
TikTok: Logs, Logs, Logs - kkm
https://medium.com/@fs0c131y/tiktok-logs-logs-logs-e93e8162647a
======
oxymoran
None of that matters though. The point is this: TikTok is owned by ByteDance.
By definition, ByteDance is owned by the CCP. The CCP currently has
concentration camps and is starting to act fairly imperialistic and bellicose.
They clearly believe that their method of governance is superior to Democracy
and they have ambitions to become the world's superpower. The point is that
they could use this to spy at any point in time if they wanted to even if they
aren’t at this very second. The CCP simply cannot be trusted and never should
have been in the first place. It is the exact same CCP that led to the death
of millions of innocent Chinese during the cultural revolution. They still
have portraits proudly displayed of Mao Zedong FFS.

~~~
FooBarWidget
You fear CCP propaganda. All right. But it seems that in your zeal to deny CCP
propaganda, you seem to forget that _all_ media is propaganda. All this
western media attention towards how CCP is evil and how Tiktok can be used to
spy or influence us, no matter whether they are right, are _also_ designed as
distractions from domestic issues.

Let's say we should ban Tiktok. Everybody's data is still being spied on by
the CIA, and gathered by PRISM.

Go one step further. Ban Tiktok _and_ Facebook, Twitter, etc.

~~~
kumarvvr
This is an incredibly bad faith argument. What are you saying? Because
everything is propaganda, either everything should be allowed or everything
should be banned?

What happens within the borders of a country is different, even if it is
spying and suppression of human rights and what not.

The destiny of a country should be in the hands of its people. Be it good,
bad or worse. But if you allow propaganda from another country to enter into
your media, all is lost. Why? Because you lose faith in _everything_. How is
one sure the revolution in a country is pure bred from that country? How is
one sure the change one sought is because of the needs of the people of that
country?

It's an incredibly dangerous situation. Even if your own govt. spies on you,
stopping the propaganda of a foreign country takes precedence _at all costs_ ,
if necessary, even by war.

~~~
rydre
American social media apps dominate my country. Google 99% market share.
Facebook/Instagram 95% market share in social. 5eyes/PRISM (they're not gonna
forgive Snowden, he ruined their reputation) monitors my country (not part of
the Anglosphere) and I never consented.

Am I supposed to tell my government to block American apps so that I can
compete with American apps or on "national security" grounds? Because this is
the trend Americans will see. And if Zuck is reading this, you're shooting
your own foot. What do you think is gonna happen? You're pitting the
government against TikTok because your company cannot compete fairly. You
think you'll win like this? Your Facebook/Instagram will get banned in future
by other democratic countries in future because of the precedent you're going
to be setting.

Let China do its thing. It may very well turn out that their way of
governance is better. Losers stick to old ways, if it turns out it's the
superior system, they'll clearly be better.

But for a system to be proven takes decades/centuries. As long as China does
not force its system, it's fine in my eyes.

~~~
kumarvvr
> Am I supposed to tell my government to block American apps so that I can
> compete with American apps or on "national security" grounds?

The primary motive is to curb propaganda. If all the countries in the world
blocked data collection, businesses all over would stop data collection.

> You're pitting the government against TikTok because your company cannot
> compete fairly

Perhaps. But if the new competing app also collects data, the govt. ought to
shut it down. Ultimately, I want _data collection_ to stop.

> It may very well turn out that their way of governance is better

Governance is different from protecting basic human rights. An authoritarian
government is a danger to the whole world. You can see that already happening
with Turkey.

~~~
FooBarWidget
How is Turkey a danger to the whole world?

And didn't the Turkish people vote in Erdogan?

------
diminish
> .. understand what data does TikTok regularly send back to its servers. I
> decrypted the content of the requests and analysed it. As far as we can see,
> in its current state, TikTok doesn’t have a suspicious behavior and is not
> exfiltrating unusual data. Getting data about the user device is quite
> common in the mobile world and we would obtain similar results with
> Facebook, Snapchat, Instagram and others.

------
strooper
Thanks for excellent technical analysis! I personally enjoyed reading your
article. However, to my knowledge, no decision maker is interested to learn
the technical details. Don't we know already this tiktok is just in the US-
China cross fire?

Our American friends are interested to teach our Chinese friends lessons by
hitting hard on their public business faces. Never mind not talking about
thousands of real estate investments by Chinese people in US cities. Never
mind, not talking about CCP atrocities on the Xinjiang people going way back
at least 15 years (since when I am following).

It's not support for humanity, it's not about sudden urge for national
security, it's about politics and populism.

~~~
SpicyLemonZest
If it were just in the US-China crossfire, I'd expect to see a lot more voices
speaking out in defense of it. The decisionmakers themselves aren't
tremendously technical people, but technical people seem convinced there's a
real problem here.

------
tuyuri
It's important to say that BURP only deals with http like requests (
http/https websockets ) and the app can be sending/receiving data via other
protocols, the same way you can't see whatsapp messages via burp [0]

[0] - https://security.stackexchange.com/questions/153944/burp-with-whatsapp

~~~
DarthGhandi
This is an excellent point.

Checking wireshark should really be done first.
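
The check this sub-thread describes, as an added example that is not part of the original comments: given flow records exported from a packet capture, list every flow that never reached the HTTP proxy listener and so could not appear in Burp. The proxy address, the flow records (constructed sample data, not a TikTok capture) and the function names are assumptions.

```python
# Added example: which captured flows could an HTTP intercepting proxy not have seen?
# All addresses and payloads are constructed sample data.

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ")

PROXY = ("192.168.1.10", 8080)  # assumed proxy listener address (hypothetical)

SAMPLE_FLOWS = [  # constructed: transport, destination, first client payload bytes
    {"transport": "tcp", "dst": ("192.168.1.10", 8080),
     "payload": b"CONNECT api.example.test:443 HTTP/1.1\r\n"},
    {"transport": "tcp", "dst": ("203.0.113.7", 443),
     "payload": bytes.fromhex("16030100c8010000c40303")},
    {"transport": "udp", "dst": ("203.0.113.9", 443),
     "payload": b"\xc3\x00\x00\x00\x01"},
    {"transport": "tcp", "dst": ("203.0.113.20", 9000),
     "payload": b"\x00\x01binary-frame"},
]


def classify_flow(transport, payload):
    """Label a flow from its transport and the first bytes the client sent."""
    if transport == "udp":
        return "udp"  # e.g. QUIC or a custom datagram protocol
    if payload.startswith(HTTP_METHODS):
        return "plain-http"
    # TLS record header: type 0x16 (handshake), major version 0x03,
    # then handshake type 0x01 (ClientHello) at offset 5.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 \
            and payload[5] == 0x01:
        return "tls"  # inner protocol unknown: may or may not be HTTP
    return "raw-tcp"  # non-HTTP, non-TLS application protocol


def proxy_blind_spots(flows, proxy):
    """Return (destination, label) for each flow that bypassed the proxy."""
    return [(f["dst"], classify_flow(f["transport"], f["payload"]))
            for f in flows if f["dst"] != proxy]


if __name__ == "__main__":
    for dst, label in proxy_blind_spots(SAMPLE_FLOWS, PROXY):
        print(f"{dst[0]}:{dst[1]}  {label}  (not visible in the proxy history)")
```

An empty result means every captured flow went through the proxy; any entry is traffic that a proxy-only analysis would have missed.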

------
alexnewman
I think America not allowing any Chinese product is not tenable and is a
rejection of free markets. We must have a way of making them safe, providing
penalties for violations of people's safety, and oversight provided by
independent corporate entities

~~~
solidasparagus
Markets are never fully free - ask any US company that has tried to sell to
the Chinese market. What we are seeing here is the first truly global Chinese
app. The US is grappling with the fact that China makes it very difficult for
American companies to access the China market, but the US generally does not
do the same for foreign countries. However, maintaining that approach puts US
companies at a distinct disadvantage.

~~~
DarthGhandi
> ask any US company that has tried to sell to the Chinese market

Like Boeing, Microsoft, GM, Apple, KFC, McDonalds, Procter and Gamble, GE,
Nike, Coca-Cola? They all make billions annually and have dominant
marketshare. American companies are everywhere.

Facebook and Google are the only two banned that I know of and it's because
they didn't want to follow local regulations.

~~~
nouveaux
Here is a list of websites banned in China:

https://en.wikipedia.org/wiki/List_of_websites_blocked_in_mainland_China

------
moreorless
I recall reading somewhere:

In China, you can change the policies, but you can't change the party. In
America, you can change the parties, but you cannot change the policy.

------
AtomicOrbital
Clearly apps ecosystem badly needs end-to-end encryption which is exclusively
installed and applied by each enduser party not by server side which is easily
circumvented by powers to be ... also to obfuscate who endusers are we also
need a tor router like ecosystem ... until these layers become available
everyone is simply rearranging deck chairs on the Titanic of mass surveillance

------
beaunative
TikTok is a company, and has many competitors, there would not be any issue
for anyone to develop a tiktok copycat. Why should it be banned under a free
market? Plenty of silicon valley leadership have their political allegiance.
Why would that be a problem for the users?

------
DarthGhandi
So nothing really surprising, shame he didn't go into the encryption lib but
I'd guess it's something boring and normal.

~~~
K0nserv
From what I have found (on iOS) they have some homegrown stuff with AES128 and a
fixed key "yu __ __ __ __ __*ods "

------
kanox
TL;DR: nothing

I would be shocked to see solid proof that tiktok is substantially more
intrusive than snapchat or instagram. Data collection should be limited at the
OS level anyway.

The only crime of tiktok is being Chinese.

------
perrohunter
So TikTok is not GDPR compliant?

~~~
FooBarWidget
Not necessarily. Tiktok could sign a Data Processing Agreement with whatever
US cloud they host their stuff on.

~~~
sjmulder
That doesn't cover collecting the data in the first place.

------
seemslegit
tldr;
https://www.youtube.com/watch?v=UVgbFttx-6I

------
gthtjtkt
This is an extremely simplistic analysis and he even admits he only spent 3
hours doing it. He analyzed a single network call.

~~~
GaryNumanVevo
I'm looking forward to your extremely non-simplistic follow up post then!

~~~
gthtjtkt
So you think examining a single network activity is a thorough analysis of an
application with millions of lines of code?

~~~
GaryNumanVevo
I know nothing about Android application development

