TikTok’s Tracking Revelations Reveal the Need for In-App Browsing Security

If you’ve taken a look at social media in the past few days, you’ve likely seen that TikTok is embroiled in yet another security and privacy scandal of its own making. Software engineer and security researcher Felix Krause has revealed that TikTok — along with Facebook and Instagram — are employing embedded JavaScript code that allows the companies to track every keystroke, tap, and other end-user input while visiting third-party websites through the app. 

While TikTok has acknowledged the features’ presence in an interview with Forbes, they claim to not be currently using them. Even so, the capabilities are beyond concerning — opening up the possibility for harvesting users’ login credentials, credit card details, and other sensitive information. 

In addition to his report, Krause has also launched a new website, InAppBrowser.com, which allows users to uncover what JavaScript commands are being injected through their in-app browser in real time.

What is In-App Browsing? 

If you’ve ever clicked on a link or downloaded a file while using TikTok, Facebook, Instagram, Slack, or any other number of applications, you’ve likely found yourself in the act of in-app browsing. Rather than launching a separate, dedicated web browser — such as Chrome or Safari — many applications employ what is called an in-app browser to access web content. These pared-down web browsers are ostensibly employed to streamline functionality and avoid disruption to the user experience. 

But, as these new revelations seem to suggest, there is likely some significant benefit to the companies employing them as well. With ad revenue making up the lion’s share of these companies’ revenues, it’s not hard to imagine how first-party tracking data of this nature might play into their overall ad targeting initiatives. 

The Security Implications of In-App Browsing

While concerns around privacy remain largely speculative as it relates to in-app browsing, the concerns around security are undeniable. When browsing in-app, users remain vulnerable to a wide host of threats, including phishing, cross-site scripting (XSS), malicious JavaScript, and more. 

To make matters worse, most secure browsing solutions on the market today leave this swathe of the web browsing attack surface entirely unprotected. Prevailing secure browsing solutions have no way of addressing the vast assortment of threats posed by in-app browsing on mobile and desktop devices.

Taking Secure Browsing Beyond the Browser with Red Access

The act of web browsing has been decoupled from web browsers themselves for years now.  Even with desktop apps like Dropbox and Slack, the moment a user clicks on a link or downloads a file within them, they’ve effectively moved the act of web browsing beyond the purview of the browser itself. 

This is where Red Access comes in. The first secure browsing solution to cover the entire browsing attack surface — in-app, across any browser, any native cloud and any dev app. Red Access ensures end-users are protected against the full suite of modern threats in browsing, files, identity and data, wherever they choose to browse.

Our agentless, SaaS-based platform enables full control and visibility across any browser, app, or device with zero disruption to the user experience. 

Conclusion

With privacy concerns on the rise, and new zero-day vulnerabilities being exposed by the day, it’s imperative that organizations rethink secure browsing in a way that is consistent with today’s threat landscape. 

Web browsing isn’t confined to the web browser anymore. And with the number of browsing-enabled mobile and desktop applications on the rise, the world is in desperate need of a secure browsing solution that goes beyond the browser. 

Want to see Red Access in action? Start your free trial today.

By Dor Zvi, CEO & Co-Founder of Red Access