
Not new news, but tbh if you have tiktok, just get rid of it – videos - mrfusion
https://www.reddit.com/r/videos/comments/fxgi06/comment/fmuko1m
======
dang
[https://news.ycombinator.com/item?id=23638129](https://news.ycombinator.com/item?id=23638129)

------
burlesona
Suggested title: reverse engineering TikTok to see how much data it collects.

At what point do Google and Apple consider banning the app? To be honest I’m
surprised (and disappointed) that an iOS app that does that much spying was
approved, especially the clipboard thing. That shouldn’t have passed app
review IMO.

~~~
peterkos
Apple risks damage to their brand by not allowing it. It's the same reason why
they politely ask Uber and Facebook to fix serious bugs in their apps, rather
than removing them with no comment, as they've proven to do with small iOS
devs.

------
parhamn
These seem like standard things any analytics tracker (including GA) tracks,
check out amiunique [1] for a set of things that can be tracked using your
favorite secure browser.

Yet, the rest of the content on Tiktok is very low threat. No chat, no
personal health forums, no private photos. It’s mostly a consumption platform
with very little input from the users besides those listed in the linked
thread (I don’t find that data particularly scary vs what we’ve accepted as
normal on the internet).

What’s scary about tiktok is how addictive it is and how it is very much
engineered and optimized to be so. Some in the new world are fine with this, I
am not.

[1] [https://amiunique.org/](https://amiunique.org/)

~~~
wavepruner
From the comment:

"For what it's worth I've reversed the Instagram, Facebook, Reddit, and
Twitter apps. They don't collect anywhere near the same amount of data that
TikTok does, and they sure as hell aren't outright trying to hide exactly
whats being sent like TikTok is. It's like comparing a cup of water to the
ocean - they just don't compare."

~~~
parhamn
Sure, very shady. My point is, I’d be much more concerned about a WeChat that
has your conversations, transaction history, etc. than a non-topical video feed
(e.g. unlike YouTube, people don’t really look for STD/mental-health videos on
tiktok, or other things that reveal a lot about a user).

------
searchableguy
I looked through the comments to see if someone could provide me steps or
evidence of what they did rather than just telling me about what they found. I
have no doubt tiktok is nefarious, but most of the things are done by other
players, with some security problems mixed in.

On remote security problems, check this recent facebook SDK issue -
[https://github.com/facebook/facebook-ios-sdk/issues/1374](https://github.com/facebook/facebook-ios-sdk/issues/1374)

I think snapchat also tries to detect whether you are trying to snoop in.
There are many "privacy" focused apps that employ those techniques. Not that I
trust tiktok to do it for privacy reasons, but they are not alone.

Why should I trust zimperium with their automated reports without an
explanation of what they are checking? The link to the report asks me for my
phone number, email, name, and what not. Seems ironic.

I stopped reading through the other link which points to nowhere now (someone
put a gdrive link in the comments). Why censor the code or is that just dummy
code to make it spicy?

I would avoid tiktok like I did before but don't blind yourself about other
popular non chinese apps.

I am also curious about the reason for adding a way to unzip and execute
binaries.

~~~
jjoonathan
Backdoors are "bad security practices rather than looking malicious"?

> There's also a few snippets of code on the Android version that allows for
> the downloading of a remote zip file, unzipping it, and executing said
> binary.

That sure looks malicious to me.

EDIT: Ditto for the active evasion.

> For what it's worth I've reversed the Instagram, Facebook, Reddit, and
> Twitter apps. They don't collect anywhere near the same amount of data that
> TikTok does, and they sure as hell aren't outright trying to hide exactly
> whats being sent

~~~
searchableguy
Yeah that one seems _bad_. Although isn't android cracking down on the
functionality?

I thought that was the reason why Termux wouldn't work anymore.

[https://github.com/termux/termux-packages/wiki/Termux-and-An...](https://github.com/termux/termux-packages/wiki/Termux-and-Android-10)

I can't say anything about the second statement without knowing op's
background.

------
safog
Remote telemetry configuration and collecting basically everything they can
about the device isn't anything new really. I think mobile apps (especially on
Android) have been doing that since the beginning of time.

What's surprising for me is the claim that the behavior of the app changes if
it detects someone is inspecting it. This seems a bit handwavey to me and I
would like a more detailed explanation if anyone has one.

At this point, I think the bars for me are:

Don't upload content that I haven't explicitly posted to your servers. This
can come in various forms:

- Assuming you gave an app access to your album because you wanted to post
something from there. How do you know it's not simply uploading all your
photos and videos silently in the background?

- Microphone data: Again you let an app record some video and thereby give
mic access to it, a malicious actor can then snoop in and listen to your
conversation whenever they want.

These criticisms apply to both iOS and Android, although iOS is a little better
in terms of how background services work. I don't do mobile dev as a
profession, so I'd appreciate it if anyone could correct me if the OS does
enforce some sort of protections here.

~~~
artsyca
How many of us developers would take a principled stand when tasked with
implementing features such as these and how many would silently comply?

I know I've folded unknowingly, adding all sorts of extra tracking including
behaviour tracking to my startup's web app and looking back now I believe it's
one of the reasons we ultimately failed because we broke trust with our users.

~~~
layoutIfNeeded
> How many of us developers would take a principled stand when tasked with
> implementing features such as these and how many would silently comply?

Protip: comply with your manager and when it’s rolled out give an anonymous tip
to privacy watchdogs.

~~~
artsyca
Woa. Dude games without frontiers. That's some next level shit.

------
Thorrez
The youtube video says "Video unavailable"

[https://www.youtube.com/watch?v=xJlopewioK4](https://www.youtube.com/watch?v=xJlopewioK4)

------
angott
The app is also extremely good at avoiding censorship, which I find highly
ironic for a product made in China. I once tried to block TikTok at the DNS
level, and I realized that if you block any of their DNS names, the app will
start using encrypted DNS over HTTPS via 8.8.8.8 to circumvent your efforts.
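The comment above describes a DNS-over-HTTPS fallback that defeats resolver-level blocking. The following is an added example, not code from the thread or from any commenter, showing how a defender might spot that fallback in an egress log and close the side door. It assumes an invented log format (one line per outbound TCP connection with the TLS SNI, if any), a constructed domain placeholder for the blocked app, and a list of well-known public DoH resolver addresses that is my own; only 8.8.8.8 is named in the comment.

```python
"""Flag likely DNS-over-HTTPS fallback in an egress connection log.

Added example; none of this is from the thread. Assumed log line format:
    <ts> <src_ip> -> <dst_ip>:<dst_port> sni=<server_name or ->
"""
import re
from dataclasses import dataclass

# Addresses of well-known public DoH resolvers (my list; the comment names
# only 8.8.8.8). Plain-DNS blocking on UDP/53 is assumed to be in place already.
KNOWN_DOH_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) sni=(?P<sni>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    kind: str    # "doh_resolver" or "blocked_name_reached"
    detail: str  # resolver IP or the SNI that should not have resolved


def parse_line(line):
    """Parse one assumed-format log line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def name_is_blocked(name, blocked_domains):
    """True if name equals, or is a subdomain of, any blocked domain."""
    name = name.lower().rstrip(".")
    return any(name == b or name.endswith("." + b) for b in blocked_domains)


def detect_doh_bypass(lines, blocked_domains):
    """Return findings for two signals that the resolver block is being bypassed:

    1. a TLS connection straight to a public DoH resolver, and
    2. a TLS connection whose SNI is a name our resolver refuses to answer,
       which means the client resolved it somewhere else.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line
        if rec["dst"] in KNOWN_DOH_RESOLVERS and rec["port"] == 443:
            findings.append(Finding(rec["ts"], rec["src"], "doh_resolver", rec["dst"]))
        elif rec["sni"] != "-" and name_is_blocked(rec["sni"], blocked_domains):
            findings.append(Finding(rec["ts"], rec["src"], "blocked_name_reached", rec["sni"]))
    return findings


def egress_block_rules(resolvers=frozenset(KNOWN_DOH_RESOLVERS)):
    """nftables rule bodies that drop HTTPS to the listed resolvers, so the
    app cannot reach them for DoH either."""
    return [f"ip daddr {ip} tcp dport 443 drop" for ip in sorted(resolvers)]


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
BLOCKED = {"blocked-video-app.example"}  # placeholder for the app's domains
SAMPLE_LOG = [
    "2020-06-24T10:00:01 192.168.1.20 -> 8.8.8.8:443 sni=dns.google",
    "2020-06-24T10:00:02 192.168.1.20 -> 203.0.113.10:443 sni=cdn.blocked-video-app.example",
    "2020-06-24T10:00:03 192.168.1.30 -> 198.51.100.5:443 sni=www.example.org",
    "2020-06-24T10:00:04 192.168.1.20 -> 203.0.113.11:443 sni=api.blocked-video-app.example",
    "2020-06-24T10:00:05 192.168.1.30 -> 8.8.8.8:53 sni=-",
    "this line is not a connection record",
]

if __name__ == "__main__":
    for f in detect_doh_bypass(SAMPLE_LOG, BLOCKED):
        print(f"{f.ts} {f.src} {f.kind}: {f.detail}")
    print("\n".join(egress_block_rules()))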

------
aphroz
It is scary that most users don't have any clue what apps collect and why it
matters. I feel like we are in the dark age of the Internet, when only a few
know how it works and 95% of the population trust them because they don't know
how it works.

~~~
DevKoala
Exactly this. Even on this site, there are tons of questions from tech savvy
individuals who don’t understand the data business. The data is farmed and
sold to influence your purchase decisions, political preferences, dieting
habits, etc. It is also used by third parties to make decisions around the
risk of providing you with insurance, your credit worthiness and even legal
arguments.

Stop giving away your data.

------
booleandilemma
How different is tiktok compared to facebook or any American social networking
app/company?

Is it just a decision of whether I want to give my data to the American
government or the Chinese government?

~~~
layoutIfNeeded
> Is it just a decision of whether I want to give my data to the American
> government or the Chinese government?

iOS dev here. Facebook does the same with their SDK, which is included in
basically every iOS app. Google does the same with the Firebase SDK, which is
also included in every app. There are also tons of other SaaS companies
offering their own plug-and-play analytics SDKs, and marketing managers are
eager to shove as many of them as possible down the engineers' throats. It’s
not uncommon for a single app to host 6-7 different analytics SDKs from various
vendors. And this is on iOS, the supposedly “privacy conscious” platform. On
Android it’s total Wild West...

------
wslh
In the old days you spent more time reverse engineering an app before you made
a post or wrote an article.

------
apsec112
[deleted]

~~~
jjoonathan
Interesting, I had the opposite reaction: isn't it sad that a post with
genuinely insightful information and discussion momentum has to be prefixed
with "not new news" to head off the inevitable cloud of detractors who argue
that a lack of novelty implies that a subject isn't worth attention /
discussion / action?

------
mtgp1000
At this point, what are the odds that the Chinese government _isn't_ involved
in tiktok?

~~~
oehtXRwMkIs
It would be absurd if they weren't. The party is involved in every big corp.
It would be incompetence to not be involved.

~~~
artsyca
The very same thing that is viewed as a strength, i.e. oversight of everyone
and everything, is also a weakness in its own right --

Classical example of "do you have the power to let go of power?"

