[dupe] Not new news, but tbh if you have TikTok, just get rid of it – videos (reddit.com)
109 points by mrfusion 7 days ago | 34 comments

Suggested title: reverse engineering TikTok to see how much data it collects.

At what point do Google and Apple consider banning the app? To be honest I’m surprised (and disappointed) that an iOS app that does that much spying was approved, especially the clipboard thing. That shouldn’t have passed app review IMO.


Apple risks damage to their brand by not allowing it. It's the same reason why they politely ask Uber and Facebook to fix serious bugs in their apps, rather than removing them with no comment, as they've proven to do with small iOS devs.

You think they would dare upset the CCP?

These seem like standard things any analytics tracker (including GA) tracks; check out amiunique [1] for a set of things that can be tracked using your favorite secure browser.

Yet the rest of the content on TikTok is very low threat. No chat, no personal health forums, no private photos. It's mostly a consumption platform with very little input from the users besides those listed in the linked thread (I don't find that data particularly scary vs. what we've accepted as normal on the internet).

What’s scary about tiktok is how addictive it is and how it is very much engineered and optimized to be so. Some in the new world are fine with this, I am not.

[1] https://amiunique.org/


From the comment:

"For what it's worth I've reversed the Instagram, Facebook, Reddit, and Twitter apps. They don't collect anywhere near the same amount of data that TikTok does, and they sure as hell aren't outright trying to hide exactly whats being sent like TikTok is. It's like comparing a cup of water to the ocean - they just don't compare."


Sure, very shady. My point is, I'd be much more concerned about a WeChat that has your conversations, transaction history, etc. than a non-topical video feed (e.g., unlike YouTube, people don't really look for STD/mental-health videos on TikTok, and things that reveal a lot about a user).

"TikTok is a government tool by the Chinese communist government to mine information from future leaders and blackmail them."

This is truly scary.

"People need to understand the timelines these people plan for."


Most analytics trackers don't have code to extract and execute the contents of a zip file.

I looked through the comments to see if someone could provide me steps or evidence of what they did, rather than just telling me about what they found. I have no doubt TikTok is nefarious, but most of the things are done by other players, with some security problems mixed in.

On remote security problems, check this recent facebook SDK issue - https://github.com/facebook/facebook-ios-sdk/issues/1374

I think Snapchat also tries to detect whether you are trying to snoop in. There are many "privacy"-focused apps that employ those techniques. Not that I trust TikTok to do it for privacy reasons, but they are not alone.

Why should I trust Zimperium with their automated reports without an explanation of what they are checking? The link to the report asks me for my phone number, email, name, and whatnot. Seems ironic.

I stopped reading through the other link, which points to nowhere now (someone put a gdrive link in the comments). Why censor the code, or is that just dummy code to make it spicy?

I would avoid TikTok like I did before, but don't blind yourself about other popular non-Chinese apps.

I am also curious about the reason for adding a way to unzip and execute binaries.


Backdoors are "bad security practices rather than looking malicious"?

> There's also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary.

That sure looks malicious to me.

EDIT: Ditto for the active evasion.

> For what it's worth I've reversed the Instagram, Facebook, Reddit, and Twitter apps. They don't collect anywhere near the same amount of data that TikTok does, and they sure as hell aren't outright trying to hide exactly whats being sent
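The pattern quoted above (fetch a remote zip, unpack it, execute what came out) is the kind of thing an analyst triages by looking for the three API families appearing together in one class rather than anywhere in the app. The following is an added example, not code from the reverse-engineering post or from TikTok: a small indicator scanner over decompiled Java or smali text. The indicator strings are ordinary Android/Java API names; the three "decompiled" snippets are constructed for the demo.

```python
"""Flag decompiled units that combine remote download, zip extraction and
process execution in one place.

Added example; the SAMPLES below are constructed, not real app code.
A hit on one family alone is normal (every app unzips assets or opens
sockets); a unit that hits all three is what an analyst wants to read.
"""
import re
from dataclasses import dataclass, field

INDICATORS = {
    "download": [r"HttpURLConnection", r"okhttp3\.", r"openConnection\(", r"URL\("],
    "unzip":    [r"java/util/zip/ZipInputStream", r"ZipInputStream", r"ZipFile"],
    "execute":  [r"Runtime\.getRuntime\(\)\.exec\(", r"ProcessBuilder",
                 r"DexClassLoader", r"System\.load\(", r"Ljava/lang/Runtime;->exec"],
}

@dataclass
class Finding:
    unit: str
    families: dict = field(default_factory=dict)  # family -> [(line_no, text)]

    @property
    def severity(self) -> str:
        return {3: "high", 2: "medium"}.get(len(self.families), "info")

def scan_unit(name: str, text: str) -> Finding:
    """Return which indicator families appear in one class / smali file."""
    f = Finding(unit=name)
    for family, patterns in INDICATORS.items():
        for no, line in enumerate(text.splitlines(), 1):
            if any(re.search(p, line) for p in patterns):
                f.families.setdefault(family, []).append((no, line.strip()))
    return f

def scan_tree(units: dict) -> list:
    """Scan many units (path -> source text); worst severity first."""
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted((scan_unit(n, t) for n, t in units.items()),
                  key=lambda x: order[x.severity])

# Constructed samples: one real dropper shape, two benign look-alikes.
SAMPLES = {
    "com/example/Updater.java": """
        URL u = new URL(cfg.getString("pkg_url"));
        HttpURLConnection c = (HttpURLConnection) u.openConnection();
        ZipInputStream z = new ZipInputStream(c.getInputStream());
        File bin = unpack(z, getFilesDir());
        bin.setExecutable(true);
        Runtime.getRuntime().exec(bin.getAbsolutePath());
    """,
    "com/example/Assets.java": """
        ZipFile zf = new ZipFile(new File(ctx.getFilesDir(), "emoji.zip"));
    """,
    "com/example/Api.java": """
        Response r = okhttp3.OkHttpClient().newCall(req).execute();
    """,
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLES):
        print(f"{f.severity:6} {f.unit} {sorted(f.families)}")
```

The point of scoring per unit rather than per app is to avoid the false positive the thread itself warns about: an app that unzips emoji packs and also talks HTTP is not a dropper. Only `Updater.java` is reported high here; the other two are info-level. Run it over a jadx or apktool output tree by reading each file into the dictionary.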


Yeah, that one seems bad. Although isn't Android cracking down on the functionality?

I thought that was the reason why Termux wouldn't work anymore.

https://github.com/termux/termux-packages/wiki/Termux-and-An...

I can't say anything about the second statement without knowing op's background.


> Also on security problems, check this recent facebook SDK issue - https://github.com/facebook/facebook-ios-sdk/issues/1374

Is that a security problem?


I think it is. Facebook remotely crashed all their apps. The SDK depends on the information from the server on startup.

The Facebook SDK shares a lot of information on startup, which is what the OP in the comment accuses TikTok of doing.

https://github.com/facebook/facebook-ios-sdk/issues/1374#iss...


Theoretically it could crash at startup and not share much info (just IP address of the user).

Remote telemetry configuration and collecting basically everything they can about the device isn't anything new really. I think mobile apps (especially on Android) have been doing that since the beginning of time.

What's surprising for me is the claim that the behavior of the app changes if it detects someone is inspecting it. This seems a bit handwavey to me and would like a more detailed explanation if anyone has one.

At this point, I think the bars for me are:

Don't upload content that I haven't explicitly posted to your servers. This can come in various forms:

- Assuming you gave an app access to your album because you wanted to post something from there, how do you know it's not simply uploading all your photos and videos silently in the background?

- Microphone data: again, you let an app record some video and thereby give mic access to it; a malicious actor can then snoop in and listen to your conversation whenever they want.

These criticisms apply to both iOS and Android, although iOS is a little better in terms of how background services work. I don't do mobile dev as a profession, so I'd appreciate it if anyone could correct me if the OS does enforce some sort of protections here.


How many of us developers would take a principled stand when tasked with implementing features such as these and how many would silently comply?

I know I've folded unknowingly, adding all sorts of extra tracking, including behaviour tracking, to my startup's web app, and looking back now I believe it's one of the reasons we ultimately failed: we broke trust with our users.


>How many of us developers would take a principled stand when tasked with implementing features such as these and how many would silently comply?

Protip: comply with your manager and, when it's rolled out, give an anonymous tip to privacy watchdogs.


Whoa. Dude, games without frontiers. That's some next level shit.

The youtube video says "Video unavailable"

https://www.youtube.com/watch?v=xJlopewioK4


The app is also extremely good at avoiding censorship, which I find highly ironic for a product made in China. I once tried to block TikTok at the DNS level, and I realized that if you block any of their DNS names, the app will start using encrypted DNS over HTTPS via 8.8.8.8 to circumvent your efforts.
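What the comment above describes is RFC 8484 DNS-over-HTTPS: the app's queries leave as an HTTPS POST to 8.8.8.8 (Google Public DNS, also reachable as dns.google), so a block configured in the local resolver or on port 53 never sees them. The following is an added example, not TikTok's code and not from the comment author: it builds the wire-format query and the DoH request an RFC 8484 client would send, and parses a response. The response bytes are constructed here so the example runs offline; `resolve_over_doh` is the only function that touches the network and is not exercised by default.

```python
"""Build and parse a DNS-over-HTTPS (RFC 8484) exchange.

Added example. DOH_URL is Google Public DNS's documented endpoint;
constructed_response() fabricates an answer so nothing needs the network.
"""
import struct

DOH_URL = "https://8.8.8.8/dns-query"   # hostname form: https://dns.google/dns-query

def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query; ID 0 as RFC 8484 recommends (HTTP-cache friendly)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # RD=1, 1 question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def doh_request(name: str) -> dict:
    """The HTTP request a DoH client sends. Nothing is transmitted here."""
    return {"method": "POST", "url": DOH_URL,
            "headers": {"Content-Type": "application/dns-message",
                        "Accept": "application/dns-message"},
            "body": build_query(name)}

def read_name(msg: bytes, off: int):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels = []
    while True:
        l = msg[off]
        if l & 0xC0 == 0xC0:                                 # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        if l == 0:
            return ".".join(labels), off + 1
        labels.append(msg[off + 1:off + 1 + l].decode("ascii"))
        off += 1 + l

def parse_a_records(msg: bytes) -> list:
    """Return (owner, ttl, ipv4) for each A record in the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                                      # skip questions
        _, off = read_name(msg, off)
        off += 4
    out = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            out.append((owner, ttl, ".".join(map(str, rdata))))
    return out

def constructed_response() -> bytes:
    """Fabricated answer for example.com, echoing build_query()'s question."""
    q = build_query("example.com")
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + q[12:] + answer

def resolve_over_doh(name: str, timeout: float = 5.0) -> list:
    """Live lookup over the network; same request shape as doh_request()."""
    import urllib.request
    req = doh_request(name)
    r = urllib.request.Request(req["url"], data=req["body"],
                               headers=req["headers"], method="POST")
    with urllib.request.urlopen(r, timeout=timeout) as resp:
        return parse_a_records(resp.read())

if __name__ == "__main__":
    print(doh_request("example.com")["url"])
    print(parse_a_records(constructed_response()))
```

Seen from a blocking network, this exchange is just TLS to 8.8.8.8:443 (or to dns.google), so a DNS-level block has to be paired with a block on those destinations, or on any other public DoH endpoint the app falls back to, before it does anything.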

It is scary that most users don't have any clue what an app collects and why it matters. I feel like we are in the dark age of the Internet, when only a few know how it works and 95% of the population trust them because they don't know how it works.

Exactly this. Even on this site, there are tons of questions from tech-savvy individuals who don't understand the data business. The data is farmed and sold to influence your purchase decisions, political preferences, dieting habits, etc. It is also used by third parties to make decisions around the risk of providing you with insurance, your creditworthiness and even legal arguments.

Stop giving away your data.


How different is TikTok compared to Facebook or any American social networking app/company?

Is it just a decision of whether I want to give my data to the American government or the Chinese government?


>Is it just a decision of whether I want to give my data to the American government or the Chinese government?

iOS dev here. Facebook does the same with their SDK, which is included in basically every iOS app. Google does the same with the Firebase SDK, which is also included in every app. There are also tons of other SaaS companies offering their own plug-and-play analytics SDKs, which marketing managers are eager to shove down engineers' throats, as many as possible. It's not uncommon for a single app to host 6-7 different analytics SDKs from various vendors. And this is on iOS, the supposedly "privacy conscious" platform. On Android it's total Wild West...


Usually I hate to just quote TFA but it's written in the form of an answer to this very question, so:

> For what it's worth I've reversed the Instagram, Facebook, Reddit, and Twitter apps. They don't collect anywhere near the same amount of data that TikTok does, and they sure as hell aren't outright trying to hide exactly whats being sent like TikTok is. It's like comparing a cup of water to the ocean - they just don't compare.


In the old days you spent more time reverse engineering an app before you make a post or write an article.

[deleted]

Interesting, I had the opposite reaction: isn't it sad that a post with genuinely insightful information and discussion momentum has to be prefixed with "not new news" to head off the inevitable cloud of detractors who argue that a lack of novelty implies that a subject isn't worth attention / discussion / action?

But that is the title.

At this point, what are the odds that the Chinese government isn't involved in tiktok?

Every company in China is considered an SOE... state-owned enterprise. This is known. There is no chance that the Chinese government doesn't have a seat at the table of their equivalent of the board of directors. That would contradict how corporations in China are allowed to operate.

It would be absurd if they weren't. The party is involved in every big corp. It would be incompetence to not be involved.

The very same thing that is viewed as a strength, i.e. oversight of everyone and everything, is also a weakness in its own right --

Classical example of "do you have the power to let go of power?"
