can be used for analytics, but you could just as easily inject Fullstory or Hotjar into an in-app browser and suddenly record all data a user does. Should this be possible? No. Does it help to just ban China? I mean sure, but why should you be okay with a western company doing it?

    TikTok is a short video app used mostly by younger generations. It produces highly accurate recommendations for videos to watch. We're not talking about something like a banking app, a healthcare app, or even a messaging app. It's a video-based social network. There are bigger fish to fry than TikTok in almost every single possible category of app. Yet, TikTok is always brought up because it's from China.

    [0]: https://www.fullstory.com/

    [1]: https://www.hotjar.com/

    • TikTok is brought up because it has an insane amount of influence on the culture and identity of a huge swath of people. Do you seriously believe that China, or any country, would not want to leverage such influence to persuade or alter the culture of a potential adversary?

      We all shit our pants because Russia used Meta, an American company, to influence the 2020 election. Imagine the same amount of data, a more accurate algorithm, and entirely within the control of foreign actors.

      It doesn't matter if it is China or Colombia or Japan, a foreign company having that much influence over the opinions of citizens of a country is dangerous.

    • > TikTok is a short video app used mostly by younger generations. It produces highly accurate recommendations for videos to watch. We're not talking about something like a banking app, a healthcare app, or even a messaging app. It's a video-based social network. There are bigger fish to fry than TikTok in almost every single possible category of app. Yet, TikTok is always brought up because it's from China.

      If the leaders in the West weren't concerned about the "average Joe" and their (mis)understandings of politics and situations with complex nuances, then the West would likely be a true Democracy (like ancient Athens, where the People vote on issues such as War and Taxes) instead of a Republic or Democratic Republic (where the People elect a small group to vote on their behalf).

      Regardless, I think our Western leaders SHOULD be concerned with the "average Joe" mentality. That includes, by a wide margin, propaganda efforts by other nations.

      https://rankingdigitalrights.org/2021/07/14/testing-tiktok-d...

      There are _far less_ antisocial practices featured on Chinese TikTok than on Western (specifically American) TikTok. However, the comparison to Instagram and Facebook doesn't differ all that much, so maybe they're simply giving us the content we want.

  • Money.

    And I don't just mean the politicians. I mean downright to the pension funds, hedge funds, and retail investor.

    They are all long China and especially Chinese tech. If you start declaring war on Chinese tech you are going to obliterate a huge amount of money, all to protect privacy that US voters don't care about in the least. So why would they do such a silly thing?

    National security? Please, the son of a sitting President is a crack user with huge ties to China. Nothing some TikTok user could divulge through the in-app browser could ever compare.

    • If you want to protect the privacy of users then protect the privacy of users. Protecting the privacy only when China is the one invading privacy is not protecting the privacy of users.

  • > how we can allow a Chinese social media app in the west, while any non-chinese social media apps aren't allowed there?

    Because we are the West, and China is China. We have different laws and customs.

  • So, I see this bandied about a lot, but I don't see the big deal in being spied on by a government that has 0 say in my entire hemisphere? Like, I have much bigger concerns about spying done on behalf of the five eyes alliance than China (obviously this would be the opposite if I was living in China). What are they going to do with my silly viewing habits, sell my data to advertisers? Well, same deal with youtube, google, fb, insta, whatsapp, etc. I'm not saying you are coming at this from a nationalistic point of view but I get that vibe from the ease with which tiktok is disdained on HN.

    And on the merits, it is unhealthy like all social media, but it still feels so much more fun and worthwhile than facebook or insta where everything feels like a competition to have the best life. So much of Tiktok still feels like vine 2.0.

    • > So, I see this bandied about a lot, but I don't see the big deal in being spied on by a government that has 0 say in my entire hemisphere?

      You idiot.

    • All China has to do to have a serious negative impact on our society is give a slight boost to moronic, antisocial content (tide pod challenge or mass robbery anyone?), and a slight penalty to constructive, educational content. It would be basically impossible to detect this.

      Remember that this is a country that regularly threatens a war that would likely involve the US.

  • Besides what's been said already, did you consider that "the west" is a collection of countries from at least 3 continents, while China is a single country?

    Also the fact that the entire world relies on China is a pretty good place to start.

  • So, what would be the difference between us and them? There is a reason why our governance is better than theirs.

    Also, if you don't know, Facebook and Instagram also have the same issue as TikTok. Maybe the government should enforce privacy requirements for all apps including Facebook and Instagram instead of blanket banning Chinese apps.

  • Because China is ruled by technocrats who are probably book-smarter than Western politicians.

    In the west you typically have to be rich to be a politician, in China you have to be smart, then you get rich (and ban the NYT when your corruption is uncovered).

  • Does it bother the west's rich and/or powerful? If not, it doesn't matter in the West apparently.

    China and the West are both controlled by factors not really in line with helping the stereotypical Common Person.

  • I would zoom out a bit.

    For example, when the media in The West "front pages" the smog in Beijing keep in mind The West owns a good part of that. It's not like what's manufactured in China stays in China. I would presume their waterways are nasty as well.

    Just one example mind you. The point is, there are other imbalances. That's not to say TikTok should get a free pass, only that it's more complicated than an app for app comparison.

  • Amusingly, TikTok isn't available in China - only DouYin, which is similar but separate.

    I'm not 100% sure on this at this point, but I think if Facebook/Google/etc were willing to do the same they would be allowed in China too, but as it stands they can't/won't comply with Chinese law (I may be mistaken on this, haven't read up on the topic in quite some time).

    • Yeah, and both TikTok and DouYin are owned by ByteDance. In fact didn't Google on occasion create a crippled/censored version of its search for some time in mainland China or Hong Kong or something?

  • Who cares? This is about privacy and security. Not a “why can’t we do it in your country back to you” argument.

  • Sounds like the opposite of housing from a national security POV. If a Chinese national buys a house in the US, then the US has 'control' over their property. The US would want Chinese nationals to buy houses in the US.

    • In some countries housing supply is limited and the housing market can be messed with by influx of foreign ownership. Possibly less of an issue with US due to size of the country. Still, I think if someone can buy land here, we should be able to buy land there (within reason)?

  • There is an interesting meta discussion here but the parent is over-simplifying things.

    > How we can allow a Chinese social media app in the west, while any non-Chinese social media apps aren't allowed there?

    Easy. The laws are different.

    "Non-Chinese social media app"s are not banned in China, just that if you run one it needs to be licensed (https://beian.miit.gov.cn/) first before you can start servicing. Licensing is difficult since there are requirements about keeping data domestic, having physical presence should legal enforcement be necessary (i.e. there are people to arrest if something goes wrong), and complying with takedown requests (both copyright and political). Western big tech companies (rightfully) do not want to comply, so they do not get licenses, and thus have no presence. Attempting to "just provide service" without a license will result in blacklisting via the GFW as enforcement.

    "Allow a Chinese social media app in the west" -- this is also more complex. If TikTok or friends violate laws in the west they are also liable for any punishment. For example, TikTok and WeChat comply with the GDPR in Europe and keep EU data local to the EU. If they didn't they'd be looking at a potentially huge fine and possibly getting banned. Similarly they also comply with copyright stuff like DMCAs. If they didn't, the FBI can seize their domain and compel ISPs to not resolve it just like the GFW (this has precedent and has been done before).

    So the meta question becomes: Are the current protections in the west sufficient? To which the answer is probably no.

    But in any case, in the free world, whether a Chinese social media app's presence is allowed to be maintained should not be dictated by ideology, but rather through real demonstrated evidence of misbehavior and/or harm (which is why research like this is important).

    • I appreciate your thoughtful response. I think that Chinese apps should at least be held to the same standards, as they are there, and I think it's reasonable to assume that they currently aren't.

      The thing is, and I don't believe this to be controversial, that China has built a digital database of all (or most) of its citizens based on the data they collected. Now the question is, do they stop there, or do they have a file on all of us? The technology is cheap, and I think based on video data etc that they collect through apps like this, they might well build a social graph of the rest of the world (i.e. who does exist, what are their interests/beliefs/political affiliations, and what are the relations between those entities.)

      The repercussions of using such apps might be, that they have info on citizens in the rest of the world, which might allow them to nudge people into giving into their political goals (this has already been happening after people posted stuff critical of China on sites like Twitter) - and I think that we have to ask ourselves how that could threaten our democracy.

  • What I don't understand is why Google has let YouTube become one big advertisement for TikTok. Every video I watch on YouTube is preceded by a TikTok ad.

  • > why can [XXX] nationals buy housing here, while I can't do so there?

    Simply because when XXX nationals come with all cash offers and willing to pay above market & waive all contingencies, sellers are willing to sell.

    It just so happens that certain nationals are more prone to having that sort of money than others.

    • No, it isn't about people being more prone to buy property in one place, rather than another. Let x be any number in [0, ∞); I literally cannot buy property in China for any x.

  • All of this. And, to be clear, much of that home purchasing is for investment purposes (vs simply Chinese nationals with residences here).

    And, don't forget farmland.

    Seems we'll look back on all of this at some point and decide maybe it wasn't the best idea.

    • > Seems we'll look back on all of this at some point and decide maybe it wasn't the best idea.

      If that happens, I imagine our Congress will brew up some justification for seizing all that Chinese owned property.

  • Because of unfortunate politics - young people are thriving on TikTok so all discussions on limiting the platform under Trump were reasonably responded to with outcries about censorship. I think it's possible some change could happen under the current administration's watch (since it wouldn't be viewed as a free-speech crackdown) but there doesn't seem to be much interest now that it's just about security and not also about punishing your political opponents.

  • Because the West operates under different systems. The West has for a while been about free trade, free market global capitalism, whereas China is using a much more controlled approach.

    Fundamentally the West can't get too far away from these ideals or it will end up destroying its hegemony. Huawei has already been banned, but what comes after social media? And if some action is taken, will other countries start banning western imports, especially cultural and services?

  • I can’t understand how we allowed every industry to wholesale migrate to China and write off every manufacturing method and trade secret.

    The answer to both of our questions is of course money. Our version of capitalism is dominated by cult-like disciples of financial management principles.

    If the US fucks with TikTok, well maybe they’ll mess with Office 365.

  • If non-Chinese companies are willing to abide by Chinese laws (including those about censorship, etc.), they'll be able to operate in China. Chinese social media apps abide by US regulations around social media and private surveillance, which are almost nonexistent, so they can operate in the US.

    The only way to prevent this is to create laws specifically targeting the Chinese for being Chinese, because 1) the chance for domestic regulation on social media and surveillance is very low, and 2) any regulation we're likely to pass would be about "spreading misinformation" and "foreign interference," so would probably end up closely resembling Chinese regulations.

  • Well, it's gonna cost me many downvotes, but this needs to be said. CCP has a tight grip on many US officials. The two publicly known cases are Pelosi's son and Biden's son, who are prominent investors, board members even, in Chinese companies. That's public knowledge, but I bet it's the tip of the iceberg.

  • Trump tried to ban TikTok (and quite a lot more), but he’s orange and bad, so Biden repealed it. And tariffs are racist, so there’s that. America is not functioning well at this point and nothing indicates it will improve.

  • What happened to free speech being the bastion of America and the only thing that can counter misinformation and propaganda?

    Suddenly doesn't seem to work so well when a Chinese app is granted that privilege.

  • Because only the US can buy cheap goods and services from the world with printed paper called dollars.

  • Because it’s a sovereign country that makes its own rules? So, basically the same reason that you can’t just move to Italy because you feel like it.

So let me get this straight:

If I click a link inside the Instagram app, that for whatever reason takes me to gmail or microsoft or wherever that requires authentication, and I decide to login on that page so I can view the link in question, Meta and TikTok are able to capture my credentials and ingest the data back into their metrics and analytics pipelines?

Is that even f*cking legal?

  • Everything is legal until it is explicitly made illegal. And I can assure you no US politician can understand more than 3 words in that paragraph you wrote, let alone make laws to regulate it.

  • For what it's worth, Google doesn't allow you to log into your Google Account in an in-app browser for this exact reason... unless you enable some "Insecure App" settings in Google Admin settings.

    • I’ve always wondered how Google enforces this at a technical level. Wouldn’t it be easy to spin up an in-app browser that looks and feels just like a regular browser? How does one detect via JS (or other means) if it’s an in-app browser?

  • If you use the platform, you've expressly agreed to this behavior. You can't create an account without affirming that you read and agreed to their policies and terms of use.

    Instagram's privacy policy: https://privacycenter.instagram.com/policy/

    >We call all of the things you can do on our Products "activity." We collect your activity across our Products and information you provide, such as: [...] Apps and features you use, and what actions you take in them.

    Tiktok's USA privacy policy: https://www.tiktok.com/legal/privacy-policy-us

    >We collect information when you create an account or use the Platform. We also collect information you share with us from third-party social network providers, and technical and behavioral information about your use of the Platform. [...]

    >We may collect information about you from third-party services, such as advertising partners, data providers, and analytics providers.

    Aren't EULAs fun?

  • Can they really though?

    I mean, this is literally XSS. And it's not just Facebook and Tiktok; unless this is a private API, scummy apps can and (I guarantee) are doing this to steal user passwords and bank credentials. Your average person already needs to know that they can't type in their credentials unless the URL says facebook.com, now they also need to check the app is Safari. And you may not even need to enter credentials, a malicious app could just load my-bank.com and extract the cookies or local storage or send API requests.

    If true...wow. That's a massive security oversight. But it seems too massive, I'm not 100% convinced. Especially because websites are tightly sandboxed from other websites and apps are tightly sandboxed from other apps. Yeah you could in theory re-implement your own web browser in your app which looks and acts like Safari, but in practice Apple technically forbids other web-views, and it's really hard to fully implement a web browser and not make it immediately apparent anyways.

  • We'll find out soon enough, but no existing law covers it so clearly that it can be decided with certainty without a judge's imprint.

Why on earth is this even allowed in iOS in the first place? Why do apps have the ability to control and change the browser? Instead of using the default one? Like android.

  • These same tools are what allow you to build and ship fully JS based apps on iOS instead of having to use Swift or Objective-C or anything like that. Arbitrary web views can be an entire app. Or they can reinvent the wheel and become in-app browsers. A lot of apps are fully or partially web based. Even Apple’s own apps use web views in crazy ways. For example, the entire Mac App Store used to be a web view. Parts of macOS system preferences are web views. It’s just that because they’re web views, if you slap browser-like chrome on them and send them to the internet, they also work as web browsers.

    • All of that is totally fine and not what people are upset about. If your entire app is just a web browser that renders your website, that should be fine too.

      The problem is when they render external websites and unsuspecting users think they are using the phone's web browser. That is something Apple/Google can have rules about without banning/restricting web views.

  • It's the in-app browser. The one that opens within the app, so that people don't need to switch to another app, and usually used for short-lived sessions. It doesn't modify or spy on the actual separate browser (Safari etc), just on whatever happens inside the app (as you would expect, the app knows what's going on within itself), and it just so happens that sometimes in the app there is a browser page being displayed, which it then stands to reason can also be spied on.

    Android has these in-app browsers too, they may or may not be subject to this.

    • AFAIK Android in-app browsers are just a different look for the default browser, I think it's called WebView.

  • I assure you Android is capable of the exact same thing.

    A lot of apps use webviews to render HTML, often in ways where you wouldn't even notice it's web content. Apps shouldn't use webviews to render external web sites but nothing in the APIs restricts them from doing so (recent versions of iOS have made it seem like they're heading in that direction but nothing concrete).

    Easiest thing would be for Apple and Google to enforce this via denying app approvals. Would be a very interesting fight against apps this popular, though.

  • Android is in basically the same situation.

    Obviously both Android & iOS let you open things in the default browser.

    iOS has SFSafariViewController, which more-or-less corresponds to Chrome Custom Tabs on Android. These basically make a browser UI that is inside the app for the purposes of multitasking/app-switching, but which is controlled by the browser. Devs can't inject code into these.

    And both have WebViews, which let the dev do more-or-less whatever they want inside their own app.
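    The split described above, as an added Swift example that is not from this thread or from any app it mentions: only the app's own hosts are rendered in a WKWebView, and every external link goes to SFSafariViewController, where the app cannot run scripts or read page data. The `firstPartyHosts` list, the `LinkOpener` class and its `isFirstParty` check are assumptions made for the example.

    ```swift
    import UIKit
    import WebKit
    import SafariServices

    /// Hosts the app itself serves (placeholder values for this example).
    /// Only these are ever loaded inside the app-controlled WKWebView.
    let firstPartyHosts: Set<String> = ["example.com", "www.example.com"]

    final class LinkOpener {
        private weak var presenter: UIViewController?

        init(presenter: UIViewController) {
            self.presenter = presenter
        }

        /// True only for an https URL whose host is in the first-party allow list.
        /// Anything else (http, custom schemes, unknown hosts) is treated as external.
        static func isFirstParty(_ url: URL) -> Bool {
            guard let scheme = url.scheme?.lowercased(), scheme == "https",
                  let host = url.host?.lowercased() else {
                return false
            }
            return firstPartyHosts.contains(host)
        }

        /// Routes a tapped link: own content -> WKWebView, external -> Safari-controlled UI.
        func open(_ url: URL) {
            guard let presenter = presenter else { return }

            if LinkOpener.isFirstParty(url) {
                // First-party page: the app legitimately controls this content,
                // so a WKWebView (with whatever scripts the app needs) is appropriate.
                let webView = WKWebView(frame: .zero, configuration: WKWebViewConfiguration())
                let container = UIViewController()
                container.view = webView
                webView.load(URLRequest(url: url))
                presenter.present(container, animated: true)
                return
            }

            let scheme = url.scheme?.lowercased() ?? ""
            if scheme == "http" || scheme == "https" {
                // External site: SFSafariViewController is rendered by Safari out of
                // process. The app gets no evaluateJavaScript, no cookies, no storage,
                // and the user keeps their Safari session and content blockers.
                let safari = SFSafariViewController(url: url)
                presenter.present(safari, animated: true)
            } else {
                // SFSafariViewController only accepts http/https; hand other schemes
                // (mailto:, tel:, ...) to the system so the right app handles them.
                UIApplication.shared.open(url)
            }
        }
    }
    ```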

    • I haven't seen any app use WebView for external links, they always use Chrome Custom Tabs.

If anybody else would do this, the app would be taken down immediately from the App Store.

Probably the developer account banned too.

It is Spyware. Nothing else.

Is this the exact type of security Apple is supposed to be protecting its customers from?

Oh wow, a Chinese military psyop on the West is keylogging everyone? Really? Gee willikers what a shocker.

/s

Noooo waaaaayyyy, a social media product is doing something dystopian and surveillance-ish!!! /s

I’m glad it’s reported on, but it’s almost uninteresting hearing the the same plot line over and over.

Whoever is still using TikTok is surrendering their humanity:

Fed manufactured content with artificial mental stimulus

Privacy gets infringed every second

And on top of this we are seeing scary trends emerge on TikTok: they are able to mobilize youth into anti-social activities like stealing cars or creating weapons. All they have is a small notice at top of the videos with a disclaimer.

e.g. Kiaboyz wreaking havoc in Columbus as videos of stealing Kia/Hyundai cars went viral on TikTok

Suffice to say that the bar isn't very high in America. This type of video would never catch on in places like Japan or Switzerland.

Was anyone expecting otherwise?

They'll use it to make their algorithm better, and they'll use it to better target ads.

Both of those things are good for me the user, so I'm fine with it.

And for those who don't like that, use a blocker, or don't use TikTok.

  • I walked into a shop. They place a bug on me, so they can listen to my conversations in the store, and the store next door if I leave and pop in there. Both conversations about products, and conversations I am having with my therapist about personal problems. Everything is recorded.

    They use it to make their algorithm better, and they'll use it to better target ads. Both of these things are good for me the shopper, so I'm fine with it. If they sell that data to other companies, have their employees LOL at my problems, or secretly pass it on to the police or spy agencies, that is totally cool. Nothing to hide here!

    And for those who don't like it, don't shop at this particular store.

  • I like TikTok, I think that algorithm is toxic and that "better" currently means "more toxic". My simple ask is that I wish we could control it a little better. It sends you down a tree, but I wish we could zoom out, visualize the tree and just pick a different branch to go down.

    • They’re not going to do that because they don’t want you going down a different branch that will lead to lower engagement metrics for them.

  • This was expected and the intention for this invasive spyware is obvious; otherwise, how else is their dystopian recommendation algorithm supposed to work if you don't give access to your entire life records?

    The difference is that this was done before by Meta / Facebook and they were fined in the millions, and even by billions by regulators like the FTC over this. These same problems from a decade ago are being repeated once again and we have learned nothing.

    TikTok should be under the same regulations, especially when they are operating in many countries that have strict data privacy laws, and given this unsurprising and extremely invasive data collection practice, which is even worse than Facebook's, they should be fined in the billions of dollars as a reminder that it applies to any social network, especially those with billions of users.

    If left alone, it will only get worse for everyone.

  • That's great if it's something you want. What happened to getting consent? All of these "features" should be opt-in.