June 28, 2020

More on TikTok…

I found this on slashdot. If you don’t read slashdot, you are missing out. The comments have been known to make my coffee flow out of my nose. The original article was posted on reddit.

So I can personally weigh in on this. I reverse-engineered the app, and feel confident in stating that I have a very strong understanding for how the app operates (or at least operated as of a few months ago).

TikTok is a data collection service that is thinly-veiled as a social network. If there is an API to get information on you, your contacts, or your device… well, they’re using it. 

Phone hardware (cpu type, number of course, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)

Other apps you have installed (I’ve even seen some I’ve deleted show up in their analytics payload – maybe using as cached value?)

Everything network-related (ip, local ip, router mac, your mac, wifi access point name)

Whether or not you’re rooted/jailbroken

Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds – this is enabled by default if you ever location-tag a post IIRC

They set up a local proxy server on your device for “transcoding media”, but that can be abused very easily as it has zero authentication

If true, this is damning evidence.

Using Chinese applications can be dangerous. Android users have it worse than Apple users. Apple is actively working on security. They also care about it. In Android’s case, having a platform that is more open to do what you want on it may sound great. You also leave yourself wide open for security breaches.