By Gurvinder P. Singh, The CyberChef
I had been following the TikTok story for a while, and I was wondering why people are so hooked on this video-sharing social media app. For a while, I got hooked into the temptations of watching somewhat stupid, but at times very creative, videos. The attraction was short-lived once I started observing the weird behaviour of the app. As a cybersecurity professional, I found it very pervasive and started digging deeper into the technical and political aspects of the app and its owner, ByteDance (https://www.bytedance.com). ByteDance, a Chinese company headquartered in Beijing and worth over $100 billion, was founded in 2012. The company owns several products, including TikTok, Helo, and Resso, as well as platforms specific to the China market, including Toutiao, Douyin, and Xigua. ByteDance’s investors include Coatue, General Atlantic, KKR, Sequoia Capital, SIG, and Softbank.
In this article, I will not only be dealing with the technical security issues but will also touch upon the geopolitical side of the TikTok story.
In my review of several open-source materials, whitepapers, security vulnerabilities and TikTok’s privacy policy, I can safely conclude that the parent company’s relationship with the Chinese government can’t be ignored, especially in light of China’s national intelligence law of 2017. Various news platforms, such as the South China Morning Post, are reporting on the Communist Party’s interference in private enterprises. The reporter notes: “China’s large privately-owned firms are becoming more like state-owned enterprises, as many in recent years have implanted in their businesses cells of the Communist Party, the Communism Youth League and even discipline inspection committees.”
Over the last few months, various countries and their politicians have been calling for greater scrutiny of the company’s data collection and possible Chinese censorship. The Indian government made a political statement by banning TikTok, along with over 50 other Chinese apps, in response to its border standoff with China in Ladakh (a disputed northern province of the state of Jammu & Kashmir), citing the app as a cybersecurity risk. In the wake of the heightened US-China standoff, the US government is also considering whether to impose a ban on the app. Various private enterprises have also advised their employees to remove the app from their work phones due to ‘security risks’.
So, what is wrong with this app?
Data Collection
You may have heard the quote from Clive Humby, the UK mathematician and data-science entrepreneur who coined the phrase “data is the new oil” in 2006. Like any other social media company, TikTok collects a ton of valuable personal data, which includes, but is not limited to, your:
- Registration Information, such as age, username and password, language, and email or phone number
- Profile information, such as name, social media account information, and profile image
- User-generated content, including comments, photographs, videos, and virtual item videos that you choose to upload or broadcast on the platform (“User Content”)
- Payment information, such as PayPal or other third-party payment information (where required for payments)
In addition to the above, they also collect device, network and communication information such as:
- IP address
- Browsing history (i.e., the content you viewed on TikTok)
- Mobile carrier
- Location data if you are using a mobile device (including GPS coordinates and WiFi and mobile cell data)
- Info on the device you used to access TikTok (for Android devices, this includes your IMEI number, which is essentially your device’s fingerprint so it can be identified, and potentially your IMSI number, which is used to track users from one phone to another)
To open an account on TikTok, users must provide a phone number or email and their date of birth. After registration, TikTok asks for permission to access the user’s social media accounts (for example Twitter, Instagram, Facebook, etc.), contact list, and location data. As soon as the user starts using the app, TikTok logs details about:
- Every video you upload
- How long you watch videos
- Which videos you like
- Which videos you share
- Any message you exchange in the app
If you buy coins (in-app currency) to support your favourite video creators, TikTok will store your payment information.
Based on TikTok’s privacy policy, the data collection seems extreme. It looks as though the purpose of such massive data collection goes beyond the stated one of serving users with targeted ads.
Does TikTok share data with the Chinese govt?
TikTok states that the service is not available in China and that user data is not stored in China. TikTok’s position looks misleading. The privacy policy states: “We may also share your information with other members, subsidiaries, or affiliates of our corporate group, to provide the Platform including improving and optimising the Platform, preventing illegal use and supporting users.”
The cybersecurity research firm Penetrum noted in its research whitepaper on TikTok that over one-third of the IP addresses the TikTok APK connects to are based in China. Alibaba, another Chinese tech giant, hosts the majority of these IP addresses. The whitepaper also points out that these IP addresses led to the allegations in the lawsuit that TikTok sends data to China. The Penetrum report noted that “TikTok does an excessive amount of tracking on its users and that the data collected is partially, if not fully, stored on Chinese servers with the ISP Alibaba.”
TikTok Reverse Engineering: Is it secure?
A couple of months back, Bangorlol (u/bangorlol), a freelance application reverse engineer, claimed on Reddit that he had successfully reverse-engineered the TikTok app and shared what he had learnt about it. He strongly advised people never to use the app, warning about its intrusive user tracking and other issues. He notes that “TikTok is a data collection service that is thinly-veiled as a social network. If there is an API to get information on you, your contacts, or your device… well, they’re using it.”
Some of his critical observations are consistent with the research conducted by Penetrum. He found that the app is collecting the following data:
- Phone hardware (CPU type, number of cores, hardware ids, screen dimensions, dpi, memory usage, disk space, etc.)
- Other apps you have installed (even the deleted app information shows up in the payload)
- Everything network-related (IP, local IP, router mac, your mac, WiFi access point name)
- Whether or not the device is rooted/jailbroken
- GPS pinging roughly once every 30 seconds, enabled by default
- TikTok sets up a local proxy server on your device for “transcoding media”. Because it has zero authentication, the user’s device is open to abuse.
Bangorlol goes further, explaining that the app wasn’t even using HTTPS and was leaking users’ email addresses in its HTTP REST API. It was also exposing the secondary emails used for password resets, along with users’ real names and dates of birth.
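As an added example (not code from the article, Penetrum or Bangorlol), this is the kind of privacy audit a defender can run over an app’s captured traffic to check for the three findings reported above: cleartext HTTP, personal data in API responses, and the share of contacted endpoints hosted in a given country. The capture records, host names and the host-to-country table are constructed sample data; in practice the country would come from WHOIS or GeoIP lookups on the real capture.

```python
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Field names treated as PII; these match the data the article says was exposed.
PII_KEYS = {"email", "secondary_email", "real_name", "birthday", "imei", "imsi"}

# Constructed sample capture: one record per observed request, body already decoded.
SAMPLE_CAPTURE = [
    {"scheme": "https", "host": "api.example-app.test", "body": {"status": "ok"}},
    {"scheme": "http", "host": "api.example-app.test",
     "body": {"user": {"real_name": "Test User", "email": "user@example.test"}}},
    {"scheme": "https", "host": "log.example-cn.test", "body": {"imei": "000000000000000"}},
    {"scheme": "https", "host": "cdn.example-cn.test", "body": {}},
]
# Constructed host -> hosting-country table (hypothetical; in practice from WHOIS/GeoIP).
HOST_COUNTRY = {"api.example-app.test": "US", "log.example-cn.test": "CN",
                "cdn.example-cn.test": "CN"}


def cleartext_hosts(capture):
    """Hosts contacted over plain HTTP at least once (no transport encryption)."""
    return sorted({r["host"] for r in capture if r["scheme"].lower() == "http"})


def _leaves(obj, path=()):
    """Yield (key_path, value) for every leaf of a nested dict/list body."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _leaves(value, path + (key,))
    elif isinstance(obj, list):
        for value in obj:
            yield from _leaves(value, path)
    else:
        yield path, obj


def pii_exposures(capture):
    """(host, field) pairs where a response carried a PII field or an e-mail string."""
    hits = set()
    for r in capture:
        for path, value in _leaves(r["body"]):
            field = path[-1] if path else ""
            if field in PII_KEYS or (isinstance(value, str) and EMAIL_RE.fullmatch(value)):
                hits.add((r["host"], field))
    return sorted(hits)


def region_share(capture, host_country, region):
    """Fraction of distinct contacted hosts whose hosting country is `region`."""
    hosts = {r["host"] for r in capture}
    in_region = sum(1 for h in hosts if host_country.get(h) == region)
    return in_region / len(hosts) if hosts else 0.0
```

On the sample capture the audit flags one cleartext host, three exposed fields and two of three hosts in the chosen region; the same functions run unchanged over a real export once its bodies are decoded.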
The “virality” of user-posted videos and the urge to become famous drive the extensive use of TikTok. Your first-ever posted video will receive many likes, which are automatically associated with the video, and videos that become popular are quickly moderated. I have also noted that TikTok’s direct messaging capability allows you to message the creator directly. Various researchers, including Penetrum and Bangorlol, warn that children may be sexually groomed on the platform. Bangorlol goes on strongly advocating the case against using the platform. He says “TikTok is essentially a malware that is targeting children. Don’t use TikTok. Don’t let your friends and family use it.”
Conclusion
The research indicates that the user data collected by the platform goes far beyond what a social media platform would need to provide a customised user experience and targeted advertising. Such pervasive data collection exposes us to various online security threats, including identity theft, compromised privacy, censorship, etc. From a security and privacy perspective, TikTok poses an extreme risk. Even ignoring the geopolitical rhetoric against China, you should consider getting off the platform if the above concerns you.