Comment by BoorishBears

4 years ago

Apple exposes two ways to use an in-app browser. One is a legacy method that gives you full control, the other gives the user a sandboxed browser with no interference from the app.

TikTok isn't the only app abusing this. Instagram and Facebook will both do sneaky things like responding to the content of the page you're browsing (asking to save passwords in their own private keychain, showing context-specific information, etc.).

-

You're not exposed to any of these if you don't open a link inside the in-app browser.

The most common reason to click a link in their in-app browser is an ad... so obviously TikTok, Instagram and Facebook are using the in-app browser to track your interactions after the ad click and sell the data.

There is a difference between tracking activities (bad enough) and reading everything you type.

  • People really want to force outrage on this, but after enough interaction with the ad (scrolling, clicking, typing) TikTok asks about your experience with the ad.

    TikTok is not pretending to have opened your system browser, it goes very far in doing the opposite:

    - Hides the normal browser UI

    - Replaces every page load with a TikTok spinner

    - Permanently places a TikTok header bar over the screen with a report content button tied to TikTok

    Combine that with the fact that so many people seem not to realize... the only links you can open with the browser are links sold with analytics (i.e. you can't post arbitrary links as a user commenting) and the outrage just doesn't add up.

    A completely non-technical user going through that flow would expect that they're still in TikTok and are using TikTok, not their browser.

Apple needs to give us power-users the option to decide whether to load such web content (in apps) in either SFSafariViewController (sandboxed) or WKWebView (fully exposed). This is especially critical when, for example, payment processors load your net banking portal inside apps (a common mode of online payment in India) - unless it is sandboxed, the app and/or payment processor has complete access to your net banking credentials.
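The two APIs named above, as an added Swift example (not code from any of the commenters, and not Apple's sample code): `openSandboxed` hands the URL to SFSafariViewController, which gives the host app nothing back but a dismiss callback, while `ExposedWebView` shows the WKUserScript and WKScriptMessageHandler hooks through which a WKWebView host app can run its own script inside any page the user visits. The `host` handler name and the title-reporting script are constructed for illustration.

```swift
import UIKit
import SafariServices
import WebKit

// Sandboxed path: SFSafariViewController renders the page out of process with
// Safari's own cookies and autofill. The host app sees only the URL it passed in
// and a delegate callback when the user closes the view; form fields, keystrokes
// and the DOM are out of its reach. This is the choice that keeps a banking
// portal's credentials away from the app that opened it.
func openSandboxed(_ url: URL, from host: UIViewController) {
    let safari = SFSafariViewController(url: url)
    host.present(safari, animated: true)
}

// Exposed path: WKWebView runs in the app's own process and lets the app attach
// a WKUserScript to every page (all frames here) plus a message handler that
// receives whatever that script posts back. The constructed script only reports
// document.title on load, but the same hook gives the app read access to the
// page content; an app that does this should say so in its UI.
final class ExposedWebView: NSObject, WKScriptMessageHandler {
    let webView: WKWebView

    override init() {
        let config = WKWebViewConfiguration()
        let controller = WKUserContentController()
        let script = WKUserScript(
            source: "window.webkit.messageHandlers.host.postMessage(document.title);",
            injectionTime: .atDocumentEnd,
            forMainFrameOnly: false)
        controller.addUserScript(script)
        config.userContentController = controller
        webView = WKWebView(frame: .zero, configuration: config)
        super.init()
        // "host" is an assumed handler name; it must match the script above.
        // Note: add(_:name:) retains the handler, so remove it when done.
        controller.add(self, name: "host")
    }

    func load(_ url: URL) {
        webView.load(URLRequest(url: url))
    }

    func userContentController(_ userContentController: WKUserContentController,
                               didReceive message: WKScriptMessage) {
        // Everything the injected script posts arrives here, in app code.
        print("host app received from page:", message.body)
    }
}
```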