With a simple piece of code, these applications can gain access to sensitive data, such as passwords, personal information or even banking information.
Applications such as TikTok, Instagram and even Facebook siphon off an amount of data that the ordinary user would sometimes find unimaginable. Engineer Felix Krause, who had looked into these practices at Meta, described a similar process on the Chinese application TikTok, in a blog post published on August 18.
When a user clicks on a link on TikTok, the application sends the request to an “in-house” browser, that is, one other than Google Chrome or Safari, for example. There, the application injects code to collect information related to the user.
This process is done by means of a “pixel”, a piece of code regularly used by digital platforms to “identify user preferences”, in other words, to track their every move. It is also used by Meta’s social networks.
All searches recorded
As soon as the user uses this system, all his searches are recorded, via the actions carried out on the keyboard. The application is then able to collect the searches carried out, but not only those: passwords, credit card codes and any other sensitive data can be collected too.
For example, creators and even artists on TikTok put a link to their online store on their profile. As soon as a user clicks on this link, he is redirected, through the application's “in-house” browser, to the store's website. There, the items the user views and any purchases he makes can be recorded by the application.
It doesn’t stop there: TikTok also has code to record other user actions, such as clicking on a link, using the “Like” buttons, sharing posts, etc.
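A site owner can observe this kind of listener registration from inside the page. The following is an added example, not code from Krause's post or from any of the applications; the names installListenerAudit and allow are hypothetical, and a plain EventTarget stands in for the page's document so that it also runs outside a browser.

```javascript
// Event types the article says the injected code records: keyboard input and clicks.
const WATCHED = new Set(["keydown", "keypress", "keyup", "input", "click"]);

// Hypothetical helper: wraps addEventListener so the page can log who subscribes
// to the watched events. Registrations made inside allow() are the site's own.
function installListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const findings = [];
  let trustedDepth = 0; // > 0 while the site's own code is registering listeners

  proto.addEventListener = function (type, listener, options) {
    if (WATCHED.has(type) && trustedDepth === 0) {
      findings.push({
        type,
        target: this && this.constructor ? this.constructor.name : "unknown",
        // Call stack at registration time, kept for triage.
        stack: String(new Error().stack || "").split("\n").slice(2, 5).map((s) => s.trim()),
      });
    }
    return original.call(this, type, listener, options);
  };

  return {
    findings,
    allow(fn) {
      trustedDepth++;
      try { return fn(); } finally { trustedDepth--; }
    },
    uninstall() { proto.addEventListener = original; },
  };
}

// Constructed scenario: one listener from the site, two from other code.
function demo() {
  const audit = installListenerAudit();
  const page = new EventTarget(); // stands in for `document`
  audit.allow(() => page.addEventListener("click", () => {})); // site's own handler
  page.addEventListener("keypress", () => {}); // not registered by the site: reported
  page.addEventListener("click", () => {});    // not registered by the site: reported
  page.addEventListener("scroll", () => {});   // not a watched type: ignored
  audit.uninstall();
  return audit.findings.map((f) => f.type);
}

console.log(demo());
```

The audit only sees listeners registered after it is installed and in the same JavaScript context as the page, so an empty findings list does not prove that nothing is listening.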
Same at Meta
Engineer Felix Krause had already denounced a similar process in Meta's social networks. On Instagram and Facebook, it is the same story: the code injected by the application leaves the user no room for discretion.
It should be noted, however, that TikTok offers the option of carrying out the search in another browser, such as Safari, from the iOS application, as one user pointed out.
This alternative seems preferable, in a context where the Chinese application is regularly scrutinized for its links with the Chinese Communist Party, to which it is suspected of sending the user data it collects.
Although the application has regularly denied engaging in such practices, its parent company maintains vague links with the government in power.
However, the engineer points out that despite the presence of this code, it is impossible to know the real extent of the data collection or the use made of it.
“The fact that an application injects code into external websites does not mean that it engages in malicious practices. There is no way for us to know the full details of these collections, or how the data is transferred and used. This publication is simply intended to show how this process works, and to detail the effects it could have,” says the engineer.
Other practices are safer
On the other hand, Krause highlights more “secure” applications, which do not engage in these practices that are sensitive for user privacy. This is notably the case of Twitter, YouTube and Telegram, for example.
In this list, the applications labeled “Default browser” switch the user to the browser he uses by default. These are iOS applications, so they can only be used on Apple products. The applications labeled “SFSafariViewController” switch to Safari, Apple’s browser.