Comment by krn
6 years ago
A reddit user, who claims to have reverse-engineered the TikTok app[1], concluded:
> TikTok is a data collection service that is thinly-veiled as a social network. If there is an API to get information on you, your contacts, or your device... well, they're using it.
> For what it's worth I've reversed the Instagram, Facebook, Reddit, and Twitter apps. They don't collect anywhere near the same amount of data that TikTok does, and they sure as hell aren't outright trying to hide exactly what's being sent like TikTok is.
It doesn't seem surprising now, given that Zoom, which is also being developed in China, acts like a malware application, too[2].
I'm glad that India is more aware of the possible consequences of using any software made in China than, for instance, the government of the UK is[3].
I didn't realize Zoom was mostly developed in China! That seems bad.
> “Our product development team is largely based in China, where personnel costs are less expensive than in many other jurisdictions,” Zoom wrote in a regulatory filing.
https://www.cnbc.com/2019/03/26/zoom-key-profit-driver-ahead...
Why?
China has a history of data snooping to support its totalitarian goals. Software and development that comes out of there should be considered to come with elevated risk. Some companies work with this by ensuring that China-only data is served from within China. If there is no audit of code pushed from China and run in the US, I'd be suspicious that no backdoors or anything else have been introduced by coercion from the state. Perhaps I'm just paranoid, but just because you are not paranoid, it doesn't mean they are not after you.
About that reddit comment: when pressed for evidence, it turns out that guy's own research is conveniently "lost" because of a motherboard failure. And someone in the comments pointed out that most of the things he found suspicious about TikTok are actually regularly employed by apps like FB, Twitter, etc.
I'm not taking sides and I don't have the technical expertise to judge everything said there. It's just that I'd be much more comfortable if all of those "evidences" came from a more trusted source & not a reddit comment from god-knows-who.
Honestly, as someone who doesn't belong to China/USA/India and is genuinely curious about this, I'm tired of seeing all this "but but communist evil" and not much in the way of actual evidence.
> "but but communist evil"
No one said that. The CCP is not even communism.
Chinese apps collect a fucking lot of data, and Indian people innocently use those shit apps like ShareIt because of inertia and maybe network effects. If you want to share a movie / song or something with an ordinary Indian citizen, you'd have needed ShareIt, which is a piece of shit. Technical ones among us use Google Files or something like that, but I have so far refused to use ShareIt because it is such shady adware. Note that most Indians don't have a laptop / PC, and USB pendrives aren't ubiquitous.
Now that there is some friction between China and India, and given the nature of Chinese governance, these apps are a threat to national security.
Ideally they could have banned PUBG also; the shit is ruining many lives.
I don’t think it has anything to do with communism. The CCP is not communist except by name.
> > If there is an API to get information on you, your contacts, or your device... well, they're using it. For what it's worth I've reversed the Instagram, Facebook, Reddit, and Twitter apps. They don't collect anywhere near the same amount of data that TikTok does, and they sure as hell aren't outright trying to hide exactly what's being sent like TikTok is.
I find this unconvincing and reddit comments are not trustworthy at all.
Wouldn't data collection be limited by the mobile OS anyway? I actually have TikTok on my phone and it requested no special permissions, compared to most other apps which don't even let you view content without validating a phone number.
> Wouldn't data collection be limited by the mobile OS anyway?
Maybe on iOS. But on Android, of the ones that he listed, many can be retrieved without any permissions, such as:
> * Phone hardware (cpu type, number of cores, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)
> * Whether or not you're rooted/jailbroken
I also suspect that they can get some or all of the network information without any special permissions either.
> * Everything network-related (ip, local ip, router mac, your mac, wifi access point name)
As for "other apps you have installed", it looks like it's getting it through the "retrieve running apps" permission, although I'm not sure whether that shows up as a permission prompt or not.
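The comment above turns on which of the listed data categories need a declared Android permission, which are granted silently at install time, and which need no permission at all. The following is an added example, not code from the thread or from any of the apps discussed: a small manifest triage script that parses a constructed AndroidManifest.xml, sorts the declared permissions into "user is prompted" versus "granted with no prompt", and lists the data that is reachable even without any permission. The permission names are real Android ones; the sample manifest and the custom permission `com.example.hypothetical.CUSTOM_PERMISSION` are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that trigger a user prompt on Android 6.0+ ("dangerous" protection level).
PROMPTED = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
}

# Granted at install time with no prompt ("normal" protection level), yet each one
# widens what the app can read without the user ever being asked.
SILENT = {
    "android.permission.INTERNET": "network access",
    "android.permission.ACCESS_NETWORK_STATE": "connectivity state",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi state (SSID/BSSID on older releases)",
    "android.permission.GET_TASKS": "running apps (the 'retrieve running apps' permission, deprecated since API 21)",
    "android.permission.QUERY_ALL_PACKAGES": "full list of installed packages (API 30+)",
}

# Data readable with no permission declared at all (summary of the thread's point, assumed here).
ALWAYS_AVAILABLE = [
    "device model, CPU/ABI, screen size and DPI, memory and disk totals",
    "root/jailbreak indicators (build tags, presence of su binaries)",
]

# Constructed sample manifest; not taken from any real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="com.example.hypothetical.CUSTOM_PERMISSION"/>
    <application android:label="Hypothetical"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> element in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    ]


def triage(manifest_xml: str) -> dict:
    """Bucket declared permissions by whether the user is ever asked, and list
    the data an app of this shape can read with no prompt at all."""
    perms = declared_permissions(manifest_xml)
    prompted = sorted(p for p in perms if p in PROMPTED)
    silent = sorted(p for p in perms if p in SILENT)
    unknown = sorted(p for p in perms if p not in PROMPTED and p not in SILENT)
    return {
        "prompted": prompted,
        "silent": silent,
        "unknown": unknown,  # vendor/custom permissions: review by hand
        "always_available": list(ALWAYS_AVAILABLE),
        # Everything reachable without the user ever seeing a dialog.
        "prompt_free_reach": [SILENT[p] for p in silent] + list(ALWAYS_AVAILABLE),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    for bucket, items in report.items():
        print(f"{bucket}:")
        for item in items:
            print(f"  - {item}")
```

The useful output is the `prompt_free_reach` list: it shows that a manifest with only "normal" permissions plus a camera prompt still reaches network state, the running-app list and the whole hardware fingerprint without a single dialog, which is the gap the "no special permissions" argument misses.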
> I find this unconvincing and reddit comments are not trustworthy at all.
You should probably read the original comment on reddit, not just my summary of it. I found it to be extremely detailed and technically convincing, even though it's still hard to determine the level of its trustworthiness.
The fact that his computer conveniently crashed and cannot back up his claims is pretty convincing?
https://penetrum.com/tiktok/Penetrum_TikTok_Security_Analysi...
That report could not distinguish between ISP and cloud provider, or between Alibaba as an e-commerce company and Aliyun as a cloud provider. The report also complained about possible SQL injection, but the database it accessed is a local SQLite database. Who cares if you inject your own database?
Seems fishy.
> There's also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary.
If these claims are true, a remote state actor can now take over 40% of young Americans' phones.
Imagine if they decided to shut off everyone's ability to communicate. That would be an incredible capability to possess in the event that they wanted to launch an attack or distract us. (I'm not saying that they would, but that we should be wary of the possibility.)
This is incredibly dangerous.
Furthermore, this does not seem like an accident in TikTok's design. This app is very well put together. Given the expertise involved, I can't see this as an "oops, we didn't know" oversight with respect to either alternative design choices or platform rules. It feels very deliberate.
Google should ban this app immediately for breaking the terms, and US legislators should make a law prohibiting it outright.
We have to do some more due diligence to make sure these claims are valid, but if they do turn out to be true, then we have some very serious issues to consider.
This is one of the few instances where I'll admit that I wish Facebook or Twitter had an answer for this.
Twitter did have an answer to this. It was called Vine and was very popular before they shut it down.
The MOST SCARY stuff for me is apps that ask for your photo album permissions (so they can save to it, or upload a picture). This permission basically gives them access to ALL your photos, including your dick pics, even when the app is in the background.
The "openness" of the west is being blatantly exploited, and yet for some reason people are still hesitant to call it out for what it is. Almost every significant US internet company is totally blocked in China. Until the US completely blocks WeChat, TikTok, Zoom and so on, China will continue to have a major geopolitical advantage.
> The scariest part of all of this is that much of the logging they're doing is remotely configurable
How is this scary at all - much less the "scariest part"? The vast majority of the bullet points also seem standard and not worth paying attention to. I also read the Penetrum paper he linked which was similarly unconvincing.
How long will it take China to rebrand these apps under a different name?
> TikTok is a data collection service that is thinly-veiled as a social network. If there is an API to get information on you, your contacts, or your device... well, they're using it.
They might as well be describing Facebook or Google. They are data harvesting services - first and foremost. The actual applications are only the bait, yet since they're owned by the country that makes those great movies and TV series, somehow they aren't as bad.