A recent reverse-engineering analysis of the video-sharing social platform TikTok has revealed huge privacy issues for its users.
The findings highlight the shortcomings of existing application design and the need for decentralized data storage solutions that put users back in control.
TikTok’s use of user data goes far beyond what other social applications like Facebook or Twitter do. In fact, some speculate that the platform is actually Chinese government spyware [Forbes].
What’s Wrong With TikTok?
For those unaware, TikTok is a video-sharing application that is owned by Beijing-based ByteDance. The platform has exploded in popularity since its international debut in January 2018.
TikTok users upload short videos of themselves completing “challenges” such as lip-syncing, comedy skits, or songs. The appeal, apparently, is that the video may “go viral,” and users, for the briefest moment, will taste internet stardom.
However, the application has been at the center of plenty of controversies, most notably for privacy concerns. The most recent allegations come from an individual claiming to have reverse-engineered the application, uncovering some dark secrets in the process.
In a lengthy Reddit post from April, user Bangorlol reveals the shady inner workings of TikTok. Bangorlol writes:
“TikTok is a data collection service that is thinly-veiled as a social network. If there is an API to get information on you, your contacts, or your device, well, they’re using it.”
The post goes on to detail some of the data the application is gathering on its users. This includes phone hardware data (phone number, handset model, screen dimensions, memory usage, amongst others).
It also collects data on which other applications are installed on the device, including those previously deleted; network details (IP, local IP, access point names, and also GPS data). And if that weren’t enough, it even determines if the phone is rooted or jailbroken.
A Security Nightmare
The post’s author goes on to explain that the application makes it incredibly difficult to block any of these data leaks. Apparently it even changes behavior when it appears that a user is trying to work out exactly how the software functions.
All analytics requests are encrypted, and the company reportedly changes the algorithm with each update. The app also stops working if you block communication with the analytics host at the DNS level.
Perhaps most concerning is that the Android version of TikTok reportedly includes code that can force the download, unzipping, and running of a remote zip file. The Redditor writes:
“There is zero reason a mobile app would need this functionality legitimately.”
The individual behind the reverse-engineering work admits that the study was undertaken a few months ago, and some details may be out of date.
Bangorlol was also unable to provide substantial evidence due to reported computer hardware issues. However, they have stated that they are working on a site/blog dedicated to exposing TikTok’s privacy issues.
The List of Privacy Concerns About TikTok Grows
The recent reverse engineering efforts are part of a growing list of privacy concerns for the emerging social media platform. BeInCrypto reported that the application’s owner was pivoting towards blockchain technology at the beginning of 2020. The move would apparently address some data security issues.
However, despite this shift in focus, the controversies continue to pile up. Researchers Talal Haj Bakry and Tommy Mysk identified several security flaws on iOS devices in February that TikTok may have been exploiting [Forbes].
The vulnerability allows applications to read text that a user copies on their iPhone and also from their Mac. Given that many users will copy potentially-sensitive information from a Mac, the vulnerability represents a significant security risk.
Apple initially denied that this was an issue but has since rushed to add a prompt that pops up to notify the user that an application is reading their clipboard. The feature is only available on iOS 14, due out in autumn 2020.
However, developers already have access to the update and have noticed that TikTok actually takes data from the users’ clipboard at an alarming rate.
In a demonstration video posted to Twitter on June 24, UK-based entrepreneur Jeremy Burge shows that the application actually takes snapshots of the clipboard after a user enters just a single character on their device.
Shockingly, it even happens when typing on non-TikTok applications. Adding more suspicion to the saga is the fact that ByteDance initially told Forbes that the clipboard issue was related to an outdated Google advertising SDK. They further claimed that it would stop after April.
However, the revelation continues to impact Apple users to this day. TikTok also continues to shift the goalposts on the story. The company now claims that the issue is part of an anti-spam feature and that it will submit an updated version of the application without this ‘feature.’
Forbes writer Zak Doffman explains:
“In other words: We’ve been caught doing something we shouldn’t, we’ve rushed out a fix.”
TikTok’s High Profile Attention
Even before Mysk, Bakry, and Bangorlol’s work, there were serious privacy concerns about TikTok. Late last year and earlier this year, a series of U.S. government agencies banned any employees from having the software on their government devices.
Last October, Senator Marco Rubio requested that the Trump administration investigate the application for evidence of Chinese censorship related to politically sensitive information. Similarly, Sens. Chuck Schumer and Tom Cotton asked that the app be scrutinized in the interests of national security.
Since then, numerous U.S. organizations have banned or advised against using TikTok. These include the Navy, Army, Air Force, Coast Guard, Marine Corps, Department of Homeland Security, and the Transportation Security Administration [Business Insider].
Can Decentralization Provide A Better Way?
TikTok is by no means the only application that has a questionable track record of protecting users’ data. Critics have accused the company of malicious intent; however, TikTok is clearly not the only centralized data-gathering company out there.
With blockchain and smart contract technology ushering in the possibility of truly decentralized applications, perhaps there is hope. Future apps may work without relying on massive user data caches that can be exploited [Enigma].
Digital identity platforms, similar to those that Microsoft and others are working on, seek to put users back in control of their personal data.
The idea is that individuals will no longer need to trust a centralized data carrier to act responsibly. Users themselves will choose what to share. They’ll also have the ability to revoke access to information instantly.
Systems like Microsoft’s ION, which is built on the Bitcoin blockchain, are mostly still in development. However, if successful and widely adopted, they could see online service providers dramatically shift the way they do business. This new model should better protect the interests of users.