TikTok’s Shady Practices
About 3 months ago, in the comment section of a Reddit discussion about TikTok, Reddit user ‘bangorlol’ claimed to have successfully reverse-engineered TikTok. Reverse engineering an app is very complicated. App developers go to great lengths to make sure their app can’t be reverse-engineered and actively fight against it, since it may affect the privacy of their users. Most social media platforms have gone through a privacy breach or security scandal at least once, and this time TikTok has joined the list.
Bangorlol advised users against using the app and encouraged them to get friends and family to stop using TikTok as well. He claims to have successfully reverse-engineered the app and found some concerning security and privacy issues in it. Bangorlol describes TikTok as a “data collection service that is thinly-veiled as a social network”. He also said that if there was an API to get information on users, their contacts, or their devices, TikTok was using it. The information TikTok can ‘supposedly’ obtain includes:
- IP, local IP, router MAC address, Wi-Fi access point name, and other network-related information.
- Phone hardware (CPU type, CPU count, hardware IDs, screen dimensions, DPI, memory usage, disk space, etc.)
- Apps you’ve installed on your device other than TikTok.
- Whether or not your device is jailbroken/rooted
- Your clipboard data
Now, most of this is information that wouldn’t necessarily be hard to dig up on anybody, because most programs you use on your device will know this information as soon as you fire them up.
The fact that TikTok can supposedly get information on which other apps are installed on your device is a little odd, but not outright malicious. He further states: “some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds – this is enabled by default if you ever location-tag a post”. This is something that should weird out some people. Unless an app really requires your location, do not grant it location access.
As he further states: “The scariest part of all of this is that much of the logging they’re doing is remotely configurable and unless you reverse every single one of their native libraries (have fun reading all of that assembly, assuming you can get past their customized fork of OLLVM) and manually inspect every single obfuscated function. They have several different protections in place to prevent you from reversing or debugging the app as well. App behavior changes slightly if they know you’re trying to figure out what they’re doing. There’s also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary.” This is very concerning, especially for Android users, as downloading a zip file from a remote server and executing the binary inside it is very suspicious. He also explains that TikTok was not using HTTPS for the longest time, which may have leaked user emails and other unencrypted information. If this is true, then TikTok is not only a data-mining app but also a weapon for corporate warfare.
In today’s day and age, we can’t doubt that most tech companies are pulling things like this off. All of that being said, you should be well aware of it.
The full discussion is available on Reddit.