Facebook and Twitter are often held up as the worst offenders when it comes to harvesting users' sensitive data, yet compared with the fast-growing social network TikTok they still look like safe havens for user data. That is the view of a senior software engineer with 15 years of experience.
Two months ago, a Reddit user going by Bangorlol claimed to have reverse-engineered TikTok, which let him examine the app's inner workings in depth. Citing the app's indiscriminate tracking of users, among many other issues, he recommended that users never install it.

Here are his discoveries.
“I have reverse-engineered this application and feel confident in saying that I understand how it works (or at least how it worked a few months ago). TikTok is a data collection service disguised as a social network. If there is any API to fetch information about you, your contacts, or your device… it will be used.
Phone hardware (CPU type, number of cores, hardware ID, screen size, pixel density, memory usage, storage, etc.). The apps installed on the phone (I even saw some deleted apps appear in their app analytics payload – perhaps taken from cached values). Everything network-related (IP address, router MAC address, device MAC, wifi name) is collected.
The information TikTok collects does not depend on whether your device is rooted or jailbroken.
Some versions of the app even poll GPS periodically, about every 30 seconds – this is enabled by default if you have ever tagged a location in a post. They also set up a proxy server right on your device to “transcode multimedia,” but it can easily be abused because it has almost no authentication.

The most frightening part of all this is that much of this logging is configured remotely, and unless you reverse-engineer every one of their native libraries and manually inspect each of their obfuscated functions.
Moreover, they haven't even been using HTTPS for a long time. They leaked users' email addresses in their HTTP REST API, as well as the secondary email addresses users set for password resets, not to mention users' real names and birth dates. All of this was publicly disclosed months ago.
Meanwhile, they have multiple layers of protection to stop you from reverse-engineering the app. The app's behavior changes slightly if it detects that you are trying to find out what it is doing.
It seems they don't want you to know how much information they are collecting about you, nor how poor their data security practices are. They encrypt all analytics requests with an algorithm that can change with each update, to obscure what they are doing.”…

“I have reverse-engineered Instagram, Facebook, Reddit, and Twitter. The amount of data they collect cannot compare to what TikTok does, and they certainly are not actively trying to hide exactly what is being sent, as TikTok does. (Those applications next to TikTok) are like a cup of water next to the ocean – there is no comparison.”
His closing words: “I am just a nerd who wants to understand how the app works. To call TikTok an advertising platform is an understatement. Essentially, TikTok is malware aimed at children. Do not use TikTok. Also, do not let your friends and family use it.”
Bangorlol's advice comes at a timely moment. Statistics show that in 2019 TikTok was the fourth most downloaded free app on iPhone, and the app's revenue has grown in step with its popularity. According to a Bloomberg report, ByteDance, the company that owns TikTok, made a net profit of $3 billion last year.
Beyond Bangorlol's findings, Apple's recent iOS 14 update also exposed privacy-invasive behavior: its new clipboard-access notification repeatedly warned users that TikTok was reading the device's clipboard. After Apple announced iOS 14, TikTok said it would stop accessing the clipboard.
Source: BoredPanda