{"id":732,"date":"2021-05-06T09:00:00","date_gmt":"2021-05-06T16:00:00","guid":{"rendered":"https:\/\/gmr.dev\/blog\/?p=732"},"modified":"2022-08-26T14:45:55","modified_gmt":"2022-08-26T21:45:55","slug":"tiktok-social-media-or-spyware","status":"publish","type":"post","link":"https:\/\/rose.dev\/blog\/2021\/05\/06\/tiktok-social-media-or-spyware\/","title":{"rendered":"TikTok: Social Media, or Spyware?"},"content":{"rendered":"\n<p>TikTok is by far the fastest-growing social media platform right now, surpassing the likes of Reddit, Snapchat, Twitter, Pinterest and Quora.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/i.imgur.com\/QdXSAtb.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>And it&#8217;s much more popular among Gen Z and Millennials.<\/p>\n\n\n\n<p>But TikTok has been declared a security threat, and many have growing concerns about the operations of ByteDance as a whole.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">TikTok Source Code Analysis<\/h2>\n\n\n\n<p>Step 1: Obtain the TikTok source code<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/i.imgur.com\/mEkaEkt.png\" alt=\"\"\/><figcaption>This is the step most people might get stuck on&#8230;<\/figcaption><\/figure>\n\n\n\n<p>Step 2: Spend hours looking through the decompiled code for suspicious things<\/p>\n\n\n\n<p>Step 3: Share!<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<p>Beyond initial paranoia, let&#8217;s be realistic about what apps collect. Even Google collects your IP address (and therefore a rough geographic location) along with other pieces of personal data:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>Google might collect far more personal data about its users than you might even realize. 
The company records every search you perform and <a href=\"http:\/\/web.archive.org\/web\/20210505211252\/https:\/\/www.cnet.com\/news\/mozilla-is-sharing-youtube-horror-stories-to-prod-google-for-more-transparency\/\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noreferrer noopener\">every YouTube video you watch<\/a>. Whether you have an&nbsp;iPhone or an Android, <a href=\"http:\/\/web.archive.org\/web\/20210505211341\/https:\/\/www.cnet.com\/how-to\/how-to-slow-google-sensorvault-from-tracking-your-location-on-ios-android\/\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noreferrer noopener\">Google Maps logs everywhere you go<\/a>, the route you use to get there and how long you stay &#8212; even if you never open the app.<\/p><\/blockquote>\n\n\n\n<p>So what are we looking for, and how is this different? For one thing, the Google, Facebook, Reddit and Twitter apps don&#8217;t collect anywhere near as much data as TikTok does, and they don&#8217;t obfuscate and hide their collection code the way TikTok does. TikTok also contains code that a social media app has no obvious reason to include. Here&#8217;s a quick comparison of the APIs the TikTok app accesses versus the Facebook app:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"970\" height=\"433\" src=\"https:\/\/gmr.dev\/blog\/wp-content\/uploads\/2021\/05\/firefox_PU91IwDAP8.png\" alt=\"\" class=\"wp-image-778\" srcset=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/firefox_PU91IwDAP8.png 970w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/firefox_PU91IwDAP8-300x134.png 300w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/firefox_PU91IwDAP8-768x343.png 768w\" sizes=\"auto, (max-width: 970px) 100vw, 970px\" \/><figcaption>They both collect data, but TikTok collects more. 
And it requests access to your SMS messages, even though no feature in the app uses them&#8230;<\/figcaption><\/figure>\n\n\n\n<p>The sections below break down what the TikTok app can and does do, and why it might do it. Make your own judgement at the end of the day. Bear in mind that this is only what can be seen in the shipped app: TikTok is able to add and remove code in the app without pushing an update through the store.<\/p>\n\n\n\n<p><strong>Things TikTok Collects<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Location (once every 30 seconds in some versions)<\/li><li>Phone Calls<\/li><li>Screenshots(?)<\/li><li>Network Information (Wi-Fi networks&#8217; SSID, MAC address, carrier, network type, IMSI (possibly), IMEI, local IPs, other devices on the network)<\/li><li>Facial Data<\/li><li>Address<\/li><li>Clipboard<\/li><li>Phone Data (CPU, hardware IDs, screen dimensions, DPI, memory usage, disk space, etc.)<\/li><li>Installed Apps<\/li><li>Rooted\/Jailbroken Status<\/li><li>All keystrokes in the in-app browser (more below)<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-gallery columns-2 is-cropped\" id=\"tiktokcodeexamples\"><ul class=\"blocks-gallery-grid\"><li class=\"blocks-gallery-item\"><figure><a href=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_addresslocator.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" width=\"1310\" height=\"901\" src=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_addresslocator.png\" alt=\"\" data-id=\"747\" data-link=\"https:\/\/rose.dev\/blog\/?attachment_id=747\" class=\"wp-image-747\" srcset=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_addresslocator.png 1310w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_addresslocator-300x206.png 300w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_addresslocator-1024x704.png 1024w, 
https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_addresslocator-768x528.png 768w\" sizes=\"auto, (max-width: 1310px) 100vw, 1310px\" \/><\/a><figcaption class=\"blocks-gallery-item__caption\">address code<\/figcaption><\/figure><\/li><li class=\"blocks-gallery-item\"><figure><a href=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_apigetwifi.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" width=\"1255\" height=\"909\" src=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_apigetwifi.png\" alt=\"\" data-id=\"748\" data-link=\"https:\/\/rose.dev\/blog\/?attachment_id=748\" class=\"wp-image-748\" srcset=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_apigetwifi.png 1255w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_apigetwifi-300x217.png 300w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_apigetwifi-1024x742.png 1024w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_apigetwifi-768x556.png 768w\" sizes=\"auto, (max-width: 1255px) 100vw, 1255px\" \/><\/a><figcaption class=\"blocks-gallery-item__caption\">location<\/figcaption><\/figure><\/li><li class=\"blocks-gallery-item\"><figure><a href=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_calls.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" width=\"1308\" height=\"896\" src=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_calls.png\" alt=\"\" data-id=\"749\" data-link=\"https:\/\/rose.dev\/blog\/?attachment_id=749\" class=\"wp-image-749\" srcset=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_calls.png 1308w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_calls-300x206.png 300w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_calls-1024x701.png 1024w, 
https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_calls-768x526.png 768w\" sizes=\"auto, (max-width: 1308px) 100vw, 1308px\" \/><\/a><figcaption class=\"blocks-gallery-item__caption\">phone number\/call log code<\/figcaption><\/figure><\/li><li class=\"blocks-gallery-item\"><figure><a href=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_facialrecogprotocol.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" width=\"1275\" height=\"897\" src=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_facialrecogprotocol.png\" alt=\"\" data-id=\"750\" data-link=\"https:\/\/rose.dev\/blog\/?attachment_id=750\" class=\"wp-image-750\" srcset=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_facialrecogprotocol.png 1275w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_facialrecogprotocol-300x211.png 300w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_facialrecogprotocol-1024x720.png 1024w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_facialrecogprotocol-768x540.png 768w\" sizes=\"auto, (max-width: 1275px) 100vw, 1275px\" \/><\/a><figcaption class=\"blocks-gallery-item__caption\">facial verify protocol<\/figcaption><\/figure><\/li><li class=\"blocks-gallery-item\"><figure><a href=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_location.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" width=\"970\" height=\"900\" src=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_location.png\" alt=\"\" data-id=\"751\" data-link=\"https:\/\/rose.dev\/blog\/?attachment_id=751\" class=\"wp-image-751\" srcset=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_location.png 970w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_location-300x278.png 300w, 
https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_location-768x713.png 768w\" sizes=\"auto, (max-width: 970px) 100vw, 970px\" \/><\/a><figcaption class=\"blocks-gallery-item__caption\">location code<\/figcaption><\/figure><\/li><li class=\"blocks-gallery-item\"><figure><a href=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_location2.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" width=\"1055\" height=\"463\" src=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_location2.png\" alt=\"\" data-id=\"752\" data-link=\"https:\/\/rose.dev\/blog\/?attachment_id=752\" class=\"wp-image-752\" srcset=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_location2.png 1055w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_location2-300x132.png 300w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_location2-1024x449.png 1024w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_location2-768x337.png 768w\" sizes=\"auto, (max-width: 1055px) 100vw, 1055px\" \/><\/a><figcaption class=\"blocks-gallery-item__caption\">location code 2<\/figcaption><\/figure><\/li><li class=\"blocks-gallery-item\"><figure><a href=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_screenshot.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" width=\"1313\" height=\"882\" src=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_screenshot.png\" alt=\"\" data-id=\"753\" data-link=\"https:\/\/rose.dev\/blog\/?attachment_id=753\" class=\"wp-image-753\" srcset=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_screenshot.png 1313w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_screenshot-300x202.png 300w, 
https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_screenshot-1024x688.png 1024w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_screenshot-768x516.png 768w\" sizes=\"auto, (max-width: 1313px) 100vw, 1313px\" \/><\/a><figcaption class=\"blocks-gallery-item__caption\">screenshot code<\/figcaption><\/figure><\/li><li class=\"blocks-gallery-item\"><figure><a href=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_screenshot_observer.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" width=\"1293\" height=\"849\" src=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_screenshot_observer.png\" alt=\"\" data-id=\"754\" data-link=\"https:\/\/rose.dev\/blog\/?attachment_id=754\" class=\"wp-image-754\" srcset=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_screenshot_observer.png 1293w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_screenshot_observer-300x197.png 300w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_screenshot_observer-1024x672.png 1024w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_screenshot_observer-768x504.png 768w\" sizes=\"auto, (max-width: 1293px) 100vw, 1293px\" \/><\/a><figcaption class=\"blocks-gallery-item__caption\">screenshot observer<\/figcaption><\/figure><\/li><li class=\"blocks-gallery-item\"><figure><a href=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_toutiao_js.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" width=\"1312\" height=\"658\" src=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_toutiao_js.png\" alt=\"\" data-id=\"790\" data-full-url=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_toutiao_js.png\" 
data-link=\"https:\/\/rose.dev\/blog\/2021\/05\/06\/tiktok-social-media-or-spyware\/tiktok_spyware_toutiao_js\/\" class=\"wp-image-790\" srcset=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_toutiao_js.png 1312w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_toutiao_js-300x150.png 300w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_toutiao_js-1024x514.png 1024w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_toutiao_js-768x385.png 768w\" sizes=\"auto, (max-width: 1312px) 100vw, 1312px\" \/><\/a><figcaption class=\"blocks-gallery-item__caption\">track all actions in the app (including what you copy to the clipboard or share)<\/figcaption><\/figure><\/li><\/ul><figcaption class=\"blocks-gallery-caption\">Code examples for each of the collected items above (<strong>click an image<\/strong> to enlarge)<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Location<\/h3>\n\n\n\n<p>Most apps collect your location, so there&#8217;s nothing too fishy about this on its own. However, your location is not needed for TikTok&#8217;s core functionality, so the app arguably shouldn&#8217;t try to locate you this often, or at all, unless you&#8217;re using a feature that needs it. The data collected here includes your latitude and longitude, plus a more precise position derived from nearby Wi-Fi networks when one is available (done in the Wi-Fi collection code).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Phone Calls\/Call Log\/Phone Number<\/h3>\n\n\n\n<p>TikTok usually requires a phone number at signup for the app to function normally, which lets it link your identity to your number. It also collects your call log (who you&#8217;ve called) and holds the permission to place calls from your device, although I&#8217;ve never heard of a case of this happening. 
A phone number is effectively a unique identifier, so combined with location and name it is already enough to identify virtually anyone using the app in the U.S.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Screenshots<\/h3>\n\n\n\n<p>The app registers an observer at some point (app load would make sense) that is notified whenever the user takes a screenshot. It&#8217;s unlikely this code runs in the background, but the app at least knows about every screenshot you take while using it. TikTok also includes a string, &#8220;KEYWORDS&#8221;, that may be significant. A keyword is &#8220;an informative word used in an information retrieval system to indicate the content of a document&#8221;, so this variable may be used to find screenshot files and potentially scan or upload them. However, it may equally have a legitimate, non-malicious use, such as categorising images the user chooses to upload.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Network Information<\/h3>\n\n\n\n<p>The app also collects a great deal of network data. It uploads full contact lists, SMS logs, public and local IP addresses, MAC address information, and probably anything else it can read from the phone (which is nearly everything).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Facial Data\/Recognition<\/h3>\n\n\n\n<p>TikTok also includes facial verification code, which at first glance I believed to be for the face filters it includes, but it does a little more than that. The code includes <a aria-label=\"undefined (opens in a new tab)\" rel=\"noreferrer noopener\" href=\"http:\/\/web.archive.org\/web\/20210505223345\/https:\/\/developer.toutiao.com\/facial_recognition_protocol\" target=\"_blank\">a link to this domain (archived)<\/a>. 
A translation of that page states:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1555\" height=\"456\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" src=\"https:\/\/i1.wp.com\/gmr.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_bytedancewebsite_1.png?fit=660%2C193&amp;ssl=1\" alt=\"\" class=\"wp-image-757\" srcset=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_bytedancewebsite_1.png 1555w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_bytedancewebsite_1-300x88.png 300w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_bytedancewebsite_1-1024x300.png 1024w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_bytedancewebsite_1-768x225.png 768w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_bytedancewebsite_1-1536x450.png 1536w\" \/><figcaption>Oops, my bad. Should&#8217;ve known I had to reverse-engineer the app, extract a developer URL, and then get a translator just to see that I&#8217;d even agreed to facial recognition logging by &#8216;continuing to use this service&#8217;.<\/figcaption><\/figure>\n\n\n\n<p>And further on, it states what I believe to be particularly interesting:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1573\" height=\"708\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" src=\"https:\/\/i2.wp.com\/gmr.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_bytedancewebsite_2.png?fit=660%2C297&amp;ssl=1\" alt=\"\" class=\"wp-image-758\" srcset=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_bytedancewebsite_2.png 1573w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_bytedancewebsite_2-300x135.png 300w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_bytedancewebsite_2-1024x461.png 1024w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_bytedancewebsite_2-768x346.png 768w, 
https:\/\/rose.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_bytedancewebsite_2-1536x691.png 1536w\" \/><figcaption>Near the bottom it states facial images are transmitted to the parties listed above.<\/figcaption><\/figure>\n\n\n\n<p>Specifically:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>ByteDance developed this function, which includes but is not limited to the Ministry of Public Security&#8217;s &#8220;Internet +&#8221; trusted identity authentication platform, &#8220;Query Center&#8221; and other institutions to provide verification data and technical support.<\/p><\/blockquote>\n\n\n\n<p>This matters because it names a &#8220;Ministry of Public Security&#8221; and an &#8220;Internet+&#8221; identity authentication platform of some kind, and the same translated text states near the bottom that facial images, identity verification results and related data are transmitted to that third party.<\/p>\n\n\n\n<p>What is the Ministry of Public Security? <a aria-label=\"undefined (opens in a new tab)\" rel=\"noreferrer noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/Ministry_of_Public_Security_(China)\" target=\"_blank\">A Google search quickly turns up results<\/a>. They &#8220;operate the system of <a href=\"https:\/\/en.wikipedia.org\/wiki\/Public_Security_Bureau\">Public Security Bureaus<\/a>, which are broadly the equivalent of police forces or police stations in other countries&#8221;, and were &#8220;established in 1949 (after the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Communist_Party_of_China\">Communist<\/a> victory in the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Chinese_Civil_War\">Chinese Civil War<\/a>)&#8221;.<\/p>\n\n\n\n<p>It seems they serve the Chinese Communist Party, or are at least connected to the government in a very direct way.<\/p>\n\n\n\n<p>And what is the trusted identity authentication platform? 
More research turns up articles such as <a aria-label=\"undefined (opens in a new tab)\" rel=\"noreferrer noopener\" href=\"http:\/\/web.archive.org\/web\/20210505230320\/https:\/\/www.theverge.com\/2017\/8\/28\/16217602\/china-censorship-real-identities-weibo-blogging-all-content\" target=\"_blank\">this<\/a>, and <a aria-label=\"undefined (opens in a new tab)\" rel=\"noreferrer noopener\" href=\"http:\/\/web.archive.org\/web\/20210505230425\/https:\/\/www.bbc.com\/news\/technology-41081676\" target=\"_blank\">this<\/a>. It appears likely that all facial recognition data is sent back to China and retained by various parties.<\/p>\n\n\n\n<p>TikTok appears to be sending facial recognition data of anyone who uses the app to some third party associated with the CCP, alongside all the other information it collects. Combined, this could create a frighteningly comprehensive profile and location history for high-interest targets China wants to keep track of. Additionally, it can use <a aria-label=\"undefined (opens in a new tab)\" href=\"http:\/\/web.archive.org\/web\/20210426170431\/https:\/\/www.theverge.com\/2018\/4\/11\/17225482\/facebook-shadow-profiles-zuckerberg-congress-data-privacy\" target=\"_blank\" rel=\"noreferrer noopener\">shadow tracking<\/a>, a term that became common in the Facebook era. Shadow tracking, or shadow profiles, means collecting data on, and keeping hidden profiles of, people who don&#8217;t use the app but whom TikTok can keep tabs on through their connections. For instance, when you upload your contacts to TikTok, it records the names you&#8217;ve assigned to each contact and cross-checks them against the contacts your friends have uploaded, and it does this for every person who uploads their contacts. This quickly builds a vast network of phone numbers and identities, even for people who have never touched TikTok. 
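<\/p>\n\n\n\n<p>The contact cross-check just described, as an added example that is not code from the original post and not ByteDance&#8217;s code: a few constructed address books (every name and number is made up) are normalised and merged into one profile per phone number, so that a person who never installed the app still ends up with a best-guess name, a list of the users who know them, and the links between those users. The normalisation rule (a bare ten-digit number is treated as North American) is an assumption of the example.<\/p>

```python
from collections import Counter, defaultdict

# Constructed sample input (made-up names and numbers): each entry is the
# address book one app user uploaded. Only alice, bob and carol have accounts.
UPLOADS = {
    'alice': {'+1 (415) 555-0101': 'Bob Smith',
              '+1 415-555-0199': 'Dana (work)',
              '415.555.0150': 'Mom'},
    'bob':   {'+14155550100': 'Alice',
              '+1 415 555 0199': 'Dana Lee',
              '+14155550150': 'Mrs Ramirez'},
    'carol': {'4155550199': 'D. Lee',
              '+1-415-555-0101': 'Bobby'},
}
# Phone number each account was registered with (also constructed).
USER_NUMBERS = {'alice': '+14155550100', 'bob': '+14155550101', 'carol': '+14155550102'}


def normalize(number, default_country='1'):
    """Collapse the formats people use in address books to one canonical key.
    Assumption of this example: a bare ten-digit number is North American."""
    digits = ''.join(ch for ch in number if ch.isdigit())
    if len(digits) == 10:
        digits = default_country + digits
    return '+' + digits


def build_profiles(uploads, user_numbers):
    """One profile per phone number, merged across every uploader's address book."""
    accounts = {normalize(n): user for user, n in user_numbers.items()}
    names = defaultdict(Counter)   # number -> how each uploader labelled it
    known_by = defaultdict(set)    # number -> uploaders who have it saved
    for uploader, book in uploads.items():
        for raw, label in book.items():
            number = normalize(raw)
            names[number][label.strip()] += 1
            known_by[number].add(uploader)
    return {
        number: {
            'account': accounts.get(number),          # None for a non-user
            'names': names[number].most_common(),     # most agreed-on label first
            'known_by': sorted(known_by[number]),     # the person's social circle
        }
        for number in names
    }


def shadow_profiles(profiles):
    """Numbers with no account: people who never used the app but are profiled anyway."""
    return {n: p for n, p in profiles.items() if p['account'] is None}


def connections(profiles):
    """Pairs of users linked because they both have the same person saved."""
    pairs = set()
    for profile in profiles.values():
        users = profile['known_by']
        for i, a in enumerate(users):
            for b in users[i + 1:]:
                pairs.add((a, b))
    return sorted(pairs)


if __name__ == '__main__':
    profiles = build_profiles(UPLOADS, USER_NUMBERS)
    for number, profile in shadow_profiles(profiles).items():
        print(number, profile['names'], 'known by', profile['known_by'])
    print('linked users:', connections(profiles))
```

<p>Dana never signed up, yet three uploads are enough to settle on a surname, list every user who knows her, and tie those users to each other; the more address books come in, the more the labels converge and the sparser the gaps. Only the normalisation step is doing any real work, which is why formatting differences between address books are no protection at all.<\/p>

<p>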
Combining facial recognition data with shadow tracking and everything else listed in this post could make for a pretty sophisticated tracking tool.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Address<\/h3>\n\n\n\n<p>I&#8217;ve used TikTok for a while before now, and I&#8217;ve never been asked to enter my address, city, or where I live. However, the TikTok app contains code to parse and send the addresses of locations. This is probably used to turn collected coordinates into street addresses for internal logging and easier viewing of users&#8217; geographical locations, which is not necessarily malicious.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Clipboard<\/h3>\n\n\n\n<div class=\"wp-block-media-text alignwide is-stacked-on-mobile\" style=\"grid-template-columns:77% auto\"><figure class=\"wp-block-media-text__media\"><video controls src=\"https:\/\/gmr.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_spyware_clipboard_iosnotif.mp4\"><\/video><\/figure><div class=\"wp-block-media-text__content\">\n<p class=\"has-large-font-size\">The clip shows the iOS 14 paste notification firing repeatedly while TikTok is open, which is how the app&#8217;s clipboard reads first came to light.<\/p>\n<\/div><\/div>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<p>Source: <a aria-label=\"undefined (opens in a new tab)\" href=\"http:\/\/web.archive.org\/web\/20210506011606\/https:\/\/twitter.com\/jeremyburge\/status\/1275896482433040386\" target=\"_blank\" rel=\"noreferrer noopener\">http:\/\/web.archive.org\/web\/20210506011606\/https:\/\/twitter.com\/jeremyburge\/status\/1275896482433040386<\/a><\/p>\n\n\n\n<p><a aria-label=\"undefined (opens in a new tab)\" href=\"http:\/\/archive.today\/hKlpH\" target=\"_blank\" rel=\"noreferrer noopener\">And more information here about clipboard collection<\/a> by ByteDance.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Phone Data<\/h3>\n\n\n\n<p>TikTok collects a lot of data about the device you use to access the app: the installed app list, device ID, phone name, storage, and so on. 
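<\/p>\n\n\n\n<p>The three steps at the top of the post are the whole method, and Step 2 is where the hours go. Here is an added example (not the post&#8217;s code, and nothing taken from the TikTok binary) that does a first pass of Step 2 mechanically: it reads the permissions out of an AndroidManifest.xml, scans decompiled sources for the Android API identifiers that commonly implement each item in the &#8220;Things TikTok Collects&#8221; list, and flags any permission that is requested without a matching API call, which is the SMS case in the comparison figure. The identifier-to-category mapping is the example&#8217;s own heuristic, and the manifest and Java snippets are constructed stand-ins for apktool or jadx output.<\/p>

```python
import xml.etree.ElementTree as ET

ANDROID_NS = '{http://schemas.android.com/apk/res/android}'

# Category -> (manifest permissions, source identifiers). The identifiers are
# the Android APIs that commonly implement each collected item; the mapping is
# this example's own heuristic, not something taken from the TikTok binary.
SIGNATURES = {
    'Location': (['ACCESS_FINE_LOCATION', 'ACCESS_COARSE_LOCATION'],
                 ['LocationManager', 'requestLocationUpdates', 'getLastKnownLocation']),
    'Phone Calls': (['READ_CALL_LOG', 'CALL_PHONE', 'READ_PHONE_STATE'],
                    ['CallLog.Calls', 'getLine1Number', 'ACTION_CALL']),
    'SMS': (['READ_SMS', 'RECEIVE_SMS'],
            ['content://sms', 'Telephony.Sms', 'SmsManager']),
    'Network Information': (['ACCESS_WIFI_STATE'],
                            ['WifiManager', 'getScanResults', 'getBSSID', 'getDeviceId', 'getSubscriberId']),
    'Screenshots': ([], ['ContentObserver', 'EXTERNAL_CONTENT_URI', 'screenshot']),
    'Clipboard': ([], ['ClipboardManager', 'getPrimaryClip']),
    'Phone Data': ([], ['Build.MODEL', 'Build.HARDWARE', 'StatFs', 'getMemoryInfo', 'DisplayMetrics']),
    'Installed Apps': ([], ['getInstalledPackages', 'getInstalledApplications']),
    'Rooted/Jailbroken Status': ([], ['xbin/su', 'test-keys', 'Superuser.apk']),
}

# Constructed stand-ins for apktool/jadx output; a real run reads these from disk.
SAMPLE_MANIFEST = '''<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>'''

SAMPLE_SOURCES = {
    'com/example/loc/a.java': (
        'LocationManager lm = (LocationManager) ctx.getSystemService(Context.LOCATION_SERVICE);\n'
        'lm.requestLocationUpdates(provider, 30000L, 0.0f, listener);\n'),
    'com/example/net/b.java': (
        'WifiInfo info = wifi.getConnectionInfo();\n'
        'String bssid = info.getBSSID();\n'
        'String imei = tm.getDeviceId();\n'),
    'com/example/dev/c.java': (
        'map.put("model", Build.MODEL);\n'
        'StatFs fs = new StatFs(path);\n'
        'List apps = pm.getInstalledPackages(0);\n'),
    'com/example/ui/d.java': (
        'resolver.registerContentObserver(MediaStore.Images.Media.EXTERNAL_CONTENT_URI, true, observer);\n'),
}


def requested_permissions(manifest_xml):
    """Short names of every <uses-permission> in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return [elem.get(ANDROID_NS + 'name', '').rsplit('.', 1)[-1]
            for elem in root.iter('uses-permission')]


def triage(manifest_xml, sources):
    """Per category: which permissions the app asks for and where matching APIs are used."""
    granted = set(requested_permissions(manifest_xml))
    report = {}
    for category, (perms, idents) in SIGNATURES.items():
        hits = []
        for path, text in sources.items():
            for lineno, line in enumerate(text.splitlines(), 1):
                hits.extend((path, lineno, ident) for ident in idents if ident in line)
        report[category] = {'permissions': sorted(p for p in perms if p in granted), 'hits': hits}
    return report


def unused_permissions(report):
    """Categories where a permission is requested but no matching API use was found."""
    return [c for c, r in report.items() if r['permissions'] and not r['hits']]


if __name__ == '__main__':
    report = triage(SAMPLE_MANIFEST, SAMPLE_SOURCES)
    for category, result in report.items():
        if result['permissions'] or result['hits']:
            print(category, result['permissions'])
            for path, lineno, ident in result['hits']:
                print('   ', path + ':' + str(lineno), ident)
    print('requested but unused:', unused_permissions(report))
```

<p>A hit means the identifier appears in the decompiled code, not that the code path is reachable or that the data ever leaves the device; confirming that still means reading the call site and watching the traffic. The converse is also worth noting: obfuscated identifiers and code fetched at runtime never show up in a string scan, which is exactly why the ability to change the app without a store update matters.<\/p>

<p>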
Extrapolating from what is visible, it probably collects more than has been proven here.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Rooted\/Jailbroken Status<\/h3>\n\n\n\n<p>The app detects whether the device is rooted or jailbroken. This isn&#8217;t a big deal on its own, but it&#8217;s worth a mention: root detection is a common way for an app to behave differently on devices that are likely being instrumented by an analyst, and combined with other obfuscation techniques it could be used to hide nefarious actions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Other Problems<\/h3>\n\n\n\n<p>Beyond straight-up tracking and data collection, there are also a number of fundamental design issues with the app. For instance, the app uses outdated hash functions, including MD5 and SHA-1. <a aria-label=\"undefined (opens in a new tab)\" href=\"http:\/\/web.archive.org\/web\/20210506015004\/https:\/\/tools.ietf.org\/id\/draft-lvelvindron-tls-md5-sha1-deprecate-01.html\" target=\"_blank\" rel=\"noreferrer noopener\">Both have practical collision attacks and are deprecated for security use.<\/a> How much that matters depends on what they protect: as checksums or cache keys they are mostly harmless, but for anything that needs integrity or authenticity they should not be used. Additionally, until recently the app used plain HTTP rather than HTTPS for some of its requests, which exposed users&#8217; email addresses, dates of birth and usernames in cleartext to anyone on the network path who cared to look.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Execution of Remote Code &amp; System Calls<\/h3>\n\n\n\n<p><a aria-label=\"undefined (opens in a new tab)\" rel=\"noreferrer noopener\" href=\"https:\/\/i.imgur.com\/VAr0Vjg.png\" target=\"_blank\">Other research states that TikTok executes OS commands directly on the phone<\/a> and can download remote .zip files, extract them, and execute arbitrary binaries on your device, allowing TikTok to run whatever code it wants. While I don&#8217;t doubt this is possible, I have not personally verified the code in my research. However, I would not put it past the app to have this capability. 
Perhaps it&#8217;s better hidden now.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Keystrokes in the Browser<\/h3>\n\n\n\n<p>The app was tested with <a rel=\"noreferrer noopener\" href=\"https:\/\/inappbrowser.com\/\" target=\"_blank\">inappbrowser.com<\/a>, a page that reports the JavaScript an in-app browser injects into the sites it loads and which page events that script hooks. Open the page in a normal browser and it reports nothing: a standard browser injects no script and monitors no events, which is what you want. The site exists to show how a third-party app abuses its in-app browser. Opened from TikTok&#8217;s in-app browser, it reports that TikTok&#8217;s injected script hooks every keystroke and key input on the page, so the output looks more like the report below. The report proves the hooks exist, not what the app does with the events; answering that would mean reading the injected script or watching the traffic it generates.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"479\" height=\"1024\" sizes=\"auto, (max-width: 479px) 100vw, 479px\" src=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2022\/08\/TikTok_keyeventmonitor-479x1024.jpg\" alt=\"inappbrowser.com report text for tiktok in app browser\" class=\"wp-image-2515\" srcset=\"https:\/\/rose.dev\/blog\/wp-content\/uploads\/2022\/08\/TikTok_keyeventmonitor-479x1024.jpg 479w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2022\/08\/TikTok_keyeventmonitor-140x300.jpg 140w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2022\/08\/TikTok_keyeventmonitor-768x1641.jpg 768w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2022\/08\/TikTok_keyeventmonitor-719x1536.jpg 719w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2022\/08\/TikTok_keyeventmonitor-958x2048.jpg 958w, https:\/\/rose.dev\/blog\/wp-content\/uploads\/2022\/08\/TikTok_keyeventmonitor.jpg 1080w\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Security Research Files<\/h2>\n\n\n\n<p><a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/penetrum.com\/research\" target=\"_blank\" rel=\"noreferrer noopener\">Penetrum Security<\/a> wrote an in-depth paper on TikTok if you&#8217;re interested in reading into a lot of what I&#8217;ve discovered here, 
and also compared how much data Facebook, Twitter, and common social media apps collect vs. TikTok. They&#8217;ve done great work and I&#8217;ve archived those files here. The data collection comparison paper is very interesting (second download). <\/p>\n\n\n\n<div class=\"wp-block-file\"><a id=\"wp-block-file--media-885ab72c-e2db-4e31-a2fa-872406db01dc\" href=\"https:\/\/gmr.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_security_analysis.pdf\">security_analysis.pdf<\/a><a href=\"https:\/\/gmr.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_security_analysis.pdf\" class=\"wp-block-file__button\" download aria-describedby=\"wp-block-file--media-885ab72c-e2db-4e31-a2fa-872406db01dc\">Download<\/a><\/div>\n\n\n\n<div class=\"wp-block-file\"><a id=\"wp-block-file--media-e63b2d38-8d5f-4719-90b8-cae21d2a6e87\" href=\"https:\/\/gmr.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_datacollectioncomparison.pdf\">datacollectioncom.pdf<\/a><a href=\"https:\/\/gmr.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_datacollectioncomparison.pdf\" class=\"wp-block-file__button\" download aria-describedby=\"wp-block-file--media-e63b2d38-8d5f-4719-90b8-cae21d2a6e87\">Download<\/a><\/div>\n\n\n\n<div class=\"wp-block-file\"><a id=\"wp-block-file--media-a1469882-a3c7-495b-8b28-a6768b17cd57\" href=\"https:\/\/gmr.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_static_analysis_10.8.0.pdf\">static_analysis.pdf<\/a><a href=\"https:\/\/gmr.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_static_analysis_10.8.0.pdf\" class=\"wp-block-file__button\" download aria-describedby=\"wp-block-file--media-a1469882-a3c7-495b-8b28-a6768b17cd57\">Download<\/a><\/div>\n\n\n\n<div class=\"wp-block-file\"><a id=\"wp-block-file--media-b394128c-4c03-4f6d-a872-d02124a7d05b\" href=\"https:\/\/gmr.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_pulled_urls.txt\">used_loaded_urls.txt<\/a><a href=\"https:\/\/gmr.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_pulled_urls.txt\" 
class=\"wp-block-file__button\" download aria-describedby=\"wp-block-file--media-b394128c-4c03-4f6d-a872-d02124a7d05b\">Download<\/a><\/div>\n\n\n\n<div class=\"wp-block-file\"><a id=\"wp-block-file--media-ef5e92b2-d7a1-4b05-bb54-975760cc482f\" href=\"https:\/\/gmr.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_ip_address_list.txt\">ip_address_list.txt<\/a><a href=\"https:\/\/gmr.dev\/blog\/wp-content\/uploads\/2021\/05\/tiktok_ip_address_list.txt\" class=\"wp-block-file__button\" download aria-describedby=\"wp-block-file--media-ef5e92b2-d7a1-4b05-bb54-975760cc482f\">Download<\/a><\/div>\n\n\n\n<p>I&#8217;m not the only one who has come to these conclusions. <a aria-label=\"undefined (opens in a new tab)\" href=\"http:\/\/web.archive.org\/web\/20210129161144\/https:\/\/old.reddit.com\/r\/videos\/comments\/fxgi06\/not_new_news_but_tbh_if_you_have_tiktiok_just_get\/fmuko1m\/\" target=\"_blank\" rel=\"noreferrer noopener\">This Reddit post<\/a> and <a aria-label=\"undefined (opens in a new tab)\" href=\"http:\/\/web.archive.org\/web\/20210506002249\/https:\/\/blog.zimperium.com\/zimperium-analyzes-tiktoks-security-and-privacy-risks\/\" target=\"_blank\" rel=\"noreferrer noopener\">another security researcher<\/a> reached similar findings.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<p>So, social media or spyware? 
Why not both?<\/p>\n\n\n\n<p>I&#8217;m probably going to continue to use the app, but I&#8217;ll be sure not to say <a aria-label=\"undefined (opens in a new tab)\" href=\"http:\/\/web.archive.org\/web\/20210506015317\/https:\/\/www.theguardian.com\/world\/2018\/aug\/07\/china-bans-winnie-the-pooh-film-to-stop-comparisons-to-president-xi\" target=\"_blank\" rel=\"noreferrer noopener\">Xi Jinping looks like Winnie the Pooh<\/a> or mention the <a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/en.wikipedia.org\/wiki\/Organ_harvesting_from_Falun_Gong_practitioners_in_China\" target=\"_blank\" rel=\"noreferrer noopener\">Falun Gong genocide<\/a>. At least, not while TikTok is watching.<\/p>\n<hr>\r\nPublished 2021-05-06 09:00:00 ","protected":false},"excerpt":{"rendered":"<p>TikTok is by far the fastest-growing social media platform right now, surpassing the likes of Reddit, Snapchat, Twitter, Pinterest and Quora. And it&#8217;s much more popular among Gen Z and Millennials. But TikTok has been declared a security threat, and many have growing concerns about the operations of ByteDance as a whole. 
TikTok Source &hellip; <a href=\"https:\/\/rose.dev\/blog\/2021\/05\/06\/tiktok-social-media-or-spyware\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">TikTok: Social Media, or Spyware?<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":""},"categories":[835,833],"tags":[799,802,801,795,797,798,792,794,796,791,790,789,800,793],"class_list":["post-732","post","type-post","status-publish","format-standard","hentry","category-misc","category-technology","tag-bytedance","tag-china","tag-chinese","tag-data","tag-facial-recognition","tag-facial-tracking","tag-media","tag-phone","tag-sms-logs","tag-social","tag-spyware","tag-tiktok","tag-toutiao","tag-tracking"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/rose.dev\/blog\/wp-json\/wp\/v2\/posts\/732","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rose.dev\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rose.dev\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rose.dev\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rose.dev\/blog\/wp-json\/wp\/v2\/comments?post=732"}],"version-history":[{"count":16,"href":"https:\/\/rose.dev\/blog\/wp-json\/wp\/v2\/posts\/732\/revisions"}],"predecessor-version":[{"id":2536,"href":"https:\/\/rose.dev\/blog\/wp-json\/wp\/v2\/posts\/732\/revisions\/2536"}],"wp:attachment":[{"href":"https:\/\/rose.dev\/blog\/wp-json\/wp\/v2\/media?parent=732"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rose.dev\/blog\/wp-json\/wp\/v2\/categories?post=732"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rose.dev\/blog\/wp-json\/wp\/v2\/tags?post=732"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}