Almost every month, it seems like there’s a new scandal or controversy swirling around TikTok. The latest controversy concerns a potential security flaw within the TikTok app that could enable TikTok to spy on users. Of course, TikTok denies it, and there’s been a lot of back-and-forth about the real vs. perceived risk posed by this feature. Maybe it’s being over-hyped, but one thing is for sure: there have been so many of these security flaws, loopholes and backdoors discovered over the years that it is almost impossible to conclude that TikTok is completely innocent.
Details of the new security flaw
The controversy started when a former Google and Twitter employee detailed a potential security flaw within the TikTok app. As described by the developer, clicking on any link within the TikTok app automatically launches an in-app browser rather than a standalone browser like Safari or Chrome. Apparently, once the in-app browser is activated, it becomes possible for TikTok to record all keystrokes made by a user. It would be tantamount to installing a keystroke logger on a third-party website.
According to the developer, this security flaw means that TikTok could spy on a user if it chose (or was told to by a third party in China). They could spy on passwords and usernames, and could record all keystrokes made by a user. And, even worse, they could relay all of this information and data to intelligence agencies in Communist China. And you wouldn’t even know it’s happening.
TikTok, for its part, says this feature has been completely blown out of proportion. For one, the company says, the app doesn’t record keystrokes or any sensitive information. Any information and data that it collects, it says, is purely for debugging or troubleshooting purposes: it’s all about making the performance of the app even better than it already is. TikTok says that the developer sharing details of the supposed security flaw online just makes it sound worse than it really is.
Should the onus be on users or on TikTok?
Some have suggested that users should have the power to disable in-app browsers, which have proven to be more of a security risk than third-party browsers. When signing into their smartphone devices, for example, users might be able to check a box that says, “Disable in-app browser,” the same way that they can now ask apps to please stop tracking them when they are not using the app.
This solution, if you want to call it that, seems to place the onus on the user and not on the tech company. It’s basically the same solution we got with browser cookies. Anytime we visit a website these days, we get hit with a barrage of pop-up screens, asking us if we want to accept cookies, and if we do, what kinds of cookies we’d like to enable. If you’re like most people, you just click “yes” so that you can read what you want to read and move on.
At the end of the day, we have to ask why the code is even there in the first place. We can give TikTok the benefit of the doubt (yet again) and assume that it is not being used for nefarious purposes. It may be there, as they say, just for debugging and troubleshooting purposes. But at some point, you have to ask: How many times does this have to occur before it is no longer just a coincidence?