TikTok: Social Media, or Spyware?

TikTok is the fastest-growing social media platform right now by far, surpassing the likes of Reddit, Snapchat, Twitter, Pinterest and Quora.

It is also much more popular among Gen Z and Millennials:

The numbers are probably skewed a bit, because most children enter an older age when an app asks for it, right up until they actually are adults… I am guilty of that myself.

Which is why it came as a shock to some people when the U.S. government declared TikTok a security threat.

https://www.cnet.com/news/the-us-government-wont-detail-why-tiktok-is-a-security-threat/

Well, if the government doesn’t want to tell us, we’ll have to find out for ourselves.

Step 1: Obtain the TikTok source code (unfortunately, I can’t tell you how to do this)

This is the step most people might get stuck on…

Step 2: Spend hours looking through TikTok source code for suspicious things

Step 3: Share!


Beyond the initial paranoia, let’s be realistic about what apps collect. Even Google collects your IP address (and therefore an approximate geographic location), along with other pieces of personal data:

Google might collect far more personal data about its users than you might even realize. The company records every search you perform and every YouTube video you watch. Whether you have an iPhone or an Android, Google Maps logs everywhere you go, the route you use to get there and how long you stay — even if you never open the app.

So then what are we looking for? How is this different? For one thing, the Google, Facebook, Reddit, and Twitter apps don’t collect anywhere near the amount of data that TikTok does, and they don’t obfuscate and hide their methods the way TikTok does. Additionally, TikTok contains some odd code that no normal social media app should have. Here’s a quick comparison of the APIs TikTok accesses vs the Facebook app:

They both collect data, but TikTok collects more. It also needs access to your SMS messages for some reason, even though the app itself doesn’t interact with SMS…
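Step 2 above, and the API comparison just shown, boil down to one repetitive task: grepping a tree of decompiled source for the Android APIs that imply a capability (device identifiers, WiFi details, call log, clipboard, screenshot observers, root checks, process execution) and tallying where they appear. The script below is an added example of that triage and is not code from the original post or from TikTok/ByteDance. The API names are real Android/Java APIs, but which ones to flag is this example’s own assumption, and the embedded “decompiled” snippets are constructed to look like jadx output; they are not taken from any real app.

```python
"""Capability triage over decompiled Android source files.

Added example, not code from the original post or from TikTok/ByteDance. The
API names are real Android/Java APIs, but the choice of what to flag is an
assumption of this example, and SAMPLE_FILES is constructed to look like
decompiled Java; it is not taken from any real app.
"""
import os
import re
from collections import defaultdict

# Real Android/Java APIs grouped by the capability their presence implies.
# Presence is a prompt to read that code, not a verdict on its intent.
CAPABILITIES = {
    "device_ids": [r"\bgetDeviceId\(", r"\bgetSubscriberId\(",
                   r"\bgetSimSerialNumber\(", r"Settings\.Secure\.ANDROID_ID"],
    "network_info": [r"\bgetConnectionInfo\(", r"\bgetSSID\(", r"\bgetBSSID\(",
                     r"\bgetMacAddress\(", r"\bgetScanResults\("],
    "location": [r"\brequestLocationUpdates\(", r"\bgetLastKnownLocation\("],
    "call_log_sms": [r"CallLog\.Calls", r"Telephony\.Sms", r"\bSmsManager\b"],
    "clipboard": [r"\bClipboardManager\b", r"\bgetPrimaryClip\("],
    "screenshots": [r"MediaStore\.Images", r"ContentObserver\b"],
    "installed_apps": [r"\bgetInstalledPackages\(", r"\bgetInstalledApplications\("],
    "root_detection": [r"/system/(?:x?bin)/su\b", r"\bsuperuser\b", r"test-keys"],
    "native_exec": [r"Runtime\.getRuntime\(\)\.exec\(", r"\bProcessBuilder\b",
                    r"\bZipInputStream\b"],
}

# Constructed sample "decompiled" files (assumption: not from any real app).
SAMPLE_FILES = {
    "com/example/app/DeviceInfo.java": """
        String imei = telephonyManager.getDeviceId();
        String imsi = telephonyManager.getSubscriberId();
        WifiInfo info = wifiManager.getConnectionInfo();
        String ssid = info.getSSID(); String mac = info.getMacAddress();
    """,
    "com/example/app/Tracker.java": """
        locationManager.requestLocationUpdates(LocationManager.GPS_PROVIDER, 30000L, 0f, listener);
        Cursor c = resolver.query(CallLog.Calls.CONTENT_URI, null, null, null, null);
        resolver.registerContentObserver(MediaStore.Images.Media.EXTERNAL_CONTENT_URI, true, screenshotObserver);
    """,
    "com/example/app/RootCheck.java": """
        boolean rooted = new File("/system/xbin/su").exists() || Build.TAGS.contains("test-keys");
        Process p = Runtime.getRuntime().exec(new String[]{"which", "su"});
    """,
    "com/example/app/Feed.java": """
        List<Video> videos = api.fetchFeed(page);
    """,
}


def load_tree(root, exts=(".java", ".smali")):
    """Read every decompiled source file under `root` into {relative_path: text}."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(path, root)] = fh.read()
    return files


def scan_sources(files):
    """Return {capability: {path: hit_count}} for every pattern that matched."""
    hits = defaultdict(lambda: defaultdict(int))
    for path, text in files.items():
        for cap, patterns in CAPABILITIES.items():
            for pat in patterns:
                n = len(re.findall(pat, text))
                if n:
                    hits[cap][path] += n
    return {cap: dict(paths) for cap, paths in hits.items()}


def summarize(hits):
    """Capabilities as (name, total_hits, sorted_paths), most hits first."""
    rows = [(cap, sum(paths.values()), sorted(paths)) for cap, paths in hits.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def only_in(hits_a, hits_b):
    """Capabilities app A exhibits that app B does not (the TikTok-vs-Facebook style diff)."""
    return sorted(set(hits_a) - set(hits_b))


if __name__ == "__main__":
    hits = scan_sources(SAMPLE_FILES)
    for cap, total, paths in summarize(hits):
        print(f"{cap:15} {total:3}  {', '.join(paths)}")
```

On a real target, replace `SAMPLE_FILES` with `load_tree("out")` after decompiling with `jadx -d out app.apk`, and run the same scan over a second app to feed `only_in`. The counts are only a map of where to read next; a `ContentObserver` on `MediaStore.Images` is what a screenshot watcher looks like, but it is also what a gallery picker looks like, so every flag still needs a human to read the surrounding code.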

I’ll see if I can deconstruct what the TikTok app can/does do and why it might do it, and you can make your own judgement at the end of the day. However, most of this is scary because TIKTOK CAN REMOTELY CONTROL, ENABLE, DISABLE, AND ADD MORE TRACKING/LOGGING FEATURES WITHOUT UPDATING THE APP THROUGH THE STORE.

Things TikTok Collects

  • Location (once every 30 seconds for some variants of the app…)
  • Phone Calls
  • Screenshots(?)
  • Network Information (Wifi Networks’ SSID, MAC address, Carrier, Network Type, IMSI (possible), IMEI, local IPs, other devices on the network…)
  • Facial Data
  • Address(?)
  • Clipboard
  • Phone Data (cpu, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)
  • Installed Apps
  • Rooted/Jailbroken Status

Location

Most apps collect your location, so there’s nothing too fishy about this on its own. However, one could argue that your location is not needed for TikTok’s general functioning, so the app shouldn’t try to locate you this often, or at all, unless you’re using a feature that actually needs it. The data collected here includes your latitude and longitude, and a more precise position if the app can derive one from nearby WiFi networks (this is done in the WiFi-collecting code).

Phone Calls/Call Log/Phone Number

TikTok requires you to provide a phone number at signup in most cases for the app to function normally, so it can link your identity to your phone number. It also collects your call log (the people you’ve called) and holds the permission to make calls from your device, although I’ve never heard of a case of it doing so. Phone numbers are effectively unique, so this, combined with location and name, is already enough to identify virtually anyone using the app in the U.S.

Screenshots

The app registers an observer at some point (on app load would make sense) that watches for the user taking screenshots. It’s unlikely this code runs in the background, but the app at least knows about everything you screenshot while using it. Additionally, TikTok includes a string constant KEYWORDS that may be significant. A keyword is defined as “an informative word used in an information retrieval system to indicate the content of a document”. The app may use this variable to find screenshot files and potentially scan, upload, or otherwise use them. However, it may also have a legitimate use in categorizing images the user uploads.

Network Information

It also collects a large amount of network data. There doesn’t seem to be much legitimate use for most of it beyond analytics of some sort. Regardless, the app uploads full contact lists, SMS logs, your public IP, your local IP, MAC address information, and probably anything else it can read from the phone (which is close to everything).

Facial Data/Recognition

TikTok includes facial verification code as well, which at first glance I took to be for the face filters it offers, but it does a little more than that. The code includes a link to this domain (archived just in case). Translating that page gives:

Oops, my bad. Should’ve known I had to reverse-engineer the app, extract a developer URL, and then get a translator just to see that I’d even agreed to facial recognition logging by ‘continuing to use this service’.

And further on, it states what I believe to be particularly interesting:

IMPORTANT TO READ! Near the bottom it states facial images are transmitted to the parties listed above.

In specific:

ByteDance developed this function, which includes but not limited to the Ministry of Public Security’s “Internet +” trusted identity authentication platform, “Query Center” and other institutions to provide verification data and technical support.

This is very important because it names a “Ministry of Public Security” and an “Internet+” identity authentication platform or program of some sort, and the same translated text states near the bottom that facial images and identity verification results and data are transmitted to that third party.

What is the Ministry of Public Security? Well, a Google search quickly turns up results. They “operate the system of Public Security Bureaus, which are broadly the equivalent of police forces or police stations in other countries”, and were “established in 1949 (after the Communist victory in the Chinese Civil War)”.

So, they serve the Chinese Communist Party, or are at least connected to the government in a very direct way.

Okay, and what is the trusted identity authentication platform? More research turns up articles such as this, and this, so it’s not hard to imagine. Forcing users to identify themselves could be disastrous for some Chinese citizens: “Another user – nicknamed mnbxkd, from Zhaoqing, Guangdong Province – wrote: ‘After commenting on the government, one will be thrown into prison on charges of subversion of state power.'”

TikTok seems to be sending facial recognition data of anyone who uses the app back to some sort of third party associated with the CCP that also holds all the other information combined. This could create a scarily comprehensive profile, with location, of high-interest targets China wants to keep track of. Additionally, it can build shadow profiles, a term that came to prominence in the Facebook era. A shadow profile is a hidden record of someone who doesn’t use the app but whom the service can keep tabs on through that person’s connections. For instance, when you upload your contacts to TikTok, it can record the name you’ve assigned to each number and cross-check it against the contact uploads of your friends. Repeat that for every person who uploads their contacts and you quickly get a vast network of phone numbers and identities, including people who have nothing to do with TikTok. Combining facial recognition data with shadow profiles and everything else listed in this post could make for a pretty sophisticated tracking tool.
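To make the shadow-profile mechanism concrete, here is an added toy model of it in Python. It is not code from the original post or from TikTok/ByteDance; the three uploads, the phone numbers and the name-merging rule are all constructed assumptions for the example. Only three people “use the app”, yet after their address books are merged the service holds a record, with a plausible name, for two people who never installed it.

```python
"""Shadow-profile construction from contact uploads (toy model).

Added example, not code from the original post or from TikTok/ByteDance. The
uploads below are constructed sample data and the merge rules are assumptions;
the point is to show how address books from several users combine into a
record of people who never installed the app.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: each uploader's own number maps to the (label, number)
# pairs from their address book. Only the three keys are app users.
UPLOADS = {
    "+15550000001": [("Mom", "+15550000002"),
                     ("Alex Rivera", "+15550000003"),
                     ("Dr Chen", "+15550000004")],
    "+15550000003": [("Linda Rivera", "+15550000002"),
                     ("J. Rivera", "+15550000001"),
                     ("Wei Chen MD", "+15550000004")],
    "+15550000005": [("Alex", "+15550000003"),
                     ("Chen Wei", "+15550000004")],
}


def build_profiles(uploads):
    """Merge every upload into one record per phone number.

    Each record holds every label anyone gave the number, which uploaders
    had it in their address book, and whether the number is an app user.
    """
    profiles = defaultdict(lambda: {"labels": [], "seen_by": set(), "is_user": False})
    for uploader, contacts in uploads.items():
        profiles[uploader]["is_user"] = True
        for label, number in contacts:
            profiles[number]["labels"].append(label)
            profiles[number]["seen_by"].add(uploader)
    return dict(profiles)


def shadow_numbers(profiles):
    """Numbers the service knows only through other people's contacts."""
    return sorted(n for n, p in profiles.items() if not p["is_user"])


def name_vote(profile):
    """Tally name tokens across all labels so independent address books
    converge on a name: 'Dr Chen', 'Wei Chen MD', 'Chen Wei' -> Chen:3, Wei:2.

    Single-letter tokens (initials, the 's' of a possessive) are ignored.
    Ties break alphabetically, so a one-label profile gives an arbitrary pick.
    """
    votes = Counter()
    for label in profile["labels"]:
        for tok in re.findall(r"[A-Za-z]+", label):
            if len(tok) > 1:
                votes[tok] += 1
    return sorted(votes.items(), key=lambda kv: (-kv[1], kv[0]))


def best_name(profile):
    """Most-agreed-upon name token, or None if nobody has labelled the number."""
    votes = name_vote(profile)
    return votes[0][0] if votes else None


def coverage(profiles):
    """(app users, non-users the service now holds a record for)."""
    users = sum(1 for p in profiles.values() if p["is_user"])
    return users, len(profiles) - users


if __name__ == "__main__":
    profiles = build_profiles(UPLOADS)
    users, shadows = coverage(profiles)
    print(f"{users} users uploaded contacts; {shadows} non-users now have records")
    for number in shadow_numbers(profiles):
        p = profiles[number]
        print(f"{number}: likely '{best_name(p)}', labels={p['labels']}, "
              f"known via {len(p['seen_by'])} uploaders")
```

The number of uploaders who hold a given contact (`seen_by`) is the part that scales badly for the non-user: every additional upload adds another label to vote with and another social link, and none of it requires the person’s consent or presence on the platform.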

Address

I’ve used TikTok for a while, and I’ve never been asked to enter my address, city, or where I live. However, the TikTok app contains code to parse and send street addresses of locations. This is probably used to turn the coordinates it collects into readable addresses for internal logging and for easier viewing of users’ geographical locations. That is not to say it is malicious.

Clipboard

Embedded tweet (not reproduced here). Source: http://web.archive.org/web/20210506011606/https://twitter.com/jeremyburge/status/1275896482433040386

More information on clipboard collection by ByteDance is available here.

Phone Data

TikTok collects a great deal of data about the device you use to access the app: the installed app list, device ID, phone name, phone storage, and so on. Extrapolating from this, it probably collects more than I’ve been able to prove here.

Rooted/Jailbroken Status

The app detects whether or not your device is rooted or jailbroken. On its own this isn’t a big deal (plenty of banking apps do the same), but it is worth a mention: root detection can be combined with other obfuscation techniques to hide nefarious behaviour, for example by behaving differently on the rooted devices that researchers use to inspect it.

Other Problems

Beyond straight-up tracking and collecting data about its users, the app also has a number of fundamental design issues. For instance, it uses out-of-date cryptographic algorithms, including MD5 and SHA-1 for hashing. Both have practical collision attacks (MD5 since 2004, SHA-1 since the SHAttered attack in 2017) and are no longer considered secure for anything that depends on collision resistance, such as signatures or integrity checks; if they are only used as a non-security checksum the practical impact is smaller, but a modern app has no good reason to keep them. Additionally, until recently the app used plain HTTP rather than HTTPS, which exposed users’ emails, dates of birth, and usernames in plaintext to anyone on the same network who cared to look.

Execution of Remote Code & System Calls

Some research states that TikTok executes OS commands directly on the phone and can download remote .zip files, extract them, and execute arbitrary binaries on your device, which would allow TikTok to run whatever code it wants. While I don’t doubt this is possible, I have not personally verified that code in my research. However, I would not put it past the app to have this capability. Perhaps it’s better hidden now.

Security Research Files

Penetrum Security wrote an in-depth paper on TikTok if you’re interested in reading more about what I’ve covered here; it also compares how much data Facebook, Twitter, and other common social media apps collect vs. TikTok. They’ve done great work and I’ve archived those files here. The data collection comparison paper is very interesting (second download).

I’m not the only one who has come to these conclusions, either. This Reddit post and another security researcher both reached similar findings.


So, social media or spyware? Why not both?

I’m probably going to continue to use the app, but I’ll be sure not to say Xi Jinping looks like Winnie the Pooh or mention the Falun Gong genocide. At least, not while TikTok is watching.


My Patreon | My Website

Blog Style Refresh

Wow, it’s been a long time since I began this blog. Four years and counting, to be precise, and a lot has happened since then. I realized I hadn’t touched the blog CSS or general theme since its inception, so I decided to spruce it up a little. The style refresh was much needed and I think it looks pretty good!

It’s cool to look over the archives and see what I’ve created since that point.

That’s all this blog is for, after all. 😄 Writing practice, and fun. Hopefully whoever visits gets a small amount of enjoyment from it as well.

Here’s the first post that was ever made on the blog:
https://gmr.dev/blog/2017/02/17/moved-to-wordpress/


Testimonials & Upwork Reviews

Some nice reviews by clients. Mostly putting these on the blog to link between my website and Upwork.

Genevra was nothing short of AMAZING! We needed functionality on our nonprofit’s website we weren’t sure how to do and she connected all the dots perfectly and SUPER fast. She’s extremely knowledgeable, incredibly thorough, patient, kind, and responsive! Genevra answered a MILLION questions I asked (I’m curious, what can I say!?) and explained everything in a way that made sense to a relatively non-technical person. Honestly, our team was quite hesitant to use Upwork in the first place since we had never used it before and are a small charity. (Thus, we have very little risk we can take on as it relates to our tiny budget!) Part of it was also that we didn’t even know exactly what we needed or how to accomplish what we wanted to do. Genevra put all of those worries to rest as we exchanged messages back and forth before deciding to work together. She was very fair and transparent on pricing and worked with us. She also instantly knew how to help us and the best approach to take for what we were trying to do. It was TOO easy. If you’re looking for someone you can trust, please look no further and hit Genevra up – even if you don’t necessarily know what you need, trust her to help you find it! I’m sure if she doesn’t know she can at least point you in the right direction! We will certainly trust her with any future tech/software project. Genevra rocks!

https://www.upwork.com/jobs/~014ce5e09030e7b1c1

Working with Genevra was a great experience. She was professional, quick, and solved the issue I had run into with ease. I would recommend her to anyone looking for a great freelance web developer!

https://www.upwork.com/jobs/~019da05fa9f035f24a

Gen did a great job with minimal revisions. She also noticed other problems we were unaware of and brought up on her own initiative. Looking forward to working with her again!

https://www.upwork.com/jobs/~015284d820ba99220b

More reviews, or hire me, on Upwork here:

https://www.upwork.com/freelancers/~0198b8b2130c1dc9a0

If you would like to discuss a project or hiring me, you can always use my website to contact me directly.


Windows is getting rid of Flash Player for good… but Flash’s gaming legacy lives on through Flashpoint!

This project has been in the works for a while now, but it has only just reached a point where I’d feel comfortable recommending it to others.

Since Adobe ended support for Flash in 2020, not many people have missed it. However, a lot of Gen Z and Millennials grew up with Flash games as part of their childhood, or have a fair bit of nostalgia for certain animations or videos. Newgrounds, StickPage, Armor Games, Kongregate, and probably many more Flash portals have been rendered virtually useless, and hardly anyone plays browser games regularly anymore.

If you ever get that itch of nostalgia or feel like watching some of the old classics that once made the internet great, check out BlueMaxima’s Flashpoint! It’s a great project that aims to restore and archive great Flash content.

You do not need Flash Player to use it. That’s the whole point. You download the lightweight .exe from here, then simply browse a nice game list with a simple “PLAY” launch button.

Flashpoint Infinity is the one you want!
Double click this file once downloaded and run!

Once you launch it, you’ll be greeted with this nice user interface:

It’s a very respectable project and I highly commend them on their technical work and the exhaustive manual labour of collecting all of these files and external resources, and even custom-hacking some of the games to make them run as originally intended.

I highly recommend you check it out if you have time.

Oh, also, they archived Concussion. 😋


Searchifier not working? Windows probably updated. Read this.

Searchifier works by handling the request your Start menu sends to Edge (a microsoft-edge: protocol link) and translating it into a link your other browser can handle. Windows 10’s latest update breaks this by no longer letting an app automatically register itself as the default handler for that protocol; the association has to be set by hand in Settings.

You can fix it by doing this:

  1. Install Searchifier
  2. Go to Windows 10’s Settings
  3. Apps > Default Apps > Choose default apps by protocol (scroll down)
  4. Scroll to where it says “Microsoft-Edge”
  5. Click and change to Searchifier

It should work now!

If you need help getting it working, feel free to contact me.

Keywords: not working, update, gmr, genevra, search, browser, link handling, bing redirect, broken
