Comment by kanox
6 years ago
> > If there is an API to get information on you, your contacts, or your device... well, they're using it. For what it's worth I've reversed the Instagram, Facebook, Reddit, and Twitter apps. They don't collect anywhere near the same amount of data that TikTok does, and they sure as hell aren't outright trying to hide exactly whats being sent like TikTok is.
I find this unconvincing and reddit comments are not trustworthy at all.
Wouldn't data collection be limited by the mobile OS anyway? I actually have TikTok on my phone and it requested no special permissions, compared to most other apps which don't even let you view content without validating a phone number.
>Wouldn't data collection be limited by the mobile OS anyway
Maybe on iOS. But on Android of the ones that he listed, many can be retrieved without any permissions, such as
>* Phone hardware (cpu type, number of course, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)
>* Whether or not you're rooted/jailbroken
I also suspect that they can get some or all of the network information without any special permissions either.
>* Everything network-related (ip, local ip, router mac, your mac, wifi access point name)
As for "other apps you have installed", it looks like it's getting it through the "retrieve running apps" permission, although I'm not sure whether that shows up as a permission prompt or not.
> I find this unconvincing and reddit comments are not trustworthy at all.
You should probably read the original comment on reddit, not just my summary of it. I found it to be extremely detailed and technically convincing, even though it's still hard to determine the level of its trustworthiness.
The fact that his computer conveniently crashed and cannot backup his claims is pretty convincing?
Well since that edit of his was from 1 day ago, hopefully he does show the little proof he has remaining soon.
I am wary of his claims too.
1 reply →
https://penetrum.com/tiktok/Penetrum_TikTok_Security_Analysi...
That report could not distinguish between ISP and Cloud provider, also between Alibaba as an e-commerce and Aliyun as Cloud provider. The report also complained about possible SQL injection, but the database it accessed is a local SQlite database. Who cares if you inject your own database?
Seems fishy.