When it is free, then your data is the price.
Let me begin this with a bang. TikTok is the most secured app in the world right now.
Yeah it really is a joke.
TikTok as you know, is being used by millions of users around the globe (except India right now) to share their ideas and passion in the form of videos over the internet. It is a short-form mobile video platform that is easy and fun to use.
But what about the security and privacy of the app ? Is the data really safe ?
Does TikTok collect too much user data ?
The answer to these questions is simple. It is a complete mess.
Recently I came across a Reddit thread posted by an user going with the name bangorlol where it is claimed that TikTok is nothing but a data collection service. It tracks and collects too much data that even Facebook and Instagram will be ashamed of themselves. Some of the details that they collect are related to,
- Phone Hardware
- IP of your phone, WiFi access point name, Router MAC address
- Whether your phone is Jail-broken or rooted
- Sometimes even the apps you have installed on your phone
- GPS ping/track your device when your phone location is on
- Monitoring user activity
These might sound normal to a few, but why does an app have to track my phone to see what other apps i am using. The Reddit user also says that TikTok app is created in such a way that it is very tough to reverse engineer the app for finding possible vulnerabilities and issues. Also the app behaviour changes if TikTok comes to know that you are trying to figure out what they(TikTok) are doing.
And lastly the user admits that he has never seen such an app like TikTok that collects huge amount of user data and trying to hide what they are doing with it.
OK, let us assume that these facts are not enough to say that TikTok is a spyware.
Penetrum, a Cyber-security firm recently published its whitepaper on the Security Analysis of TikTok. And only after reading that whitepaper, I made my decision to write this article so that i can educate my readers on how bad TikTok is and how the app has been using ‘us’ for its own gain.
Data Collection at its worst
The investigation/analysis done by Penetrum reveals that TikTok collects the IMEI number of an user’s phone including the SIM card provider information. Also the application has a separate section inside its code to enable tracking so that it can collect the GPS coordinates.
Below is a snapshot of the code present inside TikTok that depicts how it collects IMEI information.
Image Courtesy: Penetrum
The IMEI number that TikTok collects is used by a tracker named AppsFlyer which is used to determine what applications are installed on your smartphone and also whether an application is re-installed on your phone.
Collecting user’s IMEI details is really bad and it should not be used for advertising or marketing gains.
TikTok IPs are linked to China
The analysis from Penetrum also reveals that over 37% of the IP addresses used by TikTok are coming from China and it is hosted by Alibaba. Alibaba services has its own privacy policies in terms of data collection and security which is similar to other companies.
But the alarming factor is this.
In 2019 Alibaba suffered a massive data breach that affected its services and around 900GB of user data got exposed to cyber criminals. It is also alleged that during that time, Alibaba was co-operating with TikTok related to the cyber attack but TikTok did not reveal anything from their side.
Also the data breach from Alibaba revealed around 4.6 million user data entries that consisted of IMEI numbers, device details and models, SMS logs, stored app data, etc.
These sound similar to the ones that TikTok collects.
We are not sure whether TikTok was also breached during that time, but things don’t look clear and TikTok still uses IPs that are hosted by Alibaba.
Bad Security Practices
Penetrum also claims that TikTok was using an old cryptographic algorithms named MD5 which was depreciated since 2011 and it is known for its weak hashing algorithm and prone to vulnerabilities.
A snippet of it used in the TikTok code is below.
Image Courtesy: Penetrum
Also the usage of user defined variables in SQL queries within the app code, storage of API tokens and usage of insecure Web View that is enabled by default, makes the app more vulnerable to third party hacks and attacks.
There are also reports claiming that TikTok was using HTTP instead of HTTPS for its REST API services for various functionalities within the app. And only few months back, this was fixed by the company.
Snooping for user information
This is something that I came to know recently. Numerous reports emerged last month that TikTok was snooping on smartphones by illegally reading user’s clipboard details on their phones.
A new privacy feature in iOS 14 exposed this behavior of TikTok. Also Security researchers compiled a list of over 30 apps that access the clipboard when they’re launched. The most high-profile of those apps was TikTok.
TikTok was quick enough to respond this with a rubbish reply. It said that this behaviour of its app to read clipboards is an anti-spam feature and it will be removed in the next update.
But what kind of Anti-spam feature is this, that reads my phone’s clipboard ? Also why TikTok has to mention about this feature/behavior now after it is reported ?
All these questions still remain unanswered but one thing is clear for sure.
TikTok has been (is) doing things behind our back that are really concerning with respect to security and privacy.
I am still not able to digest the fact that TikTok collects too much of my information that i am not even aware of. By showing it as a social media platform with fun and entertainment, TikTok is acting as a data collection service.
I have always been vocal about “Your data is your right, and not someone else’s “. And i am voicing the same now.
No app should track and collect this much data like TikTok does.
To show you curated and personalized ads, tech companies do collect your information for this. But there is a limit for everything.
We cannot be used like puppets, just because we love something.
With the recent ban of TikTok in India due to security concerns, it is evident that the company is slowly started to fall apart. It is being estimated that the TikTok ban in India will cost its parent company ByteDance an estimated loss of around $ 6 billion.
That is all folks. Stop using TikTok if you really value your data and privacy.
I am repeating this again, when something is free in this digital world, then your data is the price you pay for it.
Details on the reports mentioned in this blog are below.
Penetrum research here.
Reddit thread here.
Follow our Facebook and Twitter page for more contents and news.