“What if I told you that TikTok harvests an excessive amount of data and that this can all be proven right now? In this whitepaper, we here at Penetrum are going to prove that there’s an excessive amount of data harvesting, some vulnerabilities in TikTok’s code, as well as a few things that may make you feel pretty uncomfortable. Buckle up folks, it’s about to get pretty wild.”Penetrum security company
Overnight there have been calls for the social media platform TikTok to be banned in Australia. So is it all the usual anti-Chinese bluster from the rags well known for skewing any semblance truth and publishing Rupert’s spin on it? It seems that there is more to this story than just anti-Chinese sentiment.
TikTok has already been in the news lately with it being found to be constantly monitoring iOS clipboards (something it was not alone in doing, but it was still doing it) and then found itself swept up in the app banning by India. The ban by India on TikTok in their country is set to cost TikTok US$6 billion but in response TikTok CEO Kevin Mayer has said that:
I can confirm that the Chinese government has never made a request to us for the TikTok data of Indian users. If we do receive such a request in the future we would not comply.
Although the data TikTok harvests is stored in Singapore many still don’t trust them not being forced into giving it over to the Chinese government — much in the same way the governments argue for Huawei bans, with little to no evidence of cooperation with the Chinese government.
Okay so TikTok is grabbing the contents of my clipboard every 1-3 keystrokes. iOS 14 is snitching on it with the new paste notification pic.twitter.com/OSXP43t5SZ
— Jeremy Burge (@jeremyburge) June 24, 2020
For those who want evidence of TikTok’s harvesting of users’ data (and we all should before jumping to any conclusions) the closest we have come to it so far is some reverse engineering by a user on Reddit. The user, bangorlol, made their original comment on a video posted a couple of months ago.
Bangorlol states that the “logging they’re doing is remotely configurable” and have:
Several different protections in place to prevent you from reversing or debugging the app as well. App behavior changes slightly if they know you’re trying to figure out what they’re doing. There’s also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary. There is zero reason a mobile app would need this functionality legitimately.
This is still not evidence of them doing wrong but more doing what Facebook already do and taking it a step further, either for nefarious means or to learn more about users’ behaviours to enhance their app’s “virality”. Bangorlol also found that TikTok do their very best to hide the information they are collecting by encrypting all “analytics requests with an algorithm that changes with every update (at the very least the keys change) just so you can’t see what they’re doing”.
TikTok put a lot of effort into preventing people like me from figuring out how their app works. There’s a ton of obfuscation involved at all levels of the application, from your standard Android variable renaming grossness to them (bytedance) forking and customizing ollvm for their native stuff. They hide functions, prevent debuggers from attaching, and employ quite a few sneaky tricks to make things difficult. Honestly, it’s more complicated and annoying than most games I’ve targeted.Banorlol via Bored Panda
Of course many of us will say but surely Facebook, Instagram, Reddit, Twitter etc all do exactly the same thing but Bangorlol has an answer for that too:
For what it’s worth I’ve reversed the Instagram, Facebook, Reddit, and Twitter apps. They don’t collect anywhere near the same amount of data that TikTok does, and they sure as hell aren’t outright trying to hide exactly whats being sent like TikTok is. It’s like comparing a cup of water to the ocean – they just don’t compare.
He has opened up his research for all security researchers and has also posted links to well known security researcher Penetrum and their results from their own research — grab the whitepaper here (be warned though it is long so settle in). Although we are sceptical of anything coming from a US-based company when we are unsure of its ties to their government or the right wing anti-Chinese hawks their conclusion is unsettling:
After extensive research, we have found that not only is TikTok a massive security flaw waiting to happen, but the ties that they have to Chinese parties and Chinese ISP’s make it a very vulnerable source of data that still has more to be investigated. Data harvesting, tracking, fingerprinting, and user information occurs throughout the entire application. As a US company, we feel that it is our responsibility to raise awareness of this extensive data harvesting to TikTok’s 1 billion users.
The question remains though, even though they collect a vast array of data, how is it different to Facebook etc and how they may be beholden to the US government? The research above shows that TikTok harvest much more data on each user than Facebook (considered the worst of all social media apps) and now with collective hacker group who seemingly are beholden to no one, Anonymous, calling for users to delete TikTok now may be the time to do just that.
Delete TikTok now; if you know someone that is using it explain to them it is essentially malware operated by the Chinese government running a massive spying operation. https://t.co/J7N9FS7PvG
— Anonymous (@YourAnonCentral) July 1, 2020
With Anonymous now campaigning against TikTok it is a strange world indeed where many western governments’ message now aligns with that of Anonymous. It is possible, and likely, that TikTok now faces annihilation by western governments. The research into TikTok continues though as researchers hunt for more issues with more recent versions of the app.
The evidence is seemingly there that they are hoovering up a vast amount of data on their users but there is no conclusive evidence at this stage that they are sharing it with the Chinese government. Although there are “ties” to Chinese parties and Chinese ISP’s it does not mean they are sharing the information with the government.
Many businesses in China have Chinese officials involved either as investors or chairpersons on their boards. The company itself is also Chinese itself so you would expect Chinese ISP’s to be involved when data is fed back to their engineers.
Like the Huawei situation there is no proof but even if there is no proof of cooperation with the Chinese government the sheer levels of knowledge they are gathering on their users will have most western governments spooked. We have seen them act on Huawei in recent times so it seems likely that they will act on TikTok too, especially if TikTok do not overhaul their entire data collection process and strategy.
Where will it stop? Will we see all popular Chinese apps banned (such as what India did when they banned 59 different Chinese apps) due to the possible cooperation with their government? Let’s hope cooler heads prevail in all of this. The kids love TikTok but it can be dangerous, even without involving foreign governments and it is possible that Rupert’s henchmen are ahead of the curve for once.
Or maybe it’s time we held all social media apps to a higher standard in both security and the data they collect.