Penetrum Security -- The Difference
Penetrum Security Analysis of TikTok versions 10.0.8 - 15.2.3
TikTok is a mobile application in which users can view, upload, like, duet, and share videos with one another. This mobile application seems harmless, with 66% of its users worldwide being under the age of 30 years old, and within the US 60% being within the age range of 16-24 years old (https://mediakix.com/blog/top-tik-tok-statistics-demographics/). Seems like fun making silly videos and memes, correct?
However, 37.70% of the known IP addresses linked to TikTok are Chinese. On TikTok’s ISP's privacy policy, they declare that they harvest and share your data with third-party vendors and business partners (https://rule.alibaba.com/rule/detail/2034.htm#AA). What if I told you that TikTok harvests an excessive amount of data and that this can all be proven right now? In this whitepaper, we here at Penetrum are going to prove that there’s an excessive amount of data harvesting, some vulnerabilities in TikTok’s code, as well as a few things that may make you feel pretty uncomfortable. Buckle up folks, it's about to get pretty wild. (All research will be publically available for all to see at https://penetrum.com/research/)
Overview:
* 37.70% of known IP addresses linked to TikTok that were found inside of APK source code are linked to Alibaba.com; a Chinese sanctioned ISP located in Hangzhou.
* Alibaba’s privacy policy states that they share and distribute personal information of its users
* TikTok in itself is a security risk due to the following reasons;
* Webview, and remote webview enabled by default
* Application appears to take commands over text and receives them piping them directly into Java as an OS command
* The application that uses Java reflection while decreasing VM load time can also be taken advantage of by malicious users and has a CVE score of 8.8
* This application has been observed to log sensitive information such as;
* Device information
* User GEOlocation
* Monitors user activity
Links to Chinese IP addresses
Now it’s not a secret that TikTok is a Chinese mobile application, but just how much of this application is sanctioned and controlled by the Chinese? Well, according to our research, 23/61 IP addresses (or 37.70%) are stationed outside of the US with a majority of them being stationed inside of China and hosted by an ISP named Alibaba. Using the API from IPvoid and source code from the APK we were able to extract around 61 unique IP addresses. From there we used IPVoid’s API to discover the information associated with them. Below is just a single example of what we received back:
On the plus side, the IP address isn’t detected to be doing any nefarious activities, but that doesn’t change the fact that it is still inside of a Chinese controlled ISP. Now what we ask you to do is to keep this information in mind while we continue and come back to this shortly.
Alibaba’s Privacy Policy
Having mentioned above about the Chinese connections, we need to get into exactly how Alibaba protects, and uses end-user private information. To read fully on how it is processed and how it is handled you can follow this link: https://rule.alibaba.com/rule/detail/2034.htm#AA, which will take you to their disclaimers page. Let us highlight a few things about the disclaimers that stuck out to us personally;
* you will be asked to provide certain contact information that is necessary for the registering for a Platform account on behalf of a Buyer or Seller, including name, address, phone number, email address, job title, and department;
* We will collect details of user activities, transactions, and interactions on the Platform including information relating to the types and specifications of the products and services purchased, pricing and delivery information, dispute and complaint records, communications between users, and any information disclosed in any discussion forum.
* We may disclose (or provide access to) personal information to the following categories of recipients:
* Third-party business partners, service providers, and/or affiliates of Alibaba.com engaged by us or working with us to assist us to provide services to you or who otherwise process personal information for purposes described in this Privacy Policy or notified to you when we collect your personal information. Categories of these partners or service providers include:
* cloud computing service providers to provide cloud storage services;
* third party rating / reviewing service providers to carry out reviews of our services with customers if you choose to participate in reviewing or rating Alibaba products and/or services;
Now all of this seems pretty straightforward. That is until you realize that Alibaba was forced to shut down their servers due to a massive data leak in or around July 2019 (https://www.breakingasia.com/news/china-alibaba-shut-down-server-after-data-leak/). A total of 899GB+ of data was exposed to cybercriminals for over half a month. At that time Alibaba was (we assume) cooperating with TikTok on a daily basis. This not only puts Chinese citizens in jeopardy but American citizens as well. Before this investigation, a few of us had been using TikTok for well over a year, and we never heard anything about this 899GB+ data leak from their Chinese hosting ISP… how about you? Something from this leak that we would like to personally highlight is the following paragraph (keep this in mind for later):
If credit evaluation reports from the mobile loan apps weren’t bad enough, Anurag’s team also discovered 4.6 million unique entries of device data, including GPS locations, full lists of mobile contacts, SMS logs, IMSI numbers, IMEI numbers, device models and versions, stored app data from previous installations, and memory data (composition and content of mobile phone memory).
TikTok and What Data is Collected
It is known that mobile applications collect data, which they use to generate income and for targeted advertising for the end-user. However, when does extracting data hit the threshold of too much? Is it necessary for a mobile application to harvest the IMEI number of a phone, it's screen resolution, or the SIM card provider information? Is it normal for an application to have a section that enables tracking, collects GPS coordinates, and more? In this section we will get into what data is collected by TikTok. (All code seen here is from version 15.2.3).
The above image is pulled from the source code of TikTok (you can see all the code and the ones specified by downloading our research at https://penetrum.com/research/), the above source code contains a tracker named AppsFlyer. AppsFlyer is, according to their website, an “enterprise CRM-like SaaS platform that allows app developers to store, own, analyze, and control their customers’ data” (https://www.appsflyer.com/product/security-and-privacy/). That being said, it is clearly stated in the code that they use it for monitoring. To what extent? We are not sure, due to obfuscation and anti-VM precautions taken by TikTok after version 10.0.8. What we can derive from the code is that when the variable shouldMonitor is set to true the application enables a tracker. One of the tracking methods AppsFlyer uses is location data, which is used to process user location to produce location-based advertisements.
Continuing with the location tracking, the code above is also pulled from the APK source code. The requested permission android.permission.ACCESS_FINE_LOCATION is used to allow the API “to determine as precise a location as possible from the available location providers, including the Global Positioning System (GPS) as well as WiFi and mobile cell data.” (https://developers.google.com/maps/documentation/android-sdk/location). The protection level of this permission is labeled as “dangerous” and another permission (which is also requested by the application) is given as an alternative to the use of this one.
Continuing on from here we come across this code, which is a file filled with data harvesting. It collects everything from the current OS version to running network events (WiFi SSID changes, etc), and even the IMEI number of the associated phone. This is extremely alarming to us due to what was said in the above data leak “including GPS locations, full lists of mobile contacts, SMS logs, IMSI numbers, IMEI numbers, device models and versions, stored app data from previous installations, and memory data”, now we at Penetrum cannot make a direct connection to this breach and TikTok, but it seems very suspicious that the data collected is mentioned in a breach that happened to their ISP provider. We understand that data is needed to be collected for the developers to thrive and continue producing good code for the application. But, where do we draw the line when it comes to too much data?
The above code taken from the TikTok APK, shows the collection of cellphone data, specifically the IMEI of the cell phone. The IMEI number of a phone is literally created to identify the phone. The IMEI when used by trackers is usually used to determine whether an application is re-installed on a phone and give an analysis of other applications that are installed on the phone. Essentially, it creates an extremely realistic and graphic fingerprint of your phone which can be used to determine everything you have installed. Getting infor