TikTok in the eye of major storm - and it's worrying

A software engineer who is active on Reddit forums is said to have reverse-engineered the popular video sharing Chinese app, TikTok, and if the claims made by him are indeed true then most of you who have it on your phone would delete it forthwith.   

The Reddit user Bangorlol went and reverse-engineered TikTok to see what makes it tick among the users --- TikTok, for the record, has seen over 2 billion downloads.

And he said "...(F)eel confident in stating that I have a very strong understanding for how the app operates (or at least operated as of a few months ago)." 

It's a data collection service! 

“TikTok is a data collection service that is thinly-veiled as a social network. If there is an API to get information on you, your contacts, or your device… well, they’re using it," Bangorlol said direly.

As per his research, TikTok collects more data than he has ever seen an app collect on its users, including CPU type, your phone number, hardware IDS, screen dimensions, DPI, memory usage and disk space. "And we haven’t even gotten to personal information and location tracking yet." 

It may even track “(o)ther apps you have installed (I’ve even seen some I’ve deleted show up in their analytics payload – maybe using as cached value?).” It even tracks network info, including your IP, local IP, router mac number, your mac number, and even the wifi access point name.

TikTok is essentially malware that is targeting children. Don't use TikTok.

Bongorlol

Very disturbing findings

Even more disturbing according to the analysis was that the logging activity is configured remotely, which makes reverse engineering and trying to figure out what it is up to harder to determine. 

“Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds – this is enabled by default if you ever location-tag a post-IIRC.” If it is true, it is one of the most intrusive location-tracking tactics. Luckily, most newer models of both iOS and Android phones allow you to turn off location tracking in apps completely, and it will prompt you to give consent when opening the app for the first time. 

Bangorlol, who has 15 years of software engineering experience, basically recommended that people stop using TikTok, and definitely refrain from allowing  their children to use the app, following his findings. 

Bangorlol alleges that reverse engineering other popular social media apps like Facebook, Instagram and Twitter didn't find nearly as much data collection going on -- there was absolutely no comparison.

He concludes his findings: "tl;dr; I'm a nerd who figures out how apps work for a job. Calling it an advertising platform is an understatement. TikTok is essentially malware that is targeting children. Don't use TikTok. Don't let your friends and family use it."

He knows what he's talking about

Bangorlol is not a novice. “The last several years of my career has been based around reversing mobile applications, analyzing how they work, and building additional third-party functionality around them,” he told Bored Panda

As per the report, TikTo tried to stop Bangorlol on his tracks. “TikTok put a lot of effort into preventing people like me from figuring out how their app works. There’s a ton of obfuscation involved at all levels of the application, from your standard Android variable renaming grossness to them (bytedance) forking and customizing ollvm for their native stuff. They hide functions, prevent debuggers from attaching, and employ quite a few sneaky tricks to make things difficult. Honestly, it’s more complicated and annoying than most games I’ve targeted,” Bangorlol was quoted as saying.

TikTok, owned by the Chinese company ByteDance, is growing at a fast clip. The holding company made a net profit of $3 billion last year. And this is not the first controversy that TikTok finds itself in. Recently TikTok was caught spying on iPhone users in India and around the world. The social media platform was found copying text from a user’s clipboard every few seconds, effectively logging their keystrokes without their knowledge.

Source: Reddit



Comments