
Guy Who Reverse-Engineered TikTok Reveals the Scary Things He Learned - ko3us
https://www.reddit.com/r/videos/comments/fxgi06/not_new_news_but_tbh_if_you_have_tiktiok_just_get/
======
Thorrez
2 days ago:
[https://news.ycombinator.com/item?id=23665084](https://news.ycombinator.com/item?id=23665084)

4 days ago:
[https://news.ycombinator.com/item?id=23638129](https://news.ycombinator.com/item?id=23638129)

------
creato
I don't doubt at all that TikTok is super shady, but

> I'm getting a lot of DM's asking me to prove the majority of this with a
> paper and snippets of the offending code. I have a decent amount of my notes
> on my other laptop that recently had a motherboard failure and the majority
> of that data is on the laptop's SSD. It's a macbook pro, so recovering the
> data isn't exactly super simple. I have some frida scripts that I pushed to
> my git server as well as some markdown files + conversation logs I've had
> with exploit devs, but not much else. In order to get everyone the proof
> they require, I'll likely need to reverse the app all over again which isn't
> something I have time for right now.

Just sounds like "my dog ate my homework".

~~~
TheSpiceIsLife
My 2013 MacBook Pro Retina recently died too, but anything worth keeping or
working on was stored in free-tier Dropbox, which has multi version history
too.

And I'm just a dumb boiler-maker / welder.

It seems absurd to me that anyone with half a technical clue wouldn't use some
kind of off-device / off-site backup.

~~~
gpm
To be honest - I know I should - but I don't either.

Lots of people with technical clues are also _lazy as fuck_ about doing
uninteresting work like setting up proper backups. They are also somewhat paranoid
about putting backups on other people's infrastructure like Dropbox (especially
unencrypted).

~~~
whoopdedo
Overconfidence. We somehow cling to this absurd notion that we're capable
enough to perform an emergency recovery if necessary. Never mind that we've
already experienced the difficulty of losing data one way or another, the
delusion yet persists.

I just wish affordable tape drives never disappeared.

------
est
Disclosure: am a dev working in the MCN business.

The "private data" the app collected is used, for the most part, to fingerprint the
unique user.

In every MCN app, there is a huge fake user problem. If an app collects zero
identifiable fingerprint, then a spammer can easily fake millions of views and
manipulate ranked content. The app developers are asked to think cleverly and
collect every piece of info they can, while spammers spend nights and days
spoofing every parameter in a virtual machine or even on a matrix of remotely
controlled real phones.

For example, if an iPhone 11 user logs in, but only with a screen resolution of
320x240, is it legit? I have caught tens of thousands of fake users with
simple checks like this. However, the tricks expire pretty quickly; you have
to move on with new feature checks, together with decision trees and Bayesian
networks.

Some of the fingerprint-collecting SDKs are even using native code to check
some ARM-specific instructions to tell if the device is fake or not. The
parameter checks had to be done in every important API call, or spammers can
easily pretend to be good citizens during the parameter-checking process and then
swap the session to a cheaper VM/phone or spam the targeted API with scripts.

Chinese companies all have their own team dealing with fraud or spamming on a
daily basis, the same way as everything can be faked in China.

Think cyber attacks from Chinese IPs are bad? Now imagine doing business in
China and all users of your product are bots, what methods do you have to
filter out the real human users? Good luck.

Many ads network SDKs are collecting user data in the same way. Otherwise it's
easy to spoof fake clicks and page views.

I'm not stating whether it's the right or wrong thing to do, I am just saying it's
how things are done in the current state of the business.

~~~
wearhere
What’s MCN?

~~~
jiggunjer
HN seems guilty of frequently using obscure acronyms. Is this an SV culture
thing? Is it that hard to type things out or use a text-expanding app?

~~~
thiagocsf
What’s SV? (seriously)

~~~
jml7c5
Silicon Valley.

------
namelosw
There has been a lot of bashing of TikTok recently. TikTok is by no means good,
but I have yet to see it proven much worse than its counterparts from Western
companies.

A lot of videos and articles feel to me more like pure anti-China
sentiment, just like many similar campaigns did to Huawei last year.

It's fine to call out the risk in terms of personal privacy or national
security.

It's also fine to have and express anti-China sentiments, since everyone has
his/her own opinions.

But it annoys me that there are a lot of people charging in with only assumptions, or
playing double standards just to make every Chinese business or Chinese person
look evil. It's just hypocritical.

~~~
onion2k
_I have yet to see it proven much worse than its counterparts from Western
companies_

Telling people that TikTok is doing some shady stuff doesn't mean other
companies are better. It's not a competition to see which company is good and
which is bad. _Every_ company that employs user tracking should be highlighted
and asked to stop, and users should be informed about what the company is
doing, no matter where the company is based.

If it could be proven that _every_ social media app is covertly tracking users
that would not mean TikTok is good. It would mean every social media app is
bad.

~~~
fps_doug
But here, no proof was provided at all. It's just accusations. Whenever
there's an article about privacy issues with Facebook, WhatsApp, Google etc.
there's in most cases a real name attached to the findings, and in _all cases_
detailed information on what is leaked, how it is leaked, snippets of reverse
engineered code, etc.

In this case we have a random reddit shitposter calling himself an expert,
making wild accusations.

It's not about "which company is better", it's about holding them up to the
same standards.

------
wslh
Show me the reversed code... and show your work in reversing FB, WP, IG. This
is how security works: you need to show actual reversing.

------
mrlala
Here's what I don't get about this.. I've seen all these various claims, and
to be frank I did uninstall tiktok just recently as I only enjoyed it for
about a week or so then lost interest, and there's all this stuff coming up
about it....

All these claims I see sound like EVERY SINGLE APP could be doing the same
thing. Are both iOS/Android really _that_ exposed that they can just get all
of this info without explicitly asking for permission? If they are bypassing
shit and recording your mic under the radar.. how the hell would apple/google
be letting a billion user+ app be doing this?

Something just doesn't pass the smell test here.

~~~
buran77
Every single app could be doing the same thing. They ask for pretty broad
permissions for purportedly innocent reasons but once given that access they
can use it for anything they choose. This happens because even tech educated
people (as you'd expect on HN) insist that they _want_ to sacrifice privacy if
it brings functionality [0]. A regular user is probably completely unaware
that this could even be a problem. From their perspective they're just getting
cool features for free.

[0]
[https://news.ycombinator.com/item?id=23678303](https://news.ycombinator.com/item?id=23678303)

------
RantyDave
So, TikTok on my (Android) phone has a grand total of zero permissions. And
even if it is able to download and run some code, isn't it running in a
sandbox? I don't really understand the panic here...

~~~
BeatLeJuce
While the app might not be able to harm your phone, your grandma or daughter
might not be as tech savvy and may grant permissions more freely. Also, even
though sandboxed, if you can download and run unknown code on the devices of
billions of users, you have a very large phone botnet at your disposal if you
ever need it.

~~~
pietrovismara
Even if it wasn't your intention, it sounds like you're implying tech
savviness is exclusive to men... please try to be inclusive, this industry
needs it so much.

------
bllguo
Surprised people are so willing to accept these claims without proof,
especially here, where I imagine the number of people who could actually do
the work this person claimed to is disproportionately high.

~~~
weeks
The technical claims don't seem very far fetched. They're basically describing
every banking "anti-fraud SDK" I've ever reversed.

------
jb775
So is the primary concern about the lengths TikTok goes to scrape user data?
Or more-so that it's a Chinese company scraping user data?

I'd assume apps like fb/twitter/snapchat/etc scrape just as much. And since
the US gov basically forces them to install backdoors, isn't that worse than
this whole TikTok privacy conversation? Maybe I'm missing something though.

~~~
anjbe
> I'd assume apps like fb/twitter/snapchat/etc scrape just as much.

The author claims otherwise:

“For what it's worth I've reversed the Instagram, Facebook, Reddit, and
Twitter apps. They don't collect anywhere near the same amount of data that
TikTok does, and they sure as hell aren't outright trying to hide exactly
what's being sent like TikTok is. It's like comparing a cup of water to the
ocean - they just don't compare.”

~~~
searchableguy
I said this before on the previous thread. Without knowing the author's
background, you can't trust his claim. Either he provides reproducible
evidence or has something backing up his claims.

------
mdrabla
Here's a mirror of the video (from the OP of that thread):

[http://www.youtube.com/watch?v=I_fyz5rOwFc](http://www.youtube.com/watch?v=I_fyz5rOwFc)

------
leptoniscool
Extraordinary claims require extraordinary proof.

~~~
PurpleRamen
How are those claims extraordinary? It's stuff that all apps are doing to
some degree.

------
znpy
«Sorry, this post has been removed by the moderators of r/videos.»

Also, the video is unavailable on youtube.

~~~
22c
OP may have intended for you to read the top comment of the post

[https://www.reddit.com/r/videos/comments/fxgi06/not_new_news...](https://www.reddit.com/r/videos/comments/fxgi06/not_new_news_but_tbh_if_you_have_tiktiok_just_get/fmuko1m/)

------
skee0083
Annnd all the links have been removed...

~~~
slantaclaus
Mirror to video shared in post:
[https://youtu.be/I_fyz5rOwFc](https://youtu.be/I_fyz5rOwFc)

------
tragiclos
What makes this so much more objectionable than the myriad ad tracking
networks on most web pages?

------
sAbakumoff
> I have a decent amount of my notes on my other laptop that recently had a
> motherboard failure and the majority of that data is on the laptop's SSD. It's
> a macbook pro, so recovering the data isn't exactly super simple.

Isn't it an excellent sample of "the cat ate my code" excuse?

------
dancemethis
Imagine when it's done with Discord.

------
nix23
>thinly-veiled as a social network

I think I read that exact sentence here on HN, oh and my dog ate all the
proofs. No need to do it again ;)

------
crzydreamwalkr
The link has been removed from both Reddit and YouTube. Is there any other
link available to read the actual post?

------
FooBarWidget
From a legal perspective, it seems that Tiktok is mostly (but not completely)
covered. They mention these activities in their privacy statement. The
statement is not clear enough on what each individual activity is used for:
they put a lot of activities under an umbrella reason such as "providing tech
support" and "collection for analytics partners".

It doesn't make their activities right, of course. But it's debatable whether
_legally_ speaking, they are in violation of privacy laws.

I think they have a higher chance of violating EU privacy laws than US ones.
GDPR is quite strict: you need to have a good reason for doing something, not
merely mentioning that you'll do something.

I think it's also interesting to know that Tiktok's servers are in Singapore.

------
greatjack613
Not surprised at all. TikTok has clear ties to China, and with all things
China comes the government's control. Chances are China was using TikTok as a
global surveillance tool.

~~~
johannes1234321
And everything from the U.S. comes with prism and national security letters.

~~~
greatjack613
Valid point, but I prefer a democratic govt spying on me to a totalitarian
govt with world-conquering ambitions and a history of suppressing minorities.

~~~
Shorel
As someone who was born in and lives in neither of these countries, both have
conquering ambitions and a history of suppressing minorities.

The USA is just much better at pretending everything it does is rightful.

~~~
freshhawk
Americans do the American Exceptionalism Poe's Law thing nonstop and I
alternate between exhaustion and a sense of humor about it.

I mean, "a history of suppressing minorities" in the summer of 2020 is very
funny. It does feel like Gen Z kids are aware of global events enough to not
fall for this, so maybe it is ending.

------
dathinab
Uhm, video disappeared or silently geo-blocked.

------
bobbydreamer
Is there a TikTok proxy app?

------
chrischen
This guy's comment (prosound2000) pretty much tells it like it is:

> The problem here is Facebook, Instagram and Twitter are US based companies
> that are beholden to the government. While sure you have lobbying going on,
> they are ultimately separate from the government, and if they are found in
> violation of certain laws will be prosecuted or at least brought in front of
> congress and can face stiff penalties in the US. TikTok IS the Chinese
> government. They are beholden to no one. They can't break the law since they
> are the law.

Well, he almost has it figured out. We are all actually beholden to our
governments. Even Apple allegedly held off on iCloud encryption because of FBI
pressure, not to mention constant right-wing efforts to destroy encryption and
force companies to insert backdoors. China has a stronger central authority
(therefore it is easier to force companies to do things), but the US is itching to
go that route as well. Fighting it means preserving an actual ideological
backbone, rather than simply consolidating all power to destroy our enemies.

If we lose sight of encryption and the separation of our corporate entities from
our government, then we are just China in a different location.

