What exactly about the tiktok app makes it Chinese spyware? Has it been proven it can do something?



It’s not in a great spot, I’ll put it that way.

To start off, the Chinese government has a habit and history of having back doors into a lot of products made by companies that have their home there. For example, Huawei, a company known for phones and servers was ~~discovered a few years back to have been putting gov. back doors into server chips used by American companies.~~ Under heavy suspicion by American companies and others for having backdoors in their systems after various security flaws were found.

On top of that, most analyses of the app itself have set off quite a few red flags, such as requiring way more security permissions than it should need, their Terms of Service requiring you to allow them to “build a full profile” on you, including who you interact with and every bit of info about you, and IIRC it was found to be uploading keystrokes or copied clipboard data at frequent intervals, which is a great way to get someone’s passwords and/or other sensitive data.

So we’re at the point of “it’s doing a lot of weird shit that it shouldn’t be, but we can’t *prove* it’s doing anything malicious with it… yet.”

EDIT: Because I’m seeing it here **a lot** I’m going to clear this up. No, this is not the same thing as Google, Instagram, Facebook, etc. in the US. Here in the US (and most western countries) we not only have privacy laws that protect us from certain breaches, but more importantly the government and company are two separate entities, and are even frequently at each other’s throats. While all those companies certainly collect data, they are *not* responsible for handing it directly to their government outside of official process such as warrants and subpoenas. In China it’s the opposite: companies over a certain size are required by law to allow the government to access and have direct control over large sections of the companies’ operations. The problem worsens when we remember that China isn’t really the best of friends with a lot of western nations, and giving *them specifically* control over what large numbers of western people (especially youth) see and interact with is not great for national security. Should you still always keep privacy in mind with the western companies? Absolutely, but the two issues are worlds apart.

Edit 2: Cool that so many of you have opinions and thoughts on this. Got a little distracted by all of them and the pasta I was cooking now has the consistency of oatmeal 😅. Great having all the discussion, but getting lots of notifications still, so I’m going to mute notifications on this thread. Ttyl

Tiktok collects as much data as they can about their users, their habits, location, interests, some people say they can also activate your microphone while using the app, they can track you across websites and there’s evidence that they inject tracking code if you visit a link from their app.

Then there’s the algorithm that suggests new content. Since so many young people spend so much time on the app it’s easy for China to sway public opinion by pushing content that aligns with their goals.

This is nothing new, other social media platforms do this too, but for the US and its allies it’s a huge risk when it’s its rival major power doing it.

By default a lot of apps can collect a lot of information with your specific permission by the user agreement, and not by your specific permission by sucking other data off your phone. People who use TikTok are sharing at least some of their personal information with the app, but along with locational data and your face etc it can easily be stored and analyzed. Are they after YOU? Probably not. But what if it’s someone of influence or a family member of someone of influence – perhaps a company executive, or a government official, or military folks. Are they tracking your travel? Your conversations? Is the app “listening” to sound in an ambient environment, like what Alexa does? What else does someone do on their phone that the app can access?

These are the kinds of real or potential red flags that people are concerned about.

That’s not the concern, not really.

There are three concerns:

1. TikTok is known to do some relatively aggressive user data collection. Lots of other apps also do this. On its own, not great, but not uniquely bad either.
2. TikTok is known to be able to make its data available to the Chinese government. China has laws that require any Chinese national to turn over any trade secrets to the government if the government asks. This is also what’s driving most of the semiconductor industry out of China.
3. TikTok isn’t available in China, but the same developer has a very similar app which is only available in China. It’s never a great sign when a country exports a product they make illegal domestically.

Taken together, the concern is that China can use TikTok as a pretty powerful influence campaign tool. They can figure out what users it wants to target. They have access to a per-user algorithm through which to target those people. There’s little risk of the app targeting their own people because they’ve banned the app internally.

There are two main concerns about how it might be used:

1. Targeting of Chinese expats to either turn them against Chinese interests, such as Taiwan. Witness the church shooting about 2 miles from my house where a ~~Chinese expat~~ *Taiwanese expat* attacked a Taiwanese congregation because he was angry about the lack of reunification between the two countries. China could use TikTok as a radicalization pipeline given the 3 above items.
2. Targeting of the general public for influence campaigns. We know that at least some of the conservative anti-mask/anti-vax campaign originated with Russian intelligence services, and that the GOP unwittingly bought into it. This shows the potential damage that social media driven influence campaigns can do, especially if it results in hundreds of thousands of deaths. Brexit may have been driven by an influence campaign. We just learned the other day that the head FBI counterterrorism agent in the NY office was involved in an influence campaign to affect the outcome of the 2016 presidential election.

Influence campaigns are no joke, and the US works closely with social media companies to combat them (or, at least they used to with Twitter – pretty sure that’s completely busted now). Having a social media outlet like TikTok that is not responsive to US intelligence concerns is a problem.

[Correction] I originally wrote ‘Chinese expat’ as struck out above, when the individual was a Taiwanese expat. As I was writing the comment I searched and [read this article](https://www.thedailybeast.com/laguna-woods-gunman-identified-as-david-chou-of-las-vegas) which incorrectly labeled Chou as a Chinese national. Replies corrected me and asked that I correct this post.

This is from u/bangorlol, here’s a [link](https://www.reddit.com/r/videos/comments/fxgi06/comment/fmuko1m/?utm_source=share&utm_medium=web2x&context=3) to the comment itself where the user has hyperlinks to citations.

So I can personally weigh in on this. I reverse-engineered the app, and feel confident in stating that I have a very strong understanding for how the app operates (or at least operated as of a few months ago).

TikTok is a data collection service that is thinly-veiled as a social network. If there is an API to get information on you, your contacts, or your device… well, they’re using it.

- Phone hardware (cpu type, number of cores, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)
- Other apps you have installed (I’ve even seen some I’ve deleted show up in their analytics payload – maybe using as cached value?)
- Everything network-related (ip, local ip, router mac, your mac, wifi access point name)
- Whether or not you’re rooted/jailbroken
- Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds – this is enabled by default if you ever location-tag a post IIRC
- They set up a local proxy server on your device for “transcoding media”, but that can be abused very easily as it has zero authentication

The scariest part of all of this is that much of the logging they’re doing is remotely configurable, and unless you reverse every single one of their native libraries (have fun reading all of that assembly, assuming you can get past their customized fork of OLLVM!!!) and manually inspect every single obfuscated function. They have several different protections in place to prevent you from reversing or debugging the app as well. App behavior changes slightly if they know you’re trying to figure out what they’re doing. There’s also a few snippets of code on the Android version that allow for the downloading of a remote zip file, unzipping it, and executing said binary. There is zero reason a mobile app would need this functionality legitimately.

On top of all of the above, they weren’t even using HTTPS for the longest time. They leaked users’ email addresses in their HTTP REST API, as well as their secondary emails used for password resets. Don’t forget about users’ real names and birthdays, too. It was allllll publicly viewable a few months ago if you MITM’d the application.

They provide users with a taste of “virality” to entice them to stay on the platform. Your first TikTok post will likely garner quite a bit of likes, regardless of how good it is.. assuming you get past the initial moderation queue if that’s still a thing. Most users end up chasing the dragon. Oh, there’s also a ton of creepy old men who have direct access to children on the app, and I’ve personally seen (and reported) some really suspect stuff. 40-50 year old men getting 8-10 year old girls to do “duets” with them with sexually suggestive songs. Those videos are posted publicly. TikTok has direct messaging functionality.

Here’s the thing though.. they don’t want you to know how much information they’re collecting on you, and the security implications of all of that data in one place, en masse, are fucking huge. They encrypt all of the analytics requests with an algorithm that changes with every update (at the very least the keys change) just so you can’t see what they’re doing. They also made it so you cannot use the app at all if you block communication to their analytics host off at the DNS-level.

For what it’s worth I’ve reversed the Instagram, Facebook, Reddit, and Twitter apps. They don’t collect anywhere near the same amount of data that TikTok does, and they sure as hell aren’t outright trying to hide exactly what’s being sent like TikTok is. It’s like comparing a cup of water to the ocean – they just don’t compare.

tl;dr; I’m a nerd who figures out how apps work for a job. Calling it an advertising platform is an understatement. TikTok is essentially malware that is targeting children. Don’t use TikTok. Don’t let your friends and family use it.
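An added example, not from this thread or from u/bangorlol, of the kind of traffic-audit check a privacy reviewer runs over an app's captured requests to substantiate two of the claims in the comment above: profile PII (email, birthday, real name) sent over plain HTTP, and the interval between location beacons. The capture, hosts, paths and field names are all constructed for illustration.

```python
import json
from dataclasses import dataclass

@dataclass
class Flow:  # one captured request: timestamp in seconds, scheme, host, path, body
    ts: float
    scheme: str
    host: str
    path: str
    body: str

# Profile fields whose exposure over plain HTTP would be a finding (assumed names).
PII_FIELDS = {"email", "secondary_email", "real_name", "birthday"}

# Constructed sample capture; hosts and paths are hypothetical, not real endpoints.
SAMPLE_FLOWS = [
    Flow(0.0, "https", "log.example.invalid", "/v1/location", '{"lat": 1, "lon": 2}'),
    Flow(30.0, "https", "log.example.invalid", "/v1/location", '{"lat": 1, "lon": 2}'),
    Flow(45.0, "http", "api.example.invalid", "/v1/user/profile",
         '{"email": "a@example.invalid", "birthday": "2010-01-01", "nickname": "x"}'),
    Flow(60.0, "https", "log.example.invalid", "/v1/location", '{"lat": 1, "lon": 2}'),
    Flow(70.0, "https", "api.example.invalid", "/v1/user/profile",
         '{"email": "a@example.invalid"}'),  # same data, but encrypted in transit
    Flow(90.0, "https", "log.example.invalid", "/v1/location", '{"lat": 1, "lon": 2}'),
]

def cleartext_pii(flows):
    """Return (url, sorted PII field names) for each plain-HTTP flow carrying PII."""
    findings = []
    for f in flows:
        if f.scheme != "http":
            continue  # encrypted in transit; what is collected is a separate question
        try:
            payload = json.loads(f.body)
        except json.JSONDecodeError:
            continue  # non-JSON bodies would need their own parser
        hits = sorted(PII_FIELDS & set(payload)) if isinstance(payload, dict) else []
        if hits:
            findings.append((f.host + f.path, hits))
    return findings

def beacon_interval(flows, path_fragment="/location"):
    """Mean seconds between requests whose path contains path_fragment, or None."""
    stamps = sorted(f.ts for f in flows if path_fragment in f.path)
    if len(stamps) < 2:
        return None
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    return sum(gaps) / len(gaps)
```

On the sample capture the audit reports one cleartext endpoint exposing `birthday` and `email`, and a location beacon every 30 seconds; on a real capture the flows would come from a proxy log rather than be typed in.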