Are we safe from TikTok?


We all know that one doomsday guy who always goes on and on about how "Social media companies are spying on us and collecting our private data; we should avoid social media like the plague."

Well... I am that guy 😅. I was talking to a friend about reducing screen time. My biggest offenders are YouTube and mobile games; hers was TikTok. She shared some funny TikToks, and I noticed that each time she did, they all came with a tracking ID tied to her account and a message to join her on TikTok. Now, this isn't strange behaviour at all in this new world of ours, but there was something peculiar about how they were going about it. It somehow felt imposing... I couldn't explain it, but I had a strong urge to download the app and a sense of dread at the same time.

I remembered all the bad press TikTok had been getting these past two years and decided to take a look into it myself before I downloaded the app.

The History of Tiktok

Remember the good old days of Vine? Back in the early 2010s, Vine was just about the closest thing to TikTok. Right around that time, a Chinese startup now called ByteDance was formed. What set ByteDance apart from any ordinary startup was how many Chinese government officials were employed there, a mystery which would later be revealed.

ByteDance's first goal was to create a news app. Instead of the usual news format of reporters and editors creating the news and publishing it, ByteDance was working on a state-of-the-art algorithm to serve as the backbone of their news app.

Their news app, Headlines, was a genius invention. The algorithm chose and curated the news for each individual user, leaving no need for editors and reporters but, perhaps most importantly, serving users exactly what they wanted to consume. The app was a hit, gaining 10 million users in just 3 months!

The success of Headlines was followed a few years later by another app, Douyin, the direct ancestor of TikTok. Within just a year it had gained around 100 million users, with over a billion videos viewed per day! With this, the stage was set: ByteDance was ready to go international.

They named the international version of Douyin "TikTok" and launched it. Soon enough people caught wind of it, and it was fairly successful. But as it got more successful, there was another competitor in the space, Musical.ly. Musical.ly was an app that allowed its users to create 15-second to 1-minute lip-syncing music videos and choose sound tracks to accompany them, use different speed options (time-lapse, fast, normal, slow motion, and epic) and add pre-set filters and effects.

ByteDance saw the potential of Musical.ly and acquired it for a whopping US$900 million. ByteDance consolidated the user accounts of Musical.ly and TikTok, merging the two apps into one under the name TikTok. Former Musical.ly users could still produce videos between 15 seconds and one minute, but could now access a larger number of filters and effects, as well as smoother editing and publishing systems and higher-quality code. And thus TikTok as we know it was born.

Investigation

Fast forward to today, whenever you're reading this: a lot of governments have banned TikTok either completely or at least for government officials and their families. I'm very skeptical by nature, so this alone isn't enough of a deterrent, but when both former US president D.J. Trump and current president J. Biden agreed that TikTok was a credible threat, that caught my attention! Those guys seem to go out of their way to disagree on everything 😂.

Given the amount of negative press TikTok has been getting, I figured they would have gone to extreme lengths to obfuscate any nefarious code in their app. With that in mind, I went to a third-party app store and looked for the oldest version of TikTok; thanks to The Wayback Machine, I was able to get my hands on v10.xxx upwards.

Heavy Chinese Ties

[Screenshot: Chinese IP addresses]

The first thing I found while analysing the app was the set of IP addresses TikTok calls to send and receive data. I found:

  • Total: 81 IP addresses
  • Live: 32 IP addresses
  • Dead: 48 IP addresses
  • Chinese owned: 58 IP addresses 

No one is surprised that TikTok calls Chinese IP addresses, but what was truly mind-blowing was just how many there are. 58 of the 81 IP addresses were Chinese, which makes it 71.6% of all the IP addresses (of the ones I found, anyway). Of those 58, 48 belong to Alibaba and 10 belong to ByteDance. What worries me about this is the fact that ByteDance basically works with the Chinese government, and I wouldn't expect any different from Alibaba.

Invasive Tracking

After tediously going through hundreds of libraries and classes, I finally stumbled upon something interesting: a library called AppsFlyer. Check this out:

[Screenshot: AppsFlyer library]

Wikipedia says:

AppsFlyer is a SaaS mobile marketing analytics and attribution platform 

So the library is basically for tracking, collecting and attributing data and analytics about the app's users. Check this out:

[Screenshot: collecting IMEI]

They are collecting IMEIs. An IMEI is a unique identifier for each individual cell phone. You can think of it as your phone's fingerprint.

Check this out as well:

They are also collecting location info.

Just when I thought I had seen the worst of it, I saw something even scarier...

These are some permissions that are REQUIRED for the app to function, as in, MANDATORY! Let's go over them:

  • Camera: Autofocus
  • Location: Network, GPS
  • Microphone
  • Touch Screen
  • Screen: Portrait
  • Telephony
  • Wifi  

Now, some of these I can understand. The app couldn't work without the phone's touch screen, portrait mode and mayyyybe WiFi. But why would the camera and autofocus be mandatory right off the bat? I would understand it being an optional requirement when someone wants to create content; the same goes for the microphone. Unless one is recording a video from the app, it really doesn't need to be constantly on. WHY do the camera and microphone HAVE TO BE required regardless of what you're using the app for?

How about the location, network and GPS? Why on Goku's earth would TikTok deem it MANDATORY to know your location, network and GPS for you to use the app?
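A review step I'd add at this point (an added example, not from the original post): the "mandatory" entries listed above correspond to `<uses-feature ... android:required="true">` declarations in the APK's AndroidManifest.xml, so a short script over a decoded manifest lists exactly which hardware an app refuses to install without. The manifest below is constructed to mirror the post's list and is not TikTok's real manifest; the sensitive-feature and permission sets are my own choices.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # manifest attribute namespace

# Constructed sample modelled on the post's list of mandatory features.
# Not TikTok's manifest: decode a real APK with apktool and read its AndroidManifest.xml.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videoapp">
  <uses-feature android:name="android.hardware.camera.autofocus" android:required="true"/>
  <uses-feature android:name="android.hardware.location.gps" android:required="true"/>
  <uses-feature android:name="android.hardware.location.network" android:required="true"/>
  <uses-feature android:name="android.hardware.microphone" android:required="true"/>
  <uses-feature android:name="android.hardware.telephony" android:required="true"/>
  <uses-feature android:name="android.hardware.touchscreen"/>
  <uses-feature android:name="android.hardware.bluetooth" android:required="false"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

# Hardware a plain video-sharing app has no obvious reason to require at install time.
SENSITIVE_FEATURES = ("camera", "location", "microphone", "telephony")
# Dangerous-tier permissions a reviewer should expect the app to justify.
SENSITIVE_PERMISSIONS = {"CAMERA", "RECORD_AUDIO", "ACCESS_FINE_LOCATION",
                         "ACCESS_COARSE_LOCATION", "READ_PHONE_STATE", "READ_CONTACTS"}


def required_features(manifest_xml):
    """Names of <uses-feature> entries the app marks mandatory.
    android:required defaults to true when omitted, so an unmarked feature counts."""
    root = ET.fromstring(manifest_xml)
    return [f.get(ANDROID + "name", "") for f in root.iter("uses-feature")
            if f.get(ANDROID + "required", "true").lower() == "true"]


def sensitive_required_features(manifest_xml):
    """Mandatory features that touch the camera, location, microphone or telephony."""
    return [f for f in required_features(manifest_xml)
            if any(key in f for key in SENSITIVE_FEATURES)]


def sensitive_permissions(manifest_xml):
    """Requested permissions from the sensitive set, by short name, sorted."""
    root = ET.fromstring(manifest_xml)
    names = (p.get(ANDROID + "name", "").rsplit(".", 1)[-1] for p in root.iter("uses-permission"))
    return sorted(n for n in names if n in SENSITIVE_PERMISSIONS)


if __name__ == "__main__":
    for feat in sensitive_required_features(SAMPLE_MANIFEST):
        print("mandatory sensitive feature:", feat)
    print("sensitive permissions:", sensitive_permissions(SAMPLE_MANIFEST))
```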

What about Telephony? What even is that? developer.android.com says telephony:

Provides APIs for monitoring the basic phone information, such as the network type and connection state, plus utilities for manipulating phone number strings.

Now, what APIs are provided by telephony?

Yuuuup! An app for watching and maybe creating videos made it MANDATORY to use a package that gives it access to APIs that can basically:

  • know your cell location
  • know your cell info
  • know your mobile data activity
  • know the precise state of your data connection 
  • get notified when your network carrier and/or its configuration changes
  • know the cause for your disconnected calls
  • get indicators of call forwarding
  • know the state of your phone calls
  • know your network carrier 
  • know the status of your data activation
  • know the state of your data connection

I haven't found any evidence of malicious behaviour in TikTok's code, but it goes without saying that their parent company, ByteDance, has employees from the Chinese government, most of their IP addresses call Chinese data centres, and all Chinese companies are required by law to provide whatever data the government wants. All this on top of the fact that they are COLLECTING all manner of private information from ALL their users.

The Experiment

So after all these findings, I decided to download the app myself and test whether they are actually using the data they are harvesting. For the experiment to work, I needed to make sure I didn't contaminate my account whatsoever. I needed TikTok to use its own algorithm without my input.

With that in mind, I created a blank account with a random username, a random birthday and no initial interests. I started watching videos on the For You page and made sure not to open any TikToks sent to me in the app, so TikTok wouldn't attribute my account to anyone else's. To test whether they were listening to my conversations, I started binge-watching specific YouTube videos on speaker whenever TikTok was running in the background. I spent a whole Saturday watching Connor Price and Dax videos. Sunday morning, on my For You page, I got this:

Now, if this is not evidence enough, I don't know what is.

Conclusion

Clearly TikTok is harvesting all manner of private information about us from our phones: listening to our private conversations, tracking our cell location, tracking our GPS, tracking heuristics about our phone calls, etc.

With the combination of IMEI, network carrier, cell location and GPS, TikTok basically knows exactly where you are even after you change your mobile carrier and network. On top of that, since you happily give them your name and date of birth and allow the app to go through your contacts to "find your friends", coupled with the fact that they already have access to your camera (with autofocus) and are clearly listening to your conversations, this means that TikTok knows who you are. As in, YOU! THEY KNOW YOU! They know where you stay, where you work, who your friends are, what you talk about with everyone you talk to (EVERYTHING YOU TALK ABOUT with EVERYONE you talk to).

The question is, why should we care about any of that? Especially since all this information seems to better our experience on the app.

If you live in a country where the government protects your rights, this seems like a valid question. But if, like me, your native country has gone through its fair share of authoritarian regimes, you know the value of privacy and relative anonymity. When your government wants to control every aspect of your life, including what you can and cannot say, your home is a haven: there you can be free to criticise the government without fear of disappearing. But with apps like TikTok actively spying on their users, you're never free, ever.

The problem with living in a free country is the assumption that it will always stay that way, that your leaders will forever remain benevolent. From personal experience I know that they can change in an instant, and when they do, you need to make sure you're not sharpening your enemy's tools for them. For me this means taking control of my privacy and security, and TikTok is a MASSIVE violation of both. I don't want the Chinese, or any government for that matter, to have access to my entire private life and location at all times. The same goes for any company or corporation.

Right now it's the Chinese government doing the spying, so it's easy to feel like you're safe. If we let China do this, what then stops other governments from doing the same? Africans know better than anyone else that during their fight against colonialism, a lot of African countries were sponsored and helped by China. Today most of the industrial and infrastructure development is sponsored by China. Most consumer products are from China as well. I'm sure that the superpower that has helped your country from the late 20th century to this day definitely does not influence your government at all, right? African governments are famous for protecting the liberties of their citizens....

My advice: delete that app! If you really need to use it, stick to the web version in your browser.