Comment by mark_l_watson

4 years ago

I can’t quite figure this out: it sounds like if you click a link in someone’s TikTok content, the in-app browser can read any text entered on that site using the in-app browser. Does just not entering any keyboard input in the in-app browser mitigate this?

Does Apple Lockdown help in this situation? I thought that typical TikTok use just involved scrolling and watching video content. Are users who only view content subject to this security flaw?

Thanks in advance for any clarification.

Also, off topic but doesn’t YouTube’s “Shorts” take the place of TikTok? I have my Google privacy settings set so YouTube can store my viewing history for one month so I get reasonable recommendations. Does TikTok have similar settings?

They do a lot more than that.

> TikTok iOS subscribes to every tap on any button, link, image or other component on websites rendered inside the TikTok app.

> TikTok iOS uses a JavaScript function to get details about the element the user clicked on, like an image (document.elementFromPoint)

And that's just a sample of the calls the author was able to find.

  • This seems perfectly reasonable btw. The extension to the in-app browser existing and logging non-tiktok browsing is troublesome.

    Perhaps Apple should ban in-app browsers? But what about Safari? Apple itself collects and benefits from Safari data for its ad product

  • If I build an analytics company and build a product that my customers can use to "analyze" their users' activity, it'd almost be a total neglect on my end not to include common tracking mechanisms that are well documented, like simple event hooks in JS. I really don't get the rage against TikTok.

    What they do that is publicly known is not bad. Maybe there is something bad they're doing, but these random HN top stories are not it. If the NSA/US govt really wants us to avoid TikTok it needs better convincing than "omg they're stealing the x,y of your finger when you tap on an image."

    • You're writing as if this is just analytics tracking a user's actions in their own UI. It's not! This is tracking actions users take, and data users enter, on 3rd-party websites.

      That is not "what happens in TikTok's app," as you put it in your reply. It may be hosted "in" the app in a technical sense, but the typical user who is fullscreen viewing a totally different website may not feel like they are "in" the app at all. I wouldn't bet that most users even get that there's a distinction between an in-app browser vs. opening a tab in the main OS browser (on Android at least, the back gesture takes you back to the app either way). Users almost certainly don't expect the original app to be able to read passwords and other text that they type on those 3rd-party sites.

    • If you sold a phone that sent call details back to the manufacturer you’d likely get locked up.

      TikTok are not a party to these communications, and they’re not a carrier or service provider. What they’re doing is wiretapping.

Apple exposes two ways to use an in-app browser. One is a legacy method that gives you full control; the other gives the user a sandboxed browser with no interference from the app.

TikTok isn't the only app abusing this. Instagram and Facebook will both do sneaky things like respond to the content of the page you're browsing (asking to save passwords in their own private keychain, showing context specific information, etc.)

You're not exposed to any of these if you don't open a link inside the in-app browser.

The most common reason to click a link in their in-app browser is an ad... so obviously TikTok, Instagram and Facebook are using the in-app browser to track your interactions after the ad click and sell the data.

  • There is a difference between tracking activities (bad enough) and reading everything you type.

    • People really want to force outrage on this, but after enough interaction with the ad (scrolling, clicking, typing) TikTok asks about your experience with the ad.

      TikTok is not pretending to have opened your system browser, it goes very far in doing the opposite:

      - Hides the normal browser UI

      - Replaces every page load with a TikTok spinner

      - Permanently places a TikTok header bar over the screen with a report content button tied to TikTok

      Combine that with the fact so many people seem to not realize... the only links you can open with the browser are links sold with analytics (i.e. you can't post arbitrary links as a user commenting), and the outrage just doesn't add up.

      A completely non-technical user going through that flow would expect that they're still in TikTok and are using TikTok, not their browser.

  • Apple needs to give us power-users the option to decide whether to load such web content (in apps) in either SFSafariViewController (sandboxed) or WKWebView (fully exposed). This is especially critical when, for example, payment processors load your net banking portal inside apps (a common mode of online payment in India): unless it is sandboxed, the app and/or payment processor has complete access to your net banking credentials.
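A defensive complement to the SFSafariViewController vs. WKWebView distinction above, as an added example that is not part of the thread: a site that hosts a login or banking form can heuristically detect that it is being rendered in an app-embedded WKWebView (which lacks the `Version/x ... Safari/x` user-agent tail that Safari and SFSafariViewController send, and may expose an app JS bridge at `window.webkit.messageHandlers`) and warn the user before they type credentials. The user-agent strings are constructed samples, and an app can override its web view's user agent, so this is a heuristic, not proof.

```javascript
// Added example (not from the thread or from Apple/TikTok code).
// Classifies the iOS rendering context a page finds itself in so it can
// warn before showing a credential form. Heuristic only: apps may set a
// custom user agent on their WKWebView.
const SAFARI_TAIL = /\bVersion\/[\d.]+.*\bSafari\/[\d.]+/;
const IOS_WEBKIT = /\b(iPhone|iPad|iPod)\b.*\bAppleWebKit\//;

function classifyIosContext(userAgent, win) {
  if (!IOS_WEBKIT.test(userAgent)) return "not-ios-webkit";
  // An app that injects a native<->JS bridge exposes webkit.messageHandlers.
  const hasBridge = !!(win && win.webkit && win.webkit.messageHandlers);
  if (hasBridge) return "wkwebview-with-bridge";
  // Safari and SFSafariViewController append "Version/x ... Safari/x";
  // a bare WKWebView's default UA ends at "Mobile/xxxx".
  if (!SAFARI_TAIL.test(userAgent)) return "wkwebview";
  return "safari-or-sfsafariviewcontroller"; // sandboxed from the host app
}

function shouldWarnBeforeCredentialEntry(userAgent, win) {
  const ctx = classifyIosContext(userAgent, win);
  return ctx === "wkwebview" || ctx === "wkwebview-with-bridge";
}

// Constructed sample user agents (not captured from real devices).
const SAMPLE_UA = {
  safari: "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6 Mobile/15E148 Safari/604.1",
  webview: "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148",
  android: "Mozilla/5.0 (Linux; Android 12) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0 Mobile Safari/537.36",
};

// In a real page: run at load and gate the credential form on the result.
if (typeof window !== "undefined" &&
    shouldWarnBeforeCredentialEntry(navigator.userAgent, window)) {
  console.warn("This page is inside an app's web view; the host app may be able to observe what you type.");
}
```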

>> Does just not entering any keyboard input in the in-app browser mitigate this?

Yes, but I doubt the hundreds of millions of users, many of whom are children, know this.

  • To play devil's advocate... the most common way to end up in the in-app browser is to click an ad.

    Non-technical people don't have a concept of "in-app browser sandboxing". In their minds they clicked on an ad, they're still inside TikTok, TikTok's UI is showing, TikTok will show prompts based on the content shown... they probably assume TikTok has access to that page?

    Honestly I'm more annoyed that Apple allows big apps to use the loophole that is the legacy webview than I am that TikTok uses that webview to do the exact single thing it's good for... having full control over the web content you're showing in app.