🧵With the growing concerns about #TikTok, I finally decided to have a look at it. In this thread, I will cover a review of its privacy policy and a quick dynamic analysis of the Android app with @pts and explain its limitations.
First of all, TikTok's privacy policy is quite explicit regarding what data is collected. Obviously, it collects the information the user provides such as profile information, contacts, payment card information or other third-party payment information.
Next, TikTok automatically collects a wide range of information such as keystroke patterns or rhythms, IP address, approximate location based on SIM card, IP address or location service. The app automatically detects and collects characteristics and features about the videos, images, and audio recordings by identifying objects and scenery.
The platform also infers information such as gender or interests and certainly more based on what we watch, what we like, the location where the app is used, etc. The purpose here is to build a profile in order to “suggest" relevant content.
Next, #TikTok gathers information from partners without explicitly saying who they are. It gets from partners information such as mobile identifiers, email address (plain or hashed), user ID and actions taken outside of the Platform.
#TikTok not only gathers information from partners, it shares some too without listing them. The platform shares unlisted information with advertisers to provide targeted ads and shares technical and usage information with data partners and analytics services.
The business model of #TikTok, #Facebook and others is based on the attention economy. The longer you stay, the more ads you see, the more money we make. This business model relies on targeted ads, thus, the platform has to collect a pile of info to build a profile as accurate as possible.
Now, let's jump into the dynamic analysis of the Android app. As you may know, the #TikTok app is heavily obfuscated and collected data is encrypted before transmission. The encryption is done in a part of the app that I was not able to instrument with #Frida. So, let's grab the low-hanging fruits.
By running the app on a rooted device and using PTS's #PiRogue, it is easy to retrieve TLS encryption keys, AES/RSA operations, socket activity and stack traces. We are then able to decrypt TLS traffic and decrypt encrypted payloads, except for traffic directly related to #TikTok.
After a quick look at the captured network traffic, it appears that the app embeds 3rd-party SDKs such as AppsFlyer or Google Firebase, as detected by @ExodusPrivacy. Note that AppsFlyer's SDK encrypts the data before transmitting it over TLS. It probably has something to hide.
AppsFlyer collects information related to the device such as sensors, brand, fingerprint, advertising ID, carrier, boot time, etc. We also find app usage data such as first launch, time between launches... This data collection is done without any consent or any other legal basis.
Yes, #TikTok collects a lot of info about the user, the user's content, the user's activity, the user's device… Embedded SDKs collect data too, as usual. While some data processing is legitimate, other processing such as analytics or targeted ads cannot be based on legitimate interest. The user's consent is required BEFORE the data collection takes place. The Privacy Policy is not a contract and cannot be considered as such. The sole purpose of this document is to inform the user of the various processing of their data.
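The "low-hanging fruit" hooks the thread mentions (AES/RSA operations and the stack trace that shows who called them) can be reproduced with a short Frida script. The one below is an added example, not code from the thread's author, from PiRogue or from Colander: it hooks javax.crypto.Cipher so that every init()/doFinal() pair is reported with its key, IV, input, output and a Java stack trace. The javax.crypto class and method names are the real API; the record layout and the helper names are this example's own choices. It only sees encryption that goes through the Java API, so it catches SDK-level payload encryption done that way and misses what the thread says is done in the part of the app that could not be instrumented.

```javascript
// Added example, not from the thread or the PTS project: Frida hooks on
// javax.crypto.Cipher that report each AES/RSA operation with key, IV, input,
// output and the Java stack trace of the caller.

// Pure helpers, kept free of Frida APIs so they can be unit-tested under Node.
function toHex(bytes) {
  // Works on JS arrays and on Frida's Java byte[] wrappers (signed bytes, -128..127).
  let out = '';
  for (let i = 0; i < bytes.length; i++) {
    out += ((bytes[i] & 0xff) | 0x100).toString(16).slice(1);
  }
  return out;
}

function sliceBytes(bytes, off, len) {
  // Copy a window of a byte array into a plain JS array (Java arrays lack .slice).
  const out = [];
  for (let i = off; i < off + len; i++) out.push(bytes[i]);
  return out;
}

// Cipher opmode constants: ENCRYPT_MODE = 1, DECRYPT_MODE = 2, WRAP_MODE = 3, UNWRAP_MODE = 4.
function opmodeToDirection(mode) {
  return { 1: 'encrypt', 2: 'decrypt', 3: 'wrap', 4: 'unwrap' }[mode] || ('mode' + mode);
}

function buildRecord(direction, transformation, key, iv, input, output) {
  // key/iv may be null (e.g. hardware-backed keys return null from getEncoded()).
  return {
    op: direction,
    transformation: transformation,
    key: key ? toHex(key) : null,
    iv: iv ? toHex(iv) : null,
    input: toHex(input),
    output: toHex(output),
    inputLen: input.length,
    outputLen: output.length,
  };
}

// Frida part: only runs inside the instrumented process (Java is undefined under Node).
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    const Cipher = Java.use('javax.crypto.Cipher');
    const IvSpec = Java.use('javax.crypto.spec.IvParameterSpec');
    const GcmSpec = Java.use('javax.crypto.spec.GCMParameterSpec');
    const Log = Java.use('android.util.Log');
    const Exception = Java.use('java.lang.Exception');
    const state = {}; // Cipher identity hash -> {mode, key, iv} captured at init()

    function remember(cipher, mode, key, spec) {
      let iv = null;
      if (spec !== null && IvSpec.class.isInstance(spec)) iv = Java.cast(spec, IvSpec).getIV();
      else if (spec !== null && GcmSpec.class.isInstance(spec)) iv = Java.cast(spec, GcmSpec).getIV();
      state[cipher.hashCode()] = { mode: mode, key: key.getEncoded(), iv: iv };
    }

    Cipher.init.overload('int', 'java.security.Key').implementation = function (mode, key) {
      remember(this, mode, key, null);
      return this.init(mode, key);
    };
    Cipher.init.overload('int', 'java.security.Key', 'java.security.spec.AlgorithmParameterSpec')
      .implementation = function (mode, key, spec) {
        remember(this, mode, key, spec);
        return this.init(mode, key, spec);
      };

    function report(cipher, input, output) {
      const s = state[cipher.hashCode()] || {};
      const rec = buildRecord(opmodeToDirection(s.mode), cipher.getAlgorithm(), s.key, s.iv, input, output);
      rec.stack = Log.getStackTraceString(Exception.$new()); // who called doFinal()
      send(rec); // delivered as a message to the frida CLI / frida-python side
    }

    Cipher.doFinal.overload('[B').implementation = function (input) {
      const output = this.doFinal(input);
      report(this, input, output);
      return output;
    };
    Cipher.doFinal.overload('[B', 'int', 'int').implementation = function (input, off, len) {
      const output = this.doFinal(input, off, len);
      report(this, sliceBytes(input, off, len), output);
      return output;
    };
  });
}
```

Load it with `frida -U -f <target package> -l hook.js` against the rooted device; each message carries the hex key and IV, so the corresponding TLS-decrypted payloads can be decrypted offline. Only the two most common init()/doFinal() overloads are hooked; an app that uses update() or the ByteBuffer overloads needs those hooked the same way.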
@U039b Very interesting thread, even if, surprise surprise, there is no surprise.
@U039b You know what'd be funny: flooding them with data-poisoned data, with random fields filled with random strings, just to mess up their metrics.
@U039b that's a screenshot of MitMProxy?

@rriemann No, it is a screenshot of a tool named Colander that I am developing as part of https://pts-project.org/. I don't use mitmproxy anymore since it implies lots of drawbacks when used in the context of legal cases.

More details: https://pts-project.org/blog/year-2022-in-review/#colander


Ha @djoerd, thanks for sharing this post! Interesting deep dive into the privacy policy, business model and inner workings of the app. Thanks @U039b!

I was just live on our local broadcasting station to reflect on the safety issues concerning Tiktok (in Dutch): https://www.youtube.com/watch?v=2tjoM-EX9m0

We will have more conversations about Tiktok (and the rest of the bunch) the upcoming weeks (and probably years) so this thread is a valuable addition to the file I'm building up!
