China-based TikTok has been under immense pressure lately due to a string of privacy issues. It isn't just that the social network is massively popular, with over 800 million monthly active users making it one of the biggest social media apps in the world, or the fact that its audience skews heavily toward a younger demographic, including a large number of underage users.
Behind all the concern is the fact that parent company ByteDance is headquartered in Beijing, and that Chinese law allows the government access, at any time, to any personal information a Chinese company collects. The connection between the popular social app and the CCP has been mostly speculative to this point, however. There is widespread concern about potential compromise, to the point that government agencies such as the United States Department of Homeland Security and the TSA have preemptively banned it from work devices for national security reasons, but there has yet to be a concrete link to the Chinese government.
One of the more popular branches of the Anonymous hacking collective believes that “smoking gun” has finally been found. The group’s Twitter account has promoted a Reddit post by a security researcher who claims to have reverse engineered the social networking app and found that it is quietly vacuuming up every bit of personal information that it can access, far beyond the scope of what users should be expecting it to collect.
The latest claims against TikTok
Before cataloging the potential privacy issues, it is important to note that they have been raised by an anonymous Reddit user by the handle of “bangorlol” whose work was amplified by a capital-A Anonymous Twitter account that has over six million followers. The poster’s identity is unknown, but they have a seven-year history of posting on Reddit in various tech and cybersecurity forums. In an interview with Bored Panda, bangorlol also claimed to have been working in the reverse engineering of apps in a professional capacity for a tech company for several years.
These specific privacy issues have yet to be verified by a reputable, known security research firm; a difficult task, given that TikTok would need to be completely reverse engineered in the same way. However, at least some of bangorlol's claims are substantiated by prior research from firms such as Penetrum and Zimperium. Additionally, on July 2 bangorlol created the subreddit "tiktok_reversing" in response to the Anonymous Twitter account picking up his story. In this subreddit bangorlol promises to gradually roll out data about the privacy issues that independent security researchers can verify.
If this work can be verified, the list of privacy issues and the amount of data that could be compromised is staggering. Bangorlol characterized it as being more of a data collection service than a social network. The researcher contends that TikTok captures detailed device hardware information, network information, lists of apps you have installed, and whether or not the device has been jailbroken. TikTok also apparently sets up a local proxy server on devices with no authentication (purportedly for “transcoding media”), and some versions of the app use GPS pinging for user tracking about once every 30 seconds. And bangorlol reports finding some code that would allow the app to download, unpack and execute the contents of a remote .zip file in the background.
Analytics requests from the app also appear to be encrypted with a key that changes regularly, so that end users have no visibility into what information is being sent. And if the end user blocks the analytics host at the DNS level, the app ceases to function entirely. In the interview with Bored Panda, bangorlol indicated that the app uses a variety of other "sneaky tricks" to hide what it is doing from prying eyes, including a custom fork of the Obfuscator-LLVM code obfuscation toolchain and anti-debugging techniques.
Bangorlol also indicates that, on top of all of these privacy issues, the TikTok app may have had previously unknown security issues. It appears that for a long time it was using a plain HTTP API that could have leaked user emails, full names and birthdates in plain text to any "man in the middle" on the network path, since without TLS anyone able to observe the traffic can read it.
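A practitioner checking an app for exactly this class of leak would capture its traffic and look for identity fields travelling over plain HTTP rather than HTTPS. The script below is an added example, not code from the original post or from TikTok; the captured requests it scans are constructed sample data with a hypothetical `api.example.test` host, and the PII field names it looks for are an assumed list.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of captured client requests (not real TikTok traffic).
# Each entry is the request URL plus its form-encoded body.
SAMPLE_REQUESTS = [
    {"url": "http://api.example.test/v1/user/profile",
     "body": "email=alice%40example.test&name=Alice+Smith&birthday=1994-03-21"},
    {"url": "https://api.example.test/v1/user/profile",
     "body": "email=bob%40example.test&name=Bob+Jones&birthday=1990-01-02"},
    {"url": "http://api.example.test/v1/feed?cursor=42", "body": ""},
]

# Assumed list of parameter names that carry personal data.
PII_FIELDS = {"email", "name", "full_name", "birthday", "birthdate", "dob"}
# Catches email addresses even when they are sent under an unexpected key.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_cleartext_pii(requests):
    """Return (endpoint, [leaked field names]) for every request that sends
    personal data over plain HTTP. HTTPS requests are skipped: a passive
    man-in-the-middle cannot read their contents."""
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        if parts.scheme.lower() != "http":
            continue
        # Merge query-string and body parameters; both travel in the clear.
        params = parse_qs(parts.query, keep_blank_values=True)
        params.update(parse_qs(req["body"], keep_blank_values=True))
        leaked = set()
        for key, values in params.items():
            if key.lower() in PII_FIELDS:
                leaked.add(key)
            elif any(EMAIL_RE.search(v) for v in values):
                leaked.add(key)
        if leaked:
            findings.append((parts.netloc + parts.path, sorted(leaked)))
    return findings


if __name__ == "__main__":
    for endpoint, fields in find_cleartext_pii(SAMPLE_REQUESTS):
        print(f"cleartext PII to {endpoint}: {', '.join(fields)}")
```

Run against the constructed sample, only the first request is flagged: the second sends the same fields but over TLS, and the third carries no personal data. On real captures the same logic applies to whatever a proxy such as mitmproxy exports, with the field list adjusted to the app under test.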
Massive potential privacy issues
The combination of abilities that bangorlol asserts TikTok has could be used to capture nearly every piece of data stored on or passing through a user's device, given that it can execute remotely supplied code in the background. An attacker would still need to run other exploits against the device to get that level of access, but having lists of installed apps, hardware and network details would allow them to quickly identify and exploit known vulnerabilities. Among other things, an attacker could transfer files off the device, log keystrokes, capture text messages and phone calls, or add the device to a botnet.
While mass exploitation of TikTok users seems unlikely due to the attention it could draw, some security analysts believe that these capabilities might be selectively leveraged against specific persons of interest. Political dissidents in China and persecuted Uyghurs are examples of potential targets.
With concerns about privacy issues and security implications mounting long before bangorlol published his post, TikTok committed in March to set up a "transparency center" in Los Angeles. The company had indicated that it would eventually "provide insights" into the app's source code, according to a Reuters report. TikTok had indicated that this center would open sometime in May, but the announcement was made just before the widespread international coronavirus lockdowns in March, and there is no sign of any progress since.