Month: June 2020

TikTok Security: An Opinionated Explainer

There is a post on reddit was written by someone who claims they reverse-engineered the app that is, they set about deconstructing the app to see how its internal components function and interact with each other, with the rest of the phone, and with the servers that conform the service itself.

The app

These are the main points made by analysis of the app itself.

Phone hardware (cpu type, number of course, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)

The app will try to learn everything it can about the phone hardware itself, going from the big things like if it’s running on a phone or a tablet, who the manufacturer is, make and model; to the small, like how many megapixels the front camera is.

What you can do about it: Nothing. This is a function done by the app on its own.

Other apps you have installed (I’ve even seen some I’ve deleted show up in their analytics payload – maybe using as cached value?)

The app will check what else is installed on the device regardless whether it’s a competing social media app or not. This also applies to the clipboard (the function to copy and paste), as TikTok was caught red-handed accessing its contents. As users we use this function to copy/paste everything, from emojis to phone numbers to credit card numbers to social security numbers.

What you can do about it: Nothing. This is a function done by the app on its own.

Everything network-related (ip, local ip, router mac, your mac, wifi access point name)

The app will log:

  • The MAC addresses of all network interfaces on the device (cellular, wifi, bluetooth, nfc, etc). A MAC address is a unique hardware identifier for network hardware.
  • Whether those interfaces are connected to anything. If they are, the name and of the cellular network, wifi network, and MAC addresses of that hardware.
  • Then, if they are connected, the IP address used for that connection at both Local Area Network (LAN) and Wide Area Network (WAN).

Taken all together, TikTok will find out what kind of network the device lives in, what other devices are on it, how it moves within the LAN. This also means the WAN IP address revealed, allowing them to use GeoIP databases to try and determine the geographical location of a device.

What you can do about it: Nothing. This is a function done by the app on its own. You could limit the app’s network access but this requires deep expertise in networking and the operating system being used at the time.

Whether or not you’re rooted/jailbroken

Jailbreaking refers to “breaking out” of the limitations placed by Apple on iPhones and iPads to enable additional functions that were not available in either the hardware or the software. The same action in Android is referred to as [rooting](https://en.wikipedia.org/wiki/Rooting_(Android). Either one means you can do anything on the device and is a common goal of spyware/malware so they can operate with unfettered access and without the user knowing.

A common example in the past it was used to enable tethering when it was disabled by cellular carriers trying to force you to pay an extra charge to enable the function.

What you can do about it: You could limit what the app sees if you’re jailbroken/rooted, but requires deep expertise in the operating system.

Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds – this is enabled by default if you ever location-tag a post IIRC

As most smartphones and tables now have GPS, TikTok will check for the current GPS data as often as it can, enabling them to follow a device as it moves through a geographical area. Coupling this with the network data, they can determine with lots of accuracy where a device is. Both Google and Apple have this information but keep in mind they are the entities making the operating systems themselves. TikTok is just an app.

What you can do about it: Both Google and Apple let you limit if an app has access to GPS. Be aware TikTok will limit its own functionality if it cannot access GPS, though.

They set up a local proxy server on your device for “transcoding media”, but that can be abused very easily as it has zero authentication

TikTok sets up a special kind of server to help with converting videos from one format to another (transcoding) with a minimum of configuration on the part of the app developers or the users. The problem is that it doesn’t check whether anything connecting to that server is actually allowed to both connect and use the server (i.e. it doesn’t ask for a username or a password); this means other apps could potentially connect to that server and use or abuse its resources.

What you can do about it: Nothing. This is very much one of the core functions of the app itself since most device manufacturers have their own ways of saving video on a device and the app needs to be able to deal with all of them.

Potential for remote configurations

The scariest part of all of this is that much of the logging they’re doing is remotely configurable

Every time the app downloads an update they can change what information is logged, how often, where to send it, etc, and you as an user have no way to stop it.

What you can do about it: Nothing. This is a function done by the app on its own.

The people coding the app consciously obfuscate how the code works and what specific functions and tasks it performs.

and unless you reverse every single one of their native libraries (have fun reading all of that assembly, assuming you can get past their customized fork of OLLVM!!!) and manually inspect every single obfuscated function.

TikTok developers are purposely hiding how the app itself operates. You can determine this if you have the know-how and the experience to do it but you will not like the experience of it.

What you can do about it: Nothing.

The app will monitor its environment and change its behavior if it detects someone is trying to analyze it.

They have several different protections in place to prevent you from reversing or debugging the app as well. App behavior changes slightly if they know you’re trying to figure out what they’re doing.

TikTok will monitor the device and if it detects any attempt to analyze any of its internal functions and configuration it will try to change its own behavior to prevent that. Failing that it will try to present behavior that is deemed more acceptable to the person doing this work.

This is how the Volkswagen emissions scandal came to be:

  1. Cars were programmed at the factory to detect whether they were being tested for emissions at a laboratory or government facility.
  2. If they were, they would enable emissions control in order to be able to pass those tests.
  3. At any time they were not being tested, emissions control was reduced or disabled entirely, leading the vehicle to emit far more than the allowed legal limit of greenhouse gases.

TikTok is doing essentially the same but it’s all in software.

What you can do about it: Nothing. This is a function done by the app on its own.

File downloads without user interaction.

There’s also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary. There is zero reason a mobile app would need this functionality legitimately.

TikTok can download a file, extract its contents, then run its contents without needing user interaction or without having to be updated from the App Store or the Play Store. Both Apple and Google forbid this kind of functionality in any app.

What you can do about it: Nothing. This is a function done by the app on its own.

Lax security standards

On top of all of the above, they weren’t even using HTTPS for the longest time. They leaked users’ email addresses in their HTTP REST API, as well as their secondary emails used for password resets. Don’t forget about users’ real names and birthdays, too. It was allllll publicly viewable a few months ago if you MITM’d the application.

This is something that has been reported about TikTok in the past:

Basically, the TikTok devs won’t implement basic security standards to protect the user, the account, or any of the media the app stores and transmits. This allows intelligence agencies, corporations, anyone who cares to look, to surveil and hack users of the service.

What you can do about it: Nothing.

The Company

All of the previous points point to the one overarching theme of the app: it sucks up as much information as possible, then sends it to the servers that actually run the service (aka “the backend”). There are a of of shady practices on that side of things and the only people who know what’s going on are the people working for TikTok itself. Here are but a few examples:

The company is performing data collection on a level that far surpasses what Facebook, Twitter, Instagram, Snapchat, or most other social media companies have done so far. Only the Big Four (Microsoft, Apple, Google, Amazon) could obtain so much information but that’s because they control both the platforms their operating systems work with; if governments even thought they were doing what TikTok is doing they would face major fines, lawsuits, and antitrust enforcement.

The Combination of Both

When you add what the app does (again, suck up as much information about the user and their devices) with what the company is doing (actively avoiding answering questions of its practices) it all means one thing:

TikTok is combination spyware/malware with the backing of a corporation valued in billions of US dollars.

Most entities that write malware and spyware are:

  • A single person with technical knowledge, like the person who created the ILOVEYOU virus.
  • Nation-states and their various intelligence agencies using software vulnerabilities like BlueKeep or creating their own malware like Stuxnet
  • Organized crime, like the creators of the Conficker worm.

Having a corporation create this kind of software and for users to willingly install that software is something new. I am also leaving out all the advertising practices of the company, as that is how TikTok entices companies to buy into the platform.

What is there to do, then?

It amounts to

  • If you have not installed the app, do not install the app on any device you own.
  • If you have installed the app, remove it immediately from any and all devices you own.
  • Don’t let friends and family use the app, and push for them to remove it if they have used it.

Such drama

        <a href="https://www.flickr.com/people/nullrend/">nullrend</a> posted a photo:
Such drama

You’re a Graph Point

These terms distinguish operating systems by the problems they solve for the user. However, a disturbing trend is emerging in which the user is not the party whose problems are being solved, and perhaps this calls for a new term. I propose “vendor-purpose operating system”.

Source: General-purpose OS, special-purpose OS, and now: vendor-purpose OS | Drew DeVault’s Blog

In this instance, you’re not even the vendor’s _user_, that title goes to whomever the vendor is selling to, i.e. the client who is using the OS at scale.

You’re now a byproduct. You’re just something for the vendor to brag about on quarterly meetings with Wall Street.

Nice

Pretty sure this is the longest I’ve been able to keep a server alive without having to reboot for whatever reason.

FTP now has a new meaning.

Black Lives Matter

Organize, provide mutual aid, help out with street cleanup.

Abolish the police.

In their current form, they’re a tool of oppression.

Defund the police.

Don’t want to go the full mile? I’ll meet you at the 900 yard marker. Them pigs do not need hand-me-down military weaponry.

Fuck The Police