I’m putting this here because it’s all wrapped up in the political mess that is Shitgibbon.
Nice, with any luck that would be the death knell for TikTok.
I’m not seeing the play for Microsoft. Wonder what Satya sees?
It’s a reverse psychology ploy by Facebook so that it will get Mixered in a year and shut down.
Nor am I. That is, even if well running, a political nightmare move and one riding on the growing consensus that TikTok is UNSAFE FOR USE. Microsoft buying them doesn’t suddenly make all of that better. In fact it speaks to Microsoft wanting to glean the same user info that TikTok was already grabbing prior to this.
I have no idea what is going on. The buzz is $30 billion?!?!?!?!?!?!?!??!
It makes no sense!
I can’t find anyone else who sees a connection. Instead, it’s all along the lines of this…
What user info btw? Anything you can’t do on Instagram right now?
Some info from one of many findings (scroll down and click on TikTok specifically):
TikTok in itself is a security risk due to the following reasons;
- Webview, and remote webview enabled by default
- Application appears to take commands over text and receives them piping them directly into Java as an OS command
- The application that uses Java reflection while decreasing VM load time can also be taken advantage of by malicious users and has a CVE score of 8.8
- This application has been observed to log sensitive information such as;
  - Device information
  - User GEOlocation
  - Monitors user activity
So I can personally weigh in on this. I reverse-engineered the app, and feel confident in stating that I have a very strong understanding for how the app operates (or at least operated as of a few months ago).
TikTok is a data collection service that is thinly-veiled as a social network. If there is an API to get information on you, your contacts, or your device… well, they’re using it.
- Phone hardware (cpu type, number of cores, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)
- Other apps you have installed (I’ve even seen some I’ve deleted show up in their analytics payload - maybe using as cached value?)
- Everything network-related (ip, local ip, router mac, your mac, wifi access point name)
- Whether or not you’re rooted/jailbroken
- Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds - this is enabled by default if you ever location-tag a post IIRC
- They set up a local proxy server on your device for “transcoding media”, but that can be abused very easily as it has zero authentication
The scariest part of all of this is that much of the logging they’re doing is remotely configurable, and unless you reverse every single one of their native libraries (have fun reading all of that assembly, assuming you can get past their customized fork of OLLVM!!!) and manually inspect every single obfuscated function. They have several different protections in place to prevent you from reversing or debugging the app as well. App behavior changes slightly if they know you’re trying to figure out what they’re doing. There’s also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary. There is zero reason a mobile app would need this functionality legitimately.
On top of all of the above, they weren’t even using HTTPS for the longest time. They leaked users’ email addresses in their HTTP REST API, as well as their secondary emails used for password resets. Don’t forget about users’ real names and birthdays, too. It was allllll publicly viewable a few months ago if you MITM’d the application.
They provide users with a taste of “virality” to entice them to stay on the platform. Your first TikTok post will likely garner quite a bit of likes, regardless of how good it is… assuming you get past the initial moderation queue if that’s still a thing. Most users end up chasing the dragon. Oh, there’s also a ton of creepy old men who have direct access to children on the app, and I’ve personally seen (and reported) some really suspect stuff. 40-50 year old men getting 8-10 year old girls to do “duets” with them with sexually suggestive songs. Those videos are posted publicly. TikTok has direct messaging functionality.
Here’s the thing though… they don’t want you to know how much information they’re collecting on you, and the security implications of all of that data in one place, en masse, are fucking huge. They encrypt all of the analytics requests with an algorithm that changes with every update (at the very least the keys change) just so you can’t see what they’re doing. They also made it so you cannot use the app at all if you block communication to their analytics host off at the DNS-level.
For what it’s worth I’ve reversed the Instagram, Facebook, Reddit, and Twitter apps. They don’t collect anywhere near the same amount of data that TikTok does, and they sure as hell aren’t outright trying to hide exactly what’s being sent like TikTok is. It’s like comparing a cup of water to the ocean - they just don’t compare.
This part is creepy! I would be interested to see an analysis on what specific data is collected compared to Instagram though. Is it just a fear that the government will force it to take video or whatever while the phone is “off”, the same thing the NSA does?
The Reddit person linked to several other researcher findings but it sure sounds like that was just the start of people reporting what they saw. There might be more info out now.
It reporting data and passing stuff back to TikTok when you used other applications was creepy as well. If it set up a proxy on the device, imagine you taking a picture and a copy going to TikTok. Or other files as well.
There was a disturbing story on Reddit which indicated there were predators after low teens and pre-teens via TikTok. When I was a kid the girls who were my peers didn’t wear skimpy clothes and do slutty dances to an audience of millions. I’d complain to their mothers, but they have a TikTok and an OnlyFans account and don’t care. TikTok seems an unregulated, uncontrolled wild west of mass sexualisation of minors.
20 minutes after he read my post, no doubt.
/looks around suspiciously
Fixed that for you.
Very glad that Conservative DJT is doing the Conservative thing here. He will no doubt be very strongly and powerfully backed by the Very Serious Conservatives in congress.
Mainly distraction, and maybe DJT is pissed about kids helping to embarrass his worthless ass at his Tulsa COVID rally. It’s all just noise.
Yeah, the general consensus from legal twitter is “LOLrite” to this.
Someone on Twitter pointed out that 4 million 17-year-olds will be 18 in time to vote, so this was a great idea by Don.
I’ve seen this analysis among my techy friends on Facebook also. This is a really hard dilemma, Sarah Cooper’s Trump TikToks are brilliant, I know Trump is doing this for all the wrong reasons, but maybe banning TikTok is actually a good idea.