In iOS, sure, just give me the app source code and… oh wait, the compiled apps from the store are also obfuscated, guess I can’t search the code for you.
On Windows though you can look at what process runs when you click “update and restart” in Firefox or Chrome. Both have an updater service that is just there to run an update exe with admin permissions. Both could be used for the same attack vector you’re afraid of. Every {softwarename}_helper.exe is the same thing.
Chrome on iOS can execute javascript and has a history of vulnerabilities using that code execution, so much so that I even had to use the browser to jailbreak once, so I am not sure what point you’re trying to make other than fear mongering. You also still haven’t addressed the fact that the code execution is still sandboxed. Any app that uses electron can download a zipped bundle of code and run it as well. Also any app with a built-in web browser is allowed to do this
But you can also just look at Bloons TD 6 and their “downloading new content” windows when the game starts.
Let’s also look at the comment from the reddit thread you originally linked.
Phone hardware (cpu type, number of course, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)
Yeah that’s pretty normal, even javascript can get that just to render a page. I don’t like that it’s normal, but none-the-less
Other apps you have installed (I’ve even seen some I’ve deleted show up in their analytics payload - maybe using as cached value?)
Yeah this is normal too, and imo a huge issue. On windows there’s even an unprotected API for it. Again, I don’t like it, but it is normal.
Everything network-related (ip, local ip, router mac, your mac, wifi access point name)
Sketchy as hell, I agree, but every app you give local network access to does the same, so we should ban Messenger too.
Whether or not you’re rooted/jailbroken
Every banking app and Pokemon Go do this. This one can be very dangerous if you’re jailbroken.
Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds - this is enabled by default if you ever location-tag a post IIRC
Normal for social media. Shitty, but normal. We should just ban this feature
They set up a local proxy server on your device for “transcoding media”, but that can be abused very easily as it has zero authentication
As does Adobe Premier Pro and Final Cut. Sketchy again, but maybe we should just ban proxying without notifying the user.
Over the last few months, we’ve analyzed top banking apps and top travel apps, related to security and privacy issues. Much like TikTok, some of the results are alarming
Their other source appears to not do anything and gets “suspected phising” warnings on firefox https://penetrum.com/research/
“All apps on iOS are obfuscated, so it’s not important that TikTok on Android takes extra trouble to obfuscate itself in a very weird way which other Android apps generally don’t do.”
“All Windows apps work by downloading new binaries for themselves, because there’s no package management, so it’s not important that TikTok on Android takes extra trouble to bypass the package management and enable downloading custom per-user executables and running them.”
“Some apps have vulnerabilities by accident, so it’s not important that TikTok has a remote code execution vulnerability built in on purpose.”
“Apps have a security model, which by the way can be jailbroken, so it’s not important if something malicious happens within the app. Actually, forget what I said about jailbreaking.”
You haven’t actually addressed anything I said, just threw a whole bunch of words about related topics to make it sound like what I described about this particular topic is, within the scope of this topic, a normal thing. It’s not.
I directly addressed what you said, and your source, and your source’s sources. And after checking your source this entire argument feels like a waste of time because the claim about TikTok is a “trust me bro” from a Reddit comment in a deleted post. I however trust him, because every app can pull and execute JavaScript. Hell I even gave you an example of one that does the exact same thing and is targeted at kids (Bloons). You keep framing what TikTok does as a vulnerability even though it is explicitly allowed by Apple.
If you want to choose to be willfully ignorant to how bad app and data privacy is across the entire App Store then that’s your prerogative.
Caring about this obfuscation is comical and directly leans into my point about laymen getting scared by things every app does. Wait until you hear about denuvo and dynamic obfuscation and the execution capabilities every single video game made since the 90s has.
My point isn’t TikTok good, in fact I have it blocked on my network as well as all of China on a region block; my point is that TikTok is not uniquely bad enough to justify a ban for “security and privacy” while still allowing Meta and Twitter to exist. Meta specifically is worse because Messenger does literally everything that redditor claims TikTok does.
I looked even further into your claims, the zip downloading thing has zero evidence that I can find other than one guy on Reddit.
This is a pretty fair point. I think I saw one other analysis that was similar to the reddit guy, but most people who do security analysis of TikTok seem to say that it’s not especially nefarious, or any more so than the other ones (which are all pretty nefarious). I don’t know why I trust this guy and not those guys. I just found it credible and specific on the positive side, where the other side is proving the negative. But yeah, there might be a bit of confirmation bias there.
In iOS, sure, just give me the app source code and… oh wait, the compiled apps from the store are also obfuscated, guess I can’t search the code for you.
On Windows though you can look at what process runs when you click “update and restart” in Firefox or Chrome. Both have an updater service that is just there to run an update exe with admin permissions. Both could be used for the same attack vector you’re afraid of. Every
{softwarename}_helper.exeis the same thing.Chrome on iOS can execute javascript and has a history of vulnerabilities using that code execution, so much so that I even had to use the browser to jailbreak once, so I am not sure what point you’re trying to make other than fear mongering. You also still haven’t addressed the fact that the code execution is still sandboxed. Any app that uses electron can download a zipped bundle of code and run it as well. Also any app with a built-in web browser is allowed to do this
But you can also just look at Bloons TD 6 and their “downloading new content” windows when the game starts.
Let’s also look at the comment from the reddit thread you originally linked.
Yeah that’s pretty normal, even javascript can get that just to render a page. I don’t like that it’s normal, but none-the-less
Yeah this is normal too, and imo a huge issue. On windows there’s even an unprotected API for it. Again, I don’t like it, but it is normal.
Sketchy as hell, I agree, but every app you give local network access to does the same, so we should ban Messenger too.
Every banking app and Pokemon Go do this. This one can be very dangerous if you’re jailbroken.
Normal for social media. Shitty, but normal. We should just ban this feature
As does Adobe Premier Pro and Final Cut. Sketchy again, but maybe we should just ban proxying without notifying the user.
Edit: The source your reddit source gave is agreeing with me. https://www.zimperium.com/blog/zimperium-analyzes-tiktoks-security-and-privacy-risks/
Their other source appears to not do anything and gets “suspected phising” warnings on firefox https://penetrum.com/research/
This is a pretty impressive amount of deflection.
“All apps on iOS are obfuscated, so it’s not important that TikTok on Android takes extra trouble to obfuscate itself in a very weird way which other Android apps generally don’t do.”
“All Windows apps work by downloading new binaries for themselves, because there’s no package management, so it’s not important that TikTok on Android takes extra trouble to bypass the package management and enable downloading custom per-user executables and running them.”
“Some apps have vulnerabilities by accident, so it’s not important that TikTok has a remote code execution vulnerability built in on purpose.”
“Apps have a security model, which by the way can be jailbroken, so it’s not important if something malicious happens within the app. Actually, forget what I said about jailbreaking.”
You haven’t actually addressed anything I said, just threw a whole bunch of words about related topics to make it sound like what I described about this particular topic is, within the scope of this topic, a normal thing. It’s not.
I directly addressed what you said, and your source, and your source’s sources. And after checking your source this entire argument feels like a waste of time because the claim about TikTok is a “trust me bro” from a Reddit comment in a deleted post. I however trust him, because every app can pull and execute JavaScript. Hell I even gave you an example of one that does the exact same thing and is targeted at kids (Bloons). You keep framing what TikTok does as a vulnerability even though it is explicitly allowed by Apple.
If you want to choose to be willfully ignorant to how bad app and data privacy is across the entire App Store then that’s your prerogative.
Caring about this obfuscation is comical and directly leans into my point about laymen getting scared by things every app does. Wait until you hear about denuvo and dynamic obfuscation and the execution capabilities every single video game made since the 90s has.
My point isn’t TikTok good, in fact I have it blocked on my network as well as all of China on a region block; my point is that TikTok is not uniquely bad enough to justify a ban for “security and privacy” while still allowing Meta and Twitter to exist. Meta specifically is worse because Messenger does literally everything that redditor claims TikTok does.
I think we’re done here. I could repeat myself but it would be a waste of both our time.
Edit: this was originally further continuing the argument but it was really rude.
If you’re seeing this I apologize. I get heated easily
This is a pretty fair point. I think I saw one other analysis that was similar to the reddit guy, but most people who do security analysis of TikTok seem to say that it’s not especially nefarious, or any more so than the other ones (which are all pretty nefarious). I don’t know why I trust this guy and not those guys. I just found it credible and specific on the positive side, where the other side is proving the negative. But yeah, there might be a bit of confirmation bias there.
I edited my comment before I saw you responded. My comment was rude as fuck and I apologize
I just ignored that part lol
It’s all good, I appreciate it.
You didn’t deserve it regardless. Thank you for the patience.