At what point do Google and Apple consider banning the app? To be honest I’m surprised (and disappointed) that an iOS app that does that much spying was approved, especially the clipboard thing. That shouldn’t have passed app review IMO.
Yet, the rest of the content on Tiktok is very low threat. No chat, no personal health forums, no private photos. It’s mostly a consumption platform with very little input from the users besides those listed in the linked thread (I don’t find that data particularly scary vs what we’ve accepted as normal in the internet).
What’s scary about tiktok is how addictive it is and how it is very much engineered and optimized to be so. Some in the new world are fine with this, I am not.
"For what it's worth I've reversed the Instagram, Facebook, Reddit, and Twitter apps. They don't collect anywhere near the same amount of data that TikTok does, and they sure as hell aren't outright trying to hide exactly what's being sent like TikTok is. It's like comparing a cup of water to the ocean - they just don't compare."
This is truly scary.
"People need to understand the timelines these people plan for."
On remote security problems, check this recent facebook SDK issue - https://github.com/facebook/facebook-ios-sdk/issues/1374
I think Snapchat also tries to detect whether you are trying to snoop in. There are many "privacy" focused apps that employ those techniques. Not that I trust TikTok to do it for privacy reasons, but they are not alone.
Why should I trust Zimperium with their automated reports without an explanation of what they are checking? The link to the report asks me for my phone number, email, name, and what not. Seems ironic.
I stopped reading through the other link which points to nowhere now (someone put a gdrive link in the comments). Why censor the code or is that just dummy code to make it spicy?
I would avoid TikTok like I did before, but don't blind yourself about other popular non-Chinese apps.
I am also curious about the reason for adding a way to unzip and execute binaries.
> There's also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary.
That sure looks malicious to me.
EDIT: Ditto for the active evasion.
> For what it's worth I've reversed the Instagram, Facebook, Reddit, and Twitter apps. They don't collect anywhere near the same amount of data that TikTok does, and they sure as hell aren't outright trying to hide exactly what's being sent
I thought that was the reason why Termux wouldn't work anymore.
I can't say anything about the second statement without knowing OP's background.
Is that a security problem?
The Facebook SDK shares a lot of information on startup, which the OP in the comment accuses TikTok of doing.
What's surprising for me is the claim that the behavior of the app changes if it detects someone is inspecting it. This seems a bit handwavy to me and I would like a more detailed explanation if anyone has one.
At this point, I think the bars for me are:
Don't upload content that I haven't explicitly posted to your servers. This can come in various forms:
- Assuming you gave an app access to your album because you wanted to post something from there. How do you know it's not simply uploading all your photos and videos silently in the background?
- Microphone data: Again, you let an app record some video and thereby give mic access to it; a malicious actor can then snoop in and listen to your conversation whenever they want.
These criticisms apply to both iOS and Android, although iOS is a little better in terms of how background services work. I don't do mobile dev as a profession, so I'd appreciate it if anyone could correct me if the OS does enforce some sort of protections here.
I know I've folded unknowingly, adding all sorts of extra tracking, including behaviour tracking, to my startup's web app, and looking back now I believe it's one of the reasons we ultimately failed: we broke trust with our users.
Protip: comply with your manager and when it’s rolled out give an anonymous tip to privacy watchdogs.
Stop giving away your data.
Is it just a decision of whether I want to give my data to the American government or the Chinese government?
iOS dev here. Facebook does the same with their SDK, which is included in basically every iOS app. Google does the same with the Firebase SDK, which is also included in every app. There are also tons of other SaaS companies offering their own plug-and-play analytics SDKs, which marketing managers are eager to shove down engineers' throats, as many as possible. It’s not uncommon for a single app to host 6-7 different analytics SDKs from various vendors. And this is on iOS, the supposedly “privacy conscious” platform. On Android it’s the total Wild West...
> For what it's worth I've reversed the Instagram, Facebook, Reddit, and Twitter apps. They don't collect anywhere near the same amount of data that TikTok does, and they sure as hell aren't outright trying to hide exactly what's being sent like TikTok is. It's like comparing a cup of water to the ocean - they just don't compare.
Classical example of "do you have the power to let go of power?"