Not just a data miner, it has some crazy capabilities that are malicious even by the standards of social media phone apps, which were already explicitly malicious. If I remember right, it can download custom code to augment its capabilities per-target, and has encryption to attempt to thwart any attempt to analyze it, which are both pretty unusual amounts of effort to spend from the POV of “we just want to gather your advertising data and listen to your microphone all the time” which are pretty standard things.
Yeah it’s been over a decade since I’ve dealt with the Apple App Store. But at the time, when publishing an app, they did all of this review and analysis of your app and they did not allow downloading additional executable code IIRC. Though if you are clever enough, you can get around that.
Ok, so Bytedance does exactly what Microsoft, Google and Apple do. Got it.
All 3 can and do run arbitrary code on their platforms. All three share your data with third parties. All three encrypt stuff in their codebase and especially google tries it’s hardest to break networking standards just to obfuscate what their code is doing.
“There’s also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary.”
Obviously, the app creator can write whatever code they want into the app. If they want to update it, including to run an AB test, they can do a new version.
The only reason for unzipping and executing random binaries on-demand, outside of the normal app update process, is if you want to specifically target one individual or a group of individuals and enable functionality specifically for them that is custom to those particular people. Maybe you just have specific needs for them that aren’t served by the overall process, or maybe what you want to install is secret enough that you don’t want security researchers getting their hands on it. That second one would be consistent with the obfuscation around even the stock behavior of the app.
I am obviously not talking about HTTPS when I say “encryption to thwart any attempt to analyze it.”
If you can find me a large app that doesn’t have that capability then I’d be shocked. This is extremely common behavior for apps, and every piece of software I have ever been employed for has done this. That code is also still sandboxed by iOS and Android and has to go through the same APIs to interact with the OS, unless Pegasus found a way to infiltrate via app payloads.
This is one of those things that sounds really scary if you go into extreme detail and the other party doesn’t have enough experience to realize that it’s normal; like the way republicans talk about “hyper processed foods” and seed oils.
I know you’re not talking about https, which is why I mentioned DRM too. Nintendo encrypts all of their software, which is why they were able to DMCA Switch emulators.
Show me where in the Chrome or Firefox app there is code to download an executable – not a versioned update to the app through the Play Store, but a random chunk of code – and run it.
In iOS, sure, just give me the app source code and… oh wait, the compiled apps from the store are also obfuscated, guess I can’t search the code for you.
On Windows though you can look at what process runs when you click “update and restart” in Firefox or Chrome. Both have an updater service that is just there to run an update exe with admin permissions. Both could be used for the same attack vector you’re afraid of. Every {softwarename}_helper.exe is the same thing.
Chrome on iOS can execute javascript and has a history of vulnerabilities using that code execution, so much so that I even had to use the browser to jailbreak once, so I am not sure what point you’re trying to make other than fear mongering. You also still haven’t addressed the fact that the code execution is still sandboxed. Any app that uses electron can download a zipped bundle of code and run it as well. Also any app with a built-in web browser is allowed to do this
But you can also just look at Bloons TD 6 and their “downloading new content” windows when the game starts.
Let’s also look at the comment from the reddit thread you originally linked.
Phone hardware (cpu type, number of course, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)
Yeah that’s pretty normal, even javascript can get that just to render a page. I don’t like that it’s normal, but none-the-less
Other apps you have installed (I’ve even seen some I’ve deleted show up in their analytics payload - maybe using as cached value?)
Yeah this is normal too, and imo a huge issue. On windows there’s even an unprotected API for it. Again, I don’t like it, but it is normal.
Everything network-related (ip, local ip, router mac, your mac, wifi access point name)
Sketchy as hell, I agree, but every app you give local network access to does the same, so we should ban Messenger too.
Whether or not you’re rooted/jailbroken
Every banking app and Pokemon Go do this. This one can be very dangerous if you’re jailbroken.
Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds - this is enabled by default if you ever location-tag a post IIRC
Normal for social media. Shitty, but normal. We should just ban this feature
They set up a local proxy server on your device for “transcoding media”, but that can be abused very easily as it has zero authentication
As does Adobe Premier Pro and Final Cut. Sketchy again, but maybe we should just ban proxying without notifying the user.
Over the last few months, we’ve analyzed top banking apps and top travel apps, related to security and privacy issues. Much like TikTok, some of the results are alarming
Their other source appears to not do anything and gets “suspected phising” warnings on firefox https://penetrum.com/research/
“All apps on iOS are obfuscated, so it’s not important that TikTok on Android takes extra trouble to obfuscate itself in a very weird way which other Android apps generally don’t do.”
“All Windows apps work by downloading new binaries for themselves, because there’s no package management, so it’s not important that TikTok on Android takes extra trouble to bypass the package management and enable downloading custom per-user executables and running them.”
“Some apps have vulnerabilities by accident, so it’s not important that TikTok has a remote code execution vulnerability built in on purpose.”
“Apps have a security model, which by the way can be jailbroken, so it’s not important if something malicious happens within the app. Actually, forget what I said about jailbreaking.”
You haven’t actually addressed anything I said, just threw a whole bunch of words about related topics to make it sound like what I described about this particular topic is, within the scope of this topic, a normal thing. It’s not.
I directly addressed what you said, and your source, and your source’s sources. And after checking your source this entire argument feels like a waste of time because the claim about TikTok is a “trust me bro” from a Reddit comment in a deleted post. I however trust him, because every app can pull and execute JavaScript. Hell I even gave you an example of one that does the exact same thing and is targeted at kids (Bloons). You keep framing what TikTok does as a vulnerability even though it is explicitly allowed by Apple.
If you want to choose to be willfully ignorant to how bad app and data privacy is across the entire App Store then that’s your prerogative.
Caring about this obfuscation is comical and directly leans into my point about laymen getting scared by things every app does. Wait until you hear about denuvo and dynamic obfuscation and the execution capabilities every single video game made since the 90s has.
My point isn’t TikTok good, in fact I have it blocked on my network as well as all of China on a region block; my point is that TikTok is not uniquely bad enough to justify a ban for “security and privacy” while still allowing Meta and Twitter to exist. Meta specifically is worse because Messenger does literally everything that redditor claims TikTok does.
There is a difference in the data gathered and where it goes. But just like the cheap
Source?
losers sealioning to invert the how-do-you-know question hoping people forget the pedigree of the information isn’t the same, it’s easy for people to both-sides data gathering too.
And I say that’s fine. HAVE it so gathered data must go through a Clearinghouse or two (a gov entity eg SeaLandia or an org like fsf) so it’s provably anonymous and then we carry on. To me, this is the result of the discussion we need to have around who gets to spy on you and how we choose that to get benefits at reduced exposure to risk.
Is this a bot response? Where did I mention the US Government buying through a clearing house?
I am not arguing we shouldn’t ban tiktok, I am arguing that they’re not unique and if we’re going to ban them then we should ban Meta too because they are worse. Meta and Twitter have already done the things people are afraid of tiktok maybe doing in the future.
Not just a data miner, it has some crazy capabilities that are malicious even by the standards of social media phone apps, which were already explicitly malicious. If I remember right, it can download custom code to augment its capabilities per-target, and has encryption to attempt to thwart any attempt to analyze it, which are both pretty unusual amounts of effort to spend from the POV of “we just want to gather your advertising data and listen to your microphone all the time” which are pretty standard things.
In a surprisingly Reddit-esque move, Lemmys best answer is buried below emotionally charged nonsense
Yep, the thing is actual malware which for some reason gets a pass from Google/Apple.
That kinda makes Apple and Google malware too IMO, I should really switch to Graphene…
Yeah it’s been over a decade since I’ve dealt with the Apple App Store. But at the time, when publishing an app, they did all of this review and analysis of your app and they did not allow downloading additional executable code IIRC. Though if you are clever enough, you can get around that.
Ok, so Bytedance does exactly what Microsoft, Google and Apple do. Got it.
All 3 can and do run arbitrary code on their platforms. All three share your data with third parties. All three encrypt stuff in their codebase and especially google tries it’s hardest to break networking standards just to obfuscate what their code is doing.
… And two of them can be sued by the DoJ and forced into revolving compliance evals .
… if we had a non-toothless DoJ; I get it. But the ability is there.
That’s just AB testing, downloading over https, and having DRM. Every app on your phone does this, but it sure sounds scary when framed that way.
Every video game you have does the same thing too.
You’re doing the same thing Republicans do when they go into great detail about food ingredients to make salt sound scarier than it is.
Edit: You better also remove this foreign controlled app, targetted at children, that can download new code outside of the app store updates
https://www.reddit.com/r/videos/comments/fxgi06/not_new_news_but_tbh_if_you_have_tiktiok_just_get/
“There’s also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary.”
Obviously, the app creator can write whatever code they want into the app. If they want to update it, including to run an AB test, they can do a new version.
The only reason for unzipping and executing random binaries on-demand, outside of the normal app update process, is if you want to specifically target one individual or a group of individuals and enable functionality specifically for them that is custom to those particular people. Maybe you just have specific needs for them that aren’t served by the overall process, or maybe what you want to install is secret enough that you don’t want security researchers getting their hands on it. That second one would be consistent with the obfuscation around even the stock behavior of the app.
I am obviously not talking about HTTPS when I say “encryption to thwart any attempt to analyze it.”
If you can find me a large app that doesn’t have that capability then I’d be shocked. This is extremely common behavior for apps, and every piece of software I have ever been employed for has done this. That code is also still sandboxed by iOS and Android and has to go through the same APIs to interact with the OS, unless Pegasus found a way to infiltrate via app payloads.
This is one of those things that sounds really scary if you go into extreme detail and the other party doesn’t have enough experience to realize that it’s normal; like the way republicans talk about “hyper processed foods” and seed oils.
I know you’re not talking about https, which is why I mentioned DRM too. Nintendo encrypts all of their software, which is why they were able to DMCA Switch emulators.
Show me where in the Chrome or Firefox app there is code to download an executable – not a versioned update to the app through the Play Store, but a random chunk of code – and run it.
In iOS, sure, just give me the app source code and… oh wait, the compiled apps from the store are also obfuscated, guess I can’t search the code for you.
On Windows though you can look at what process runs when you click “update and restart” in Firefox or Chrome. Both have an updater service that is just there to run an update exe with admin permissions. Both could be used for the same attack vector you’re afraid of. Every
{softwarename}_helper.exeis the same thing.Chrome on iOS can execute javascript and has a history of vulnerabilities using that code execution, so much so that I even had to use the browser to jailbreak once, so I am not sure what point you’re trying to make other than fear mongering. You also still haven’t addressed the fact that the code execution is still sandboxed. Any app that uses electron can download a zipped bundle of code and run it as well. Also any app with a built-in web browser is allowed to do this
But you can also just look at Bloons TD 6 and their “downloading new content” windows when the game starts.
Let’s also look at the comment from the reddit thread you originally linked.
Yeah that’s pretty normal, even javascript can get that just to render a page. I don’t like that it’s normal, but none-the-less
Yeah this is normal too, and imo a huge issue. On windows there’s even an unprotected API for it. Again, I don’t like it, but it is normal.
Sketchy as hell, I agree, but every app you give local network access to does the same, so we should ban Messenger too.
Every banking app and Pokemon Go do this. This one can be very dangerous if you’re jailbroken.
Normal for social media. Shitty, but normal. We should just ban this feature
As does Adobe Premier Pro and Final Cut. Sketchy again, but maybe we should just ban proxying without notifying the user.
Edit: The source your reddit source gave is agreeing with me. https://www.zimperium.com/blog/zimperium-analyzes-tiktoks-security-and-privacy-risks/
Their other source appears to not do anything and gets “suspected phising” warnings on firefox https://penetrum.com/research/
This is a pretty impressive amount of deflection.
“All apps on iOS are obfuscated, so it’s not important that TikTok on Android takes extra trouble to obfuscate itself in a very weird way which other Android apps generally don’t do.”
“All Windows apps work by downloading new binaries for themselves, because there’s no package management, so it’s not important that TikTok on Android takes extra trouble to bypass the package management and enable downloading custom per-user executables and running them.”
“Some apps have vulnerabilities by accident, so it’s not important that TikTok has a remote code execution vulnerability built in on purpose.”
“Apps have a security model, which by the way can be jailbroken, so it’s not important if something malicious happens within the app. Actually, forget what I said about jailbreaking.”
You haven’t actually addressed anything I said, just threw a whole bunch of words about related topics to make it sound like what I described about this particular topic is, within the scope of this topic, a normal thing. It’s not.
I directly addressed what you said, and your source, and your source’s sources. And after checking your source this entire argument feels like a waste of time because the claim about TikTok is a “trust me bro” from a Reddit comment in a deleted post. I however trust him, because every app can pull and execute JavaScript. Hell I even gave you an example of one that does the exact same thing and is targeted at kids (Bloons). You keep framing what TikTok does as a vulnerability even though it is explicitly allowed by Apple.
If you want to choose to be willfully ignorant to how bad app and data privacy is across the entire App Store then that’s your prerogative.
Caring about this obfuscation is comical and directly leans into my point about laymen getting scared by things every app does. Wait until you hear about denuvo and dynamic obfuscation and the execution capabilities every single video game made since the 90s has.
My point isn’t TikTok good, in fact I have it blocked on my network as well as all of China on a region block; my point is that TikTok is not uniquely bad enough to justify a ban for “security and privacy” while still allowing Meta and Twitter to exist. Meta specifically is worse because Messenger does literally everything that redditor claims TikTok does.
I think we’re done here. I could repeat myself but it would be a waste of both our time.
There is a difference in the data gathered and where it goes. But just like the cheap
losers sealioning to invert the how-do-you-know question hoping people forget the pedigree of the information isn’t the same, it’s easy for people to both-sides data gathering too.
And I say that’s fine. HAVE it so gathered data must go through a Clearinghouse or two (a gov entity eg SeaLandia or an org like fsf) so it’s provably anonymous and then we carry on. To me, this is the result of the discussion we need to have around who gets to spy on you and how we choose that to get benefits at reduced exposure to risk.
Just, it’s not the same.
Is this a bot response? Where did I mention the US Government buying through a clearing house?
I am not arguing we shouldn’t ban tiktok, I am arguing that they’re not unique and if we’re going to ban them then we should ban Meta too because they are worse. Meta and Twitter have already done the things people are afraid of tiktok maybe doing in the future.