And as if all this wasn’t concerning enough, Krause wrote that these apps have the capacity to hide their JavaScript using an already established iOS tool, namely WKContentWorld, which isolates an app’s injected JavaScript so that websites can’t interfere with it. If any of these companies wanted to hide their activity from websites or the researcher’s tools, they could, and pretty easily at that.


“Tech companies that still use custom in-app browsers will very quickly update to use the new WKContentWorld isolated JavaScript system, so their code becomes undetectable to us,” Krause wrote in his blog post.

Apple did not immediately respond to Gizmodo’s request for comment on whether it would change any of its iOS features to restrict apps from including keylogging scripts or otherwise stop apps from hiding the fact that they were running such code.


TikTok has already taken massive amounts of heat from proponents of internet privacy and from lawmakers on both sides of the aisle (though, as you can expect, it’s for different reasons) after reports alleged TikTok staff were aware that U.S. data was being collected by Chinese government officials. A recent report from Gizmodo based on internal documents showed TikTok has been working overtime to downplay their new identity as the company that offers up user data to the giant data-collecting maw that is Beijing. Lawmakers on Capitol Hill could be on the verge of passing a massive data privacy law, but some are skeptical it will pass before deadlines close in.

“In the future we’re going to see privacy legislation and more auditing legislation to verify this,” Lightman said. “Within a verified platform, if they’re doing it for economic reasons, they have to stipulate that, if they’re doing it for user experience, that’s fine too. It’s being opaque with the rationality that gets people to say ‘wait a minute…’ You have to be open with what your plans are.”