
I wasn’t recording anything but TikTok was using the microphone - kburman
https://np.reddit.com/r/ios/comments/hj7y3r/not_only_is_tiktok_copying_from_the_clipboard/
======
kevsim
I’ll be showing my age here - but is TikTok so important that it’s worth the
risk? I know teenagers aren’t going to care but are people on HN still using
this thing on their phones?

~~~
djeiasbsbo
I did install it but just to see what all of the fuss lately was about. I
didn't "reverse engineer" it but instead used XPrivacyLua permissions manager
to log the permission requests and NetGuard firewall application to log all
network traffic (these are FOSS android apps/tools).

I spoofed all of my device information such as IMEI, clipboard, phone number,
location, ssid and so on and then opened the application and used it for a
bit.

It is true that the app requests/uses almost all permissions regularly but
was that surprising? Not really... I'd say it behaves about the same as the
WhatsApp application, which seems to have a much better reputation.

I was surprised about the fact that TikTok has no login gate though. Videos
and comments can be consumed without an account. Even reddit these days is
forcing one to either log in or download their mobile app.

Would love to share my results/logs but I don't have a blog or really any
internet presence for that matter. If requested I would be down to analyse
some other apps as well and compare the results!

~~~
noman-land
How do you spoof all your info like IMEI and phone number?

~~~
djeiasbsbo
I used the Xposed Module "XPrivacyLua". On Android 10 it only runs in EdXposed,
which is itself a Magisk module; Magisk root is needed.

I should mention though, AFAIK only the pro version of XPrivacyLua can spoof
these values and log when they are requested. I have it configured so that
they randomise at boot.

Also keep in mind that this is pretty useless if your IP is exposed. One would
just use your IP to gather the location, regardless of spoofed location
permissions. So you'd have to either have a firewall as well or use something
like Tor.
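
Added example, not code from this thread or from XPrivacyLua itself: a minimal Xposed module in the same spirit, showing how such hooks log when the target app reads the clipboard, starts microphone capture, or asks for the IMEI, and how the IMEI is replaced with a fake value before the app sees it. The module package `com.example.privacyhooks`, the target package `com.example.targetapp`, the log tag, and the fixed fake IMEI are assumptions for illustration; XPrivacyLua randomises such values per boot rather than returning a constant.

```java
// Added example (not from the thread or from XPrivacyLua): an Xposed
// module that logs clipboard, microphone and IMEI access from one app and
// returns a fake IMEI. Package names, tag and fake value are assumptions.
package com.example.privacyhooks;

import android.media.AudioRecord;
import android.telephony.TelephonyManager;
import android.util.Log;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class PrivacyHooks implements IXposedHookLoadPackage {
    // Hypothetical target package; set this to the app under test.
    private static final String TARGET = "com.example.targetapp";
    private static final String TAG = "PrivacyHooks";
    // Constant fake IMEI for the example; a real tool would randomise it.
    private static final String FAKE_IMEI = "000000000000000";

    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        // Only hook inside the process of the app we are watching.
        if (!TARGET.equals(lpparam.packageName)) return;

        // 1. Clipboard reads: log the call and the stack that made it.
        XposedHelpers.findAndHookMethod(
                "android.content.ClipboardManager", lpparam.classLoader,
                "getPrimaryClip", new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) {
                        log("ClipboardManager.getPrimaryClip()");
                    }
                });

        // 2. Microphone: AudioRecord.startRecording() is where capture
        //    actually begins, whatever the app's UI claims to be doing.
        XposedHelpers.findAndHookMethod(AudioRecord.class, "startRecording",
                new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) {
                        log("AudioRecord.startRecording()");
                    }
                });

        // 3. IMEI: log the request, then overwrite the return value so the
        //    app receives the fake identifier instead of the real one.
        XC_MethodHook fakeImei = new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) {
                log(param.method.getName() + "() -> returning fake IMEI");
                param.setResult(FAKE_IMEI);
            }
        };
        XposedHelpers.findAndHookMethod(TelephonyManager.class, "getDeviceId", fakeImei);
        XposedHelpers.findAndHookMethod(TelephonyManager.class, "getDeviceId", int.class, fakeImei);
        XposedHelpers.findAndHookMethod(TelephonyManager.class, "getImei", fakeImei);
        XposedHelpers.findAndHookMethod(TelephonyManager.class, "getImei", int.class, fakeImei);
    }

    // The stack trace is the useful part: it shows which activity, service
    // or third-party SDK inside the app made the request.
    private static void log(String what) {
        XposedBridge.log(TAG + ": " + what + "\n"
                + Log.getStackTraceString(new Throwable()));
    }
}
```

To load it, the class name goes in the module's `assets/xposed_init` file and the module is enabled in the Xposed/EdXposed manager, after which the entries appear in the Xposed log. As the comment above notes, none of this hides the device's IP address: a network-level firewall such as NetGuard, or routing through Tor, is still needed for the location spoofing to mean anything.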

------
rammy1234
If you didn't pay for the service, then you are the product.

~~~
intopieces
There are two really important caveats to this statement:

(1) Just because you pay for a service doesn’t mean the company isn’t also
“double dipping” and collecting your data.

(2) There are plenty of free services (NextDNS, for example) for which you
aren’t the product. And of course there’s FOSS, which are not services but
come close.

~~~
ta17711771
Isn't NextDNS freemium?

~~~
rammy1234
It is. You have to pay for it. Nothing in this world is free.

~~~
intopieces
FOSS software is free. It’s even in the name!

