TikTok can track users’ screen taps when they visit other sites via its iOS app, new research reveals.

The video-sharing platform executes code that allows it to observe text input, such as credit card information and passwords, during ‘in-app browsing’.

This is when the user opens a third-party site within TikTok, as opposed to another browser such as Safari or Google Chrome.

Software engineer Felix Krause reported his findings last week, after analyzing the JavaScript code that social media apps run when a user opens a website link inside them.

He tweeted: “When opening a website from the TikTok iOS app, they inject code that can detect any keyboard input (including credit card details, passwords or other sensitive information).”

TikTok also has code to observe all taps, such as button or link clicks.

In the report, he added, “We don’t know what TikTok uses the subscription for, but technically it’s the equivalent of installing a keylogger on third-party websites.”


The engineer has created a security tool, InAppBrowser.com, that lists the JavaScript commands an iOS app executes when it opens the site.

It shows that when browsing a third-party site within TikTok on an Apple device, it has the ability to monitor all keystrokes, text input, and screen taps.
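The article describes a tool that lists which JavaScript the in-app browser runs against a page, but not how such observation can be spotted. The following is an added example, not code from the article or from InAppBrowser.com: a page-side monitor that hooks `addEventListener` early and records every listener later attached to keyboard or tap events, which is the kind of instrumentation a site owner could use to see whether the surrounding app is watching its inputs. It assumes Node's built-in `EventTarget` as a stand-in for `document`; the hook only sees listeners registered after it is installed, so in a real WKWebView an app script injected at document start can still run before it.

```javascript
// Added example (not from the article or InAppBrowser.com): record which
// sensitive DOM events get listeners attached after the hook is installed.
// Node provides EventTarget/Event globally, so this runs without a browser.

const SENSITIVE_EVENTS = new Set([
  'keydown', 'keypress', 'keyup', 'input',          // keyboard / text input
  'click', 'touchstart', 'touchend', 'pointerdown', // screen taps
]);

// Wrap EventTarget.prototype.addEventListener and log sensitive registrations
// into `log`. Returns a function that restores the original method.
// Caveat: anything registered BEFORE this runs is invisible to it, so on a
// real page it belongs at the very top of the first <script>.
function installListenerMonitor(log, proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  proto.addEventListener = function (type, listener, options) {
    if (SENSITIVE_EVENTS.has(type)) {
      log.push({
        type,
        target: this && this.constructor ? this.constructor.name : 'unknown',
        // Rough caller origin; an injected user script usually shows no page URL.
        origin: ((new Error().stack || '').split('\n')[2] || 'unknown').trim(),
      });
    }
    return original.call(this, type, listener, options);
  };
  return () => { proto.addEventListener = original; };
}

// Count registrations per event type and flag whether any keyboard/text-input
// listener was attached at all.
function summarise(log) {
  const counts = {};
  for (const entry of log) counts[entry.type] = (counts[entry.type] || 0) + 1;
  const keyboardInputObserved =
    ['keydown', 'keypress', 'keyup', 'input'].some((t) => counts[t] > 0);
  return { counts, keyboardInputObserved };
}

// Demo on a constructed stand-in for `document`.
const demoLog = [];
const demoUninstall = installListenerMonitor(demoLog);
const fakeDocument = new EventTarget();
fakeDocument.addEventListener('keydown', () => {});
fakeDocument.addEventListener('click', () => {});
fakeDocument.addEventListener('scroll', () => {}); // not sensitive, ignored
demoUninstall();
console.log(summarise(demoLog)); // keydown:1, click:1, keyboardInputObserved:true
```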

However, this does not mean that the app, or its Chinese parent company ByteDance, is necessarily monitoring that input.

Mr. Krause wrote, “Just because an app injects JavaScript into external websites doesn’t mean the app is doing anything malicious.

“We have no way of knowing the full details of what kind of data each in-app browser collects, or how and whether the data is transferred or used.

“This publication lists the JavaScript commands executed by each app, and also describes the effect each of those commands could have.”

A TikTok spokesperson told Guardian Australia the conclusions of the report on TikTok are inaccurate and misleading.

“The researcher specifically says that the JavaScript code doesn’t mean our app is doing anything malicious, and admits they can’t know what kind of data our in-app browser collects.

“Contrary to what the report claims, we do not collect keystrokes or text input via this code, which is used solely for debugging, troubleshooting, and performance monitoring.”



WHAT DATA CAN TIKTOK COLLECT WHEN IN-APP BROWSING?

Keyboard input – for example, entered passwords or credit card information.

Screen taps – for example, when you click buttons, images, or links.

Details about the element you clicked on – e.g. images.

Mr. Krause also tested the ability of other popular iOS apps to collect data from users’ taps when they access a third-party website.

This included Instagram, Facebook, Facebook Messenger, Amazon, Snapchat and Robinhood.

While TikTok had the most extensive monitoring capabilities, Instagram, Facebook, and Facebook Messenger had a similar number.

However, TikTok is the only app that does not offer the option to open the third-party site in the default browser while browsing the app.

The software engineer wrote, “There are data privacy and integrity issues when using in-app browsers…like how Instagram and TikTok show all external websites in their app,

“Their primary motivation is almost purely commercial and financial, while at TikTok there is an element of national security that I don’t think is directly present with the others.”

The popularity of TikTok’s app among children as young as 12 years old means that users are probably unaware of the risks of surveillance and data collection.

In June, BuzzFeed News reported that leaked recordings of more than 80 internal meetings reveal that China-based TikTok employees have repeatedly accessed US user data.

A TikTok spokesperson told Guardian Australia: “The researcher specifically says the JavaScript code doesn’t mean our app is doing anything malicious, and admits they have no way of knowing what kind of data our in-app browser collects.” They also tweeted from their official Twitter account to label the report’s claims as “false and misleading.”

Instagram was also found to have the ability to track screen taps, including on images, links, and text input, on third-party websites displayed in the app.

A spokesperson for Instagram’s parent company, Meta, told Guardian Australia that “in-app web browsers are common across the industry.”

They said, “At Meta, we use in-app browsers to enable safe, convenient and reliable experiences, such as ensuring that autocomplete is completed correctly or preventing people from being redirected to malicious sites.

“Adding any of these functions requires additional code. We’ve carefully designed these experiences to respect users’ privacy choices, including how data may be used for advertising.”