TikTok Security: An Opinionated Explainer

There is a post on reddit was written by someone who claims they reverse-engineered the app that is, they set about deconstructing the app to see how its internal components function and interact with each other, with the rest of the phone, and with the servers that conform the service itself.

The app

These are the main points made by analysis of the app itself.

Phone hardware (cpu type, number of course, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)

The app will try to learn everything it can about the phone hardware itself, going from the big things like if it’s running on a phone or a tablet, who the manufacturer is, make and model; to the small, like how many megapixels the front camera is.

What you can do about it: Nothing. This is a function done by the app on its own.

Other apps you have installed (I’ve even seen some I’ve deleted show up in their analytics payload – maybe using as cached value?)

The app will check what else is installed on the device regardless whether it’s a competing social media app or not. This also applies to the clipboard (the function to copy and paste), as TikTok was caught red-handed accessing its contents. As users we use this function to copy/paste everything, from emojis to phone numbers to credit card numbers to social security numbers.

What you can do about it: Nothing. This is a function done by the app on its own.

Everything network-related (ip, local ip, router mac, your mac, wifi access point name)

The app will log:

  • The MAC addresses of all network interfaces on the device (cellular, wifi, bluetooth, nfc, etc). A MAC address is a unique hardware identifier for network hardware.
  • Whether those interfaces are connected to anything. If they are, the name and of the cellular network, wifi network, and MAC addresses of that hardware.
  • Then, if they are connected, the IP address used for that connection at both Local Area Network (LAN) and Wide Area Network (WAN).

Taken all together, TikTok will find out what kind of network the device lives in, what other devices are on it, how it moves within the LAN. This also means the WAN IP address revealed, allowing them to use GeoIP databases to try and determine the geographical location of a device.

What you can do about it: Nothing. This is a function done by the app on its own. You could limit the app’s network access but this requires deep expertise in networking and the operating system being used at the time.

Whether or not you’re rooted/jailbroken

Jailbreaking refers to “breaking out” of the limitations placed by Apple on iPhones and iPads to enable additional functions that were not available in either the hardware or the software. The same action in Android is referred to as [rooting]( Either one means you can do anything on the device and is a common goal of spyware/malware so they can operate with unfettered access and without the user knowing.

A common example in the past it was used to enable tethering when it was disabled by cellular carriers trying to force you to pay an extra charge to enable the function.

What you can do about it: You could limit what the app sees if you’re jailbroken/rooted, but requires deep expertise in the operating system.

Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds – this is enabled by default if you ever location-tag a post IIRC

As most smartphones and tables now have GPS, TikTok will check for the current GPS data as often as it can, enabling them to follow a device as it moves through a geographical area. Coupling this with the network data, they can determine with lots of accuracy where a device is. Both Google and Apple have this information but keep in mind they are the entities making the operating systems themselves. TikTok is just an app.

What you can do about it: Both Google and Apple let you limit if an app has access to GPS. Be aware TikTok will limit its own functionality if it cannot access GPS, though.

They set up a local proxy server on your device for “transcoding media”, but that can be abused very easily as it has zero authentication

TikTok sets up a special kind of server to help with converting videos from one format to another (transcoding) with a minimum of configuration on the part of the app developers or the users. The problem is that it doesn’t check whether anything connecting to that server is actually allowed to both connect and use the server (i.e. it doesn’t ask for a username or a password); this means other apps could potentially connect to that server and use or abuse its resources.

What you can do about it: Nothing. This is very much one of the core functions of the app itself since most device manufacturers have their own ways of saving video on a device and the app needs to be able to deal with all of them.

Potential for remote configurations

The scariest part of all of this is that much of the logging they’re doing is remotely configurable

Every time the app downloads an update they can change what information is logged, how often, where to send it, etc, and you as an user have no way to stop it.

What you can do about it: Nothing. This is a function done by the app on its own.

The people coding the app consciously obfuscate how the code works and what specific functions and tasks it performs.

and unless you reverse every single one of their native libraries (have fun reading all of that assembly, assuming you can get past their customized fork of OLLVM!!!) and manually inspect every single obfuscated function.

TikTok developers are purposely hiding how the app itself operates. You can determine this if you have the know-how and the experience to do it but you will not like the experience of it.

What you can do about it: Nothing.

The app will monitor its environment and change its behavior if it detects someone is trying to analyze it.

They have several different protections in place to prevent you from reversing or debugging the app as well. App behavior changes slightly if they know you’re trying to figure out what they’re doing.

TikTok will monitor the device and if it detects any attempt to analyze any of its internal functions and configuration it will try to change its own behavior to prevent that. Failing that it will try to present behavior that is deemed more acceptable to the person doing this work.

This is how the Volkswagen emissions scandal came to be:

  1. Cars were programmed at the factory to detect whether they were being tested for emissions at a laboratory or government facility.
  2. If they were, they would enable emissions control in order to be able to pass those tests.
  3. At any time they were not being tested, emissions control was reduced or disabled entirely, leading the vehicle to emit far more than the allowed legal limit of greenhouse gases.

TikTok is doing essentially the same but it’s all in software.

What you can do about it: Nothing. This is a function done by the app on its own.

File downloads without user interaction.

There’s also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary. There is zero reason a mobile app would need this functionality legitimately.

TikTok can download a file, extract its contents, then run its contents without needing user interaction or without having to be updated from the App Store or the Play Store. Both Apple and Google forbid this kind of functionality in any app.

What you can do about it: Nothing. This is a function done by the app on its own.

Lax security standards

On top of all of the above, they weren’t even using HTTPS for the longest time. They leaked users’ email addresses in their HTTP REST API, as well as their secondary emails used for password resets. Don’t forget about users’ real names and birthdays, too. It was allllll publicly viewable a few months ago if you MITM’d the application.

This is something that has been reported about TikTok in the past:

Basically, the TikTok devs won’t implement basic security standards to protect the user, the account, or any of the media the app stores and transmits. This allows intelligence agencies, corporations, anyone who cares to look, to surveil and hack users of the service.

What you can do about it: Nothing.

The Company

All of the previous points point to the one overarching theme of the app: it sucks up as much information as possible, then sends it to the servers that actually run the service (aka “the backend”). There are a of of shady practices on that side of things and the only people who know what’s going on are the people working for TikTok itself. Here are but a few examples:

The company is performing data collection on a level that far surpasses what Facebook, Twitter, Instagram, Snapchat, or most other social media companies have done so far. Only the Big Four (Microsoft, Apple, Google, Amazon) could obtain so much information but that’s because they control both the platforms their operating systems work with; if governments even thought they were doing what TikTok is doing they would face major fines, lawsuits, and antitrust enforcement.

The Combination of Both

When you add what the app does (again, suck up as much information about the user and their devices) with what the company is doing (actively avoiding answering questions of its practices) it all means one thing:

TikTok is combination spyware/malware with the backing of a corporation valued in billions of US dollars.

Most entities that write malware and spyware are:

  • A single person with technical knowledge, like the person who created the ILOVEYOU virus.
  • Nation-states and their various intelligence agencies using software vulnerabilities like BlueKeep or creating their own malware like Stuxnet
  • Organized crime, like the creators of the Conficker worm.

Having a corporation create this kind of software and for users to willingly install that software is something new. I am also leaving out all the advertising practices of the company, as that is how TikTok entices companies to buy into the platform.

What is there to do, then?

It amounts to

  • If you have not installed the app, do not install the app on any device you own.
  • If you have installed the app, remove it immediately from any and all devices you own.
  • Don’t let friends and family use the app, and push for them to remove it if they have used it.

In which reddit explains how a cab does business

I actually drove a cab for two years and I think I know what the problem might be.

Comment posted in the thread What company has forever lost your business? Why? and includes a nice list of companies that do not deserve your business:

  • Nestle – Exploitative business practices across the world – including child labor.
  • Walmart – The douchebags of Corporate America.
  • Ticketmaster – Practically monopolized ticket sales in the US.
  • AT&T – Bad service along with bad customer service.
  • Avis – Bad service along with bad customer service.
  • Time Warner – Bad service along with bad customer service.
  • Entertainment Arts – General assholery in the gaming industry.
  • Urban Outfitters – Support of homophobic organizations and media plagiarism.
  • Papa Johns – Actively dodging Obamacare.
  • BP – Business practices which led to the Deepwater Horizon spill haven’t changed.
  • American Airlines – Bad service along with bad customer service.

In which reddit teaches you of confidence

Gaining confidence is catch 22; you’re not confident because good stuff doesn’t happen to you, and good stuff doesn’t happen to you because you’re not confident.

So here’s the key: Pretend to be confident, act confident even when you don’t feel it. Don’t be a scumbag but hold your head up high. Force yourself to talk to people even when you’d rather not. Pretty soon all that good stuff that those confident guys get – that’s coming your way. That will boost your esteem and make you more confident in yourself naturally; suddenly you don’t have to pretend anymore.

Men of reddit, what is a man secret that you think every man should know? : AskReddit.

Of immigration and race

In a way, this reminds me of the immigration situation in America with Mexicans marching, protesting America’s immigration laws. But what they don’t want to ever talk about is Mexico’s immigration laws and how they treat their illegal immigrants. In Mexico, being an illegal is a felony and hiring an illegal is a felony. Also, in Mexico, the law states that if you have a choice, you should always hire the natural born Mexican before the foreigner, even if they aren’t illegal

Mexico also has an illegal immigration problem with other Central American countries, but they way they treat their illegals, which are the same “race” of people is magnitudes worse than the treatment they themselves receive in the U.S.

OP’s post sort of reminds me of this, in the way that everyone is so busy criticizing the great evil that they don’t even look at how they are treating the people themselves. Arabs treat the Palestinians badly similarly to (but on a much greater scale) to how Mexico treats its Latino illegal immigrants.

nitesmoke comments on IAmA a Palestinian refugee from Lebanon and I wish the Arab world gets as little as 10% of the criticism Israel gets for treating Palestinians. AMA..

So true. The original IAmA article is plenty interesting too.

Clear and to the point

Because FM is a newer and better technology:

Imagine the radio waves are light. AM transmits by changing the brightness of a light (Amplitude Modulation), FM transmits by changing the colour of the light (Frequency Modulation).

If you have a clear view of both lights then they both sound good, but imagine if you’re driving and trees get in the way of the light beam. You can still see the light through the leaves, but not as well.

With AM the brightness of the light keeps changing as leaves block it so the volume keeps going up and down. With FM it doesn’t matter how bright the light is because you only care about the colour, which doesn’t change.

The reason you still have AM as well as FM because AM is much cheaper to broadcast and the signals travel further.

brainflakes comments on ELI5: Why does f.m. radio sound pretty good and a.m. sound like it’s coming to us live from the 1920s?.

This is the best explanation I’ve ever read about the difference between AM and FM.

Gone Streisand

God damn it internet, why is /r/popping a thing

EDIT: You all keep replying to this and it keeps bringing me back here.

What the hell is wrong with you people.

EDIT 2: You’re all monsters.

EDIT 3: Oh my god if you assholes make this my top voted comment, i’ll never stop looking at it what the fuck. Reddit. Stahp.

EDIT 4: And the descriptive disgusting comments aren’t helping jesus christ.

ohsnapkins comments on Guy posts his infected pimple on /r/popping, gets told to see a doctor ASAP and ends up needing 3 days in hospital to treat for MRSA (Methicillin-resistant Staphylococcus aureus).

Anoche me puse a buscar gente en Facebook… : mexico

En el trabajo se corrió el chisme de que una persona que laboraba aquí fue detenida por homicidio y por puro morbo (lo acepto) me puse a buscarlo en el Facebook. Después de curiosear un rato me puse a hacer lo mismo pero con nombres tomados de la nota roja de diversos diarios.

Finalmente llegué a un blog muy conocido por presentar noticias del narco y así es, hice lo mismo con los detenidos, sicarios y halcones “caídos” en enfrentamientos con el ejército.

Del morbo ocioso pasé a la reflexión. Al leer los perfiles de estas personas, muchos de ellos chavos y chavas (algunos NINIs) no deja de sentirse un ambiente de tristeza. Ves una parte de la historia de su vida registrada en su FB; desde que dejan de trabajar/estudiar, las conversaciones con sus amigos, las típicas fotos de FB, fotos con sus amigos en la escuela o fiestas, sus canciones favoritas.

Luego llega el instante en que simplemente dejan de publicar en FB, están solo las publicaciones de sus amigos, algunos mensajes preguntándose donde están y por qué no han sabido de ellos.

En algunos hay mensajes post-mortem: condolencias de sus amigos, mensajes de impotencia, de dolor.

¿Se lo buscaron? tal vez si. No es mi intención hacer una apología de sus actos, solo quiero relatar como por una noche me involucré en sus vidas y vi quienes eran antes de volverse una imagen gore y tener como epitafio las babosadas de los comentaristas.

(Via reddit).