TikTok Reverse-Engineered : A Peek At How It Works!

TikTok is getting exposed as a really bad piece of malware, and it doesn’t help when people like bangarlol claim to have reverse-engineered it, giving us a peek at how it all works!

 

TikTok : Controversies After Controversies

TikTok is a Chinese social networking service built around short video clips. Developed and owned by ByteDance which is based in Beijing, it is very popular amongst young people and even children.

This has led to numerous controversies as TikTok proved slow or reluctant to remove dangerous or racist videos :

TikTok has also been dogged by accusations of snooping on users, but that got serious recently, when they were caught twice spying on what we typed, followed by a ban by the Indian government.

 

TikTok Reverse-Engineered : A Peek At How It Works!

bangorlol, who claims to reverse-engineer apps for a living, claimed to have figured out how TikTok worked, and what it was “harvesting” from its users.

Data Harvesting Gone Mad?

He warned that TikTok is a “data collection service” that is “essentially malware that is targeting children“, collecting everything they can get their hands on, even data unnecessary for the features they offer.

  • other apps that you installed, even those you deleted!
  • everything on your network, including network configuration and devices!
  • your GPS location – roughly once every 30 seconds!

This data collection is so critical that the TikTok app is disabled if you block communications to their data analytics host at the DNS level.

TikTok Reverse-Engineered : A Peek At How It Works!

What You Don’t Know Can’t Hurt You?

The TikTok app itself is specially designed to obfuscate (make it difficult to figure out) what they are really doing.

The First Taste Of Fame…

According to bangorlol, the TikTok service will entice you by letting your first post get more likes, giving you a taste of going viral.

This will hopefully hook you into using their app, which would lead to more users as your friends will want to join in too.

Remote Payload?

bangorlol found code that allows for the downloading of a remote file, unzipping it and then executing the binary – something no legitimate app will ever do.

Can’t Be Bothered With SSL But Encrypt The Data They Collect?

Apparently, TikTok has not been using SSL (HTTPS) for a long time, leaking user email addresses through their HTTP REST API, as well as the real names and birthdays of their users.

Yet they took the effort to encrypt all of the data they collect from their users, even changing the encryption keys with every update, so you don’t know what they’re collecting.

 

TikTok Reverse-Engineered : The Full bangorlol Post

For those who want to read bangorlol’s full post, here it is :

I reverse-engineered the app, and feel confident in stating that I have a very strong understanding for how the app operates (or at least operated as of a few months ago).

TikTok is a data collection service that is thinly-veiled as a social network. If there is an API to get information on you, your contacts, or your device… well, they’re using it.

  • Phone hardware (cpu type, number of course, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)
  • Other apps you have installed (I’ve even seen some I’ve deleted show up in their analytics payload – maybe using as cached value?)
  • Everything network-related (ip, local ip, router mac, your mac, wifi access point name)
  • Whether or not you’re rooted/jailbroken
  • Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds – this is enabled by default if you ever location-tag a post IIRC
  • They set up a local proxy server on your device for “transcoding media”, but that can be abused very easily as it has zero authentication

The scariest part of all of this is that much of the logging they’re doing is remotely configurable, and unless you reverse every single one of their native libraries (have fun reading all of that assembly, assuming you can get past their customized fork of OLLVM!!!) and manually inspect every single obfuscated function. They have several different protections in place to prevent you from reversing or debugging the app as well. App behavior changes slightly if they know you’re trying to figure out what they’re doing. There’s also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary. There is zero reason a mobile app would need this functionality legitimately.

On top of all of the above, they weren’t even using HTTPS for the longest time. They leaked users’ email addresses in their HTTP REST API, as well as their secondary emails used for password resets. Don’t forget about users’ real names and birthdays, too. It was allllll publicly viewable a few months ago if you MITM’d the application.

They provide users with a taste of “virality” to entice them to stay on the platform. Your first TikTok post will likely garner quite a bit of likes, regardless of how good it is.. assuming you get past the initial moderation queue if thats still a thing. Most users end up chasing the dragon. Oh, there’s also a ton of creepy old men who have direct access to children on the app, and I’ve personally seen (and reported) some really suspect stuff. 40-50 year old men getting 8-10 year old girls to do “duets” with them with sexually suggestive songs. Those videos are posted publicly. TikTok has direct messaging functionality.

Here’s the thing though.. they don’t want you to know how much information they’re collecting on you, and the security implications of all of that data in one place, en masse, are fucking huge. They encrypt all of the analytics requests with an algorithm that changes with every update (at the very least the keys change) just so you can’t see what they’re doing. They also made it so you cannot use the app at all if you block communication to their analytics host off at the DNS-level.

For what it’s worth I’ve reversed the Instagram, Facebook, Reddit, and Twitter apps. They don’t collect anywhere near the same amount of data that TikTok does, and they sure as hell aren’t outright trying to hide exactly whats being sent like TikTok is. It’s like comparing a cup of water to the ocean – they just don’t compare.

tl;dr; I’m a nerd who figures out how apps work for a job. Calling it an advertising platform is an understatement. TikTok is essentially malware that is targeting children. Don’t use TikTok. Don’t let your friends and family use it.

 

Recommended Reading

Go Back To > Cybersecurity | Software | MobileHome

 

Support Tech ARP!

If you like our work, you can help support our work by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!


Comments

comments

About The Author

Leave a Reply

%d bloggers like this: