The Truth Behind TikTok

The Truth Behind TikTok

TikTok has taken the social media ecosystem by storm. Initially laughed off as a fleeting fad, the app proceeded to blast past 1 billion users faster than any other social media platform, with two-thirds of American teens reporting they use the app daily. With such mind-boggling growth has come a slew of suspicion and skepticism about the app’s data collection practices and ownership.

But it seems like we’ve seen this all before. When Facebook was revealed to be selling off user data to the company Cambridge Analytica, which used it to influence the US elections, the Internet was ablaze with outrage. Since then, it has become common knowledge that if a platform is free, then you, as the user, are the commodity. Your data is more valuable to app providers than a monthly subscription fee, and what they collect and what they do with it is often obfuscated in their terms and conditions and their app’s architecture.

So it begs the question, is TikTok really any worse than the other social media platforms we’ve all grown accustomed to harvesting our data over the years? Or is it just more of the same, with fresh outrage due to its surge in popularity?

What data does TikTok collect?

As with its predecessors, when you agree to TikTok’s terms and conditions, you are agreeing to allow it to track your behavior in detail. Meta (the parent company of Facebook, Instagram, and Whatsapp), Twitter, and YouTube, all track information about what you interact with and how within the app, as well as within other apps on your phone. TikTok behaves similarly, collecting large swaths of data within the app and across other apps on your phone. So this, in principle at least, is nothing significantly different or worse than its predecessors.

However, the way TikTok collects data, the thoroughness of what it collects, how it avoids checks and balances that other platforms adhere to, and what it does with that data, are what sets the relative newcomer apart.

When you agree to TikTok’s terms and conditions, you are allowing the app to access and copy incredibly sensitive data from almost everywhere on your phone: your contacts, your camera (including taking pictures and recording videos), clipboard content, badge notifications, your SD card (including reading and modifying content), keystroke patterns and rhythms, recording audio, details about your device and carrier, your location by time, facial details, any products that come within your camera view, emails and other contact information, your voice/vocal patterns, your name and age….

It’s A LOT. And this is not even an exhaustive list of everything you agree to share when you use the app. For more on the types of data TikTok can access, check out this article in TechCrunch, and this one on Gizmodo.

What else can the TikTok app do?

The most troubling thing is that the above-mentioned data (and all of the rest that TikTok collects) is not even the whole story as far as the invasiveness of the app. The way the app behaves (and that you consent to it behaving on your phone) makes it more similar to malware in many crucial areas.

TikTok can view and has access to all of your WiFi and network connections, it can control vibration settings, request package installs on its own, control sync settings, record and RE-ORDER any running apps, change your audio and vibration settings, send sticky notifications, prevent your phone from sleeping, and install shortcuts itself. Again, this is just a tiny sample of all of the functions the app can invoke. For more, you can dive deeper into this analysis on ProofPoint.

And even the full list of troubling functions visible to outsiders is just the tip of the iceberg. The code of the app is designed in such a way that there are likely many other malevolent features that we can’t even fully evaluate. The code circumvents Apple and Google code audits and analysis and uses its own native libraries, which are much harder to track than publicly available libraries. These native libraries also make it much more difficult to reverse engineer to begin to comprehend what’s actually happening behind the scenes. As if the functions visible to security professionals weren’t troubling enough, it’s likely that there’s much more to it than meets the trained eye.

Where does TikTok send user data?

But wait, there’s more. It’s clear that the TikTok app collects far more data and has far more control over your device than any app should be able to. But what it does with that data, and to whom it sends it, adds another dimension of potential risk.

Whereas other social media apps, with the exception of YouTube, tend to send the majority of the user data they collect to first parties (i.e. their own servers, or related subsidiaries), TikTok sends user data to a wide range of murky third parties. The reason we say “murky” is that TikTok has gone to great lengths to blur the lines between local data collection and storage and to whom they send your data. While they claim that data is stored in the US and Singapore, it seems very likely that a huge amount of user data is sent to China, and to unknown third parties within the state.

This makes perfect sense, as the company’s ownership is in China, its leadership is in China, and the vast majority of its development is in China. Not to mention, numerous data breaches of its US and Australian servers by Chinese entities have already been documented. And within China, the Chinese state can get access to any data they want from any company they want. While the exact scope of how much access the Chinese state has to TikTok user data is unclear, it’s plain to see it’s extensive, and this presents a multitude of security risks on many levels.

Is it worth it?

Anyone who has used TikTok has most likely noticed how easy it is to keep scrolling. A quick, impulsive check of the app can turn into hours of lost time in the vortex. On one hand, you have to hand it to the developers and UX/UI designers for creating an immersive experience. Creating such an addictive app for such a wide section of the population is no easy feat. It’s clear that it’s enjoyable, and it’s beside the point to pass judgment on those who enjoy using it.

Sharing videos and engaging with others on the platform has become a beloved pastime for over a billion users. It’s a new paradigm of expression, a unique platform for the modern digital experience. And all of this is extremely impressive, all security issues aside.

However, the problem is, is this novel mode of interaction and entertainment worth the risks that the app itself presents? Many would argue that they have nothing to hide, that their data isn’t valuable, and they don’t care who’s collecting it. But it’s more about the bigger picture: if EVERYONE’S data is being collected and analyzed in such granular detail, if nefarious actors can potentially control the devices of a huge part of a foreign population, this is no longer about personal data protection, it’s about state security on a macro level.

This might be a compromise that far outweighs the entertainment value TikTok provides, and only time will tell how the population and state governments respond to the risks it presents.


About the author

Citadelo is a firm of ethical hackers on your side. We think like hackers, but we don't abuse it. On the contrary, our main goal is to reveal vulnerabilities without causing damage. We have been conducting simulated attacks for our clients since 2006
Show more from author

Related blogs