Tell HN: Chinese TikTok is the most privacy invasive app I've ever seen

46 points by schleck8 ↗ HN
This is about the Chinese version of Tiktok, Douyin. It's basically the same but exclusive to Mainland China. To summarize:

- It immidiately attempts to access the clipboard contents after opening

- It makes 140 DNS requests to atleast 5 different domains in the first three minutes after closing the app

- it makes an additional 50 DNS requests 5 minutes after closing the app

- it continuously makes tracking requests in the background after being closed

- It requests phone and location permissions immidiately after opening

Some of the domains it contacts after being closed:

- pstatp.com - zijieapi.com - bytecdn.cn - snssdk.com - amemv.com - douyincdn.com

This is honestly even crazier than I expected. I've never seen an app contact this many subdomains even while being in the foreground. Instagram contacts around 5 for comparison, and only while running in the foreground.

35 comments

[ 3.8 ms ] story [ 80.0 ms ] thread
Very interesting. How did you measure this? On-device or on the wire or with MITM?
Pretty simple with DNS logging. I installed the APK (it's not georestricted, you can just install it on Android).

I set up a permanent VPN killswitch while testing, set up NextDNS as private DNS provider in the system settings and changed the NextDNS settings to log all contacted domains. You can then view the DNS requests in real time

As for the clipboard, newer Android versions give you a toast when something uses the clipboard API to fetch its content

I think there's an evident need for someone to do a deep analysis of this app's behavior. Both with interception/MITM and possibly disassembly if that's even possible ATM.

I remember trying to disassemble a facebook APK years ago and that was way too involved even then (because of countermeasures).

Perhaps using frida on android is a saner approach these days.

Why do you interpretate a DNS request as a "privacy invasion"?

To me many DNS request sounds like a broken / poorly designed app. Do you block the requests - is that reason for the large number?

Because some of the domains mixed into the bunch, which were contacted independently from the CDN at times, are known tracking domains.

Even disregarding this fact, Douyin has 700 million annual users and this issue does not exist with Tiktok which uses the same codebase. You are telling me this is not intentional but an accident? With a company as large and skilled as Bytedance?

It is an app not constrained by browser same origin rules.

It could just do one request sending the tracking information and the receiver could pass that on as needed.

I don't think you can deduce what you deduce from the number of DNS requests it does.

It's rather about the fact that this is happening minutes after closing the app than the number, I do agree with you on the latter
The domains in question are very clearly analytics collectors disguised as cdns
What does TikTok do that Instagram doesn't? TikTok is a privacy nightmare, but not more so than any other social network.
Yeah, many platforms converge to similar methods.

But only some of them are controlled by totalitarian regimes, of course.

Although I can relate to the sentiment, and the history of US interventions is not one that's seen favorable today, I think that you are underestimating Xi's position right now.

China has become much more oppressive internally. And if you don't care about human rights for the Chinese population, then maybe you care about the fact that the Xi regime asserts eventual control over foreign reporting [1]:

“48-character policy” (48字方针), an all-dimensional vision of comprehensive control across media platforms and bridging the domestic/international frames, articulated through 12 four-character phrases. ... Party domination of the message as reflected in both domestic and international public opinion"

[1] https://chinamediaproject.org/2022/05/03/developing-online-m...

I agree, the regime in China is nothing good. But we live in an imperfect world and they clearly are the "lesser of the many evils" our there. Just one concrete example: China didn't wage wars for 20+ years in the Middle East, resulting in millions of desperate refugees showing up on our doorstep.
Again, it's a question of perspective. Mao killed dozens of millions of people and strongly supported the Khmer Rouge, which in turn were responsible for some of the worst atrocities of the 20th century. Xi seems to be performing a turn back towards authoritarianism.

Who do you trust? Out of both countries, I worry more about that which is less transparent and has less democratic institutions and less commitment to human rights. Though I worry about both, of course.

Those transparent democratic institutions didn't stop 20+ years of war in the Middle East.
This neither addresses my point nor is it relevant to the comparison.
It is relevant. Your point: "US is less scary/harmful than China, because it's a democracy". My response: "The fact that US is a democracy doesn't change anything if you are not a citizen of that democracy. Also being a democracy didn't prevent US from committing mass-murder in the Middle East".
Vietnam begs to differ. NK is a made up vassal state in the korea war. Tension almost broke out in war with USSR. India is object of continous skirmishes (sino-indian war, 1962). Japan was too strong to combact, but not to antagonize (in the public discourse), SK is a protectorate.
I have done the same with Instagram and there is no background network activity.
I don't use any Facebook services, but when a friend visits my place I see background network activiy in my PiHole from all Facebook-owned apps.
Did you to examine what is trigggering it? Is because of a shared IP-address or a shared physical location?
Not really. It's just that tons of Facebook/Instagram domains show up in the PiHole admin page.
How is this suprising? China's brand of authoritarianism (Marxism–Leninism) is based on control. The Chinese people recognize this as not just a legitimate, but effective way of doing things. They value predictability above all.
I agree on the efficiancy part but how is it legitimate? It's not legitimized by anyone but the oligarchy, normal people have zero influence on anything political.
Thanks, this is very interesting!

When I use the TikTok website in France, from desktop, I notice my Ublock Origin blocks 30 to 40 requests per minute, this doesn't happen with any other socials. Therefore, I didn't dare installing the app on my tablet!

Take a look at how many things uBlock blocks when you open Slack on your browser.
> this doesn't happen with any other socials

This happens regularly with Discord.

Why does it matter if it's 200 subdomains, or just one packet with all the relevant info sent on the same connection that's downloading the videos?

This is only weak evidence of privacy breach, and strong evidence of sloppy programming. Domain names are things like "api", "sdk", "cdn".

Bugs are just security issues.
You're describing "nice to have"s. The real invasion happens in the data center, away from what's measurable on the/any client.
For folks who have already read the (great) CitizenLab report but would like more research-based literature into TikTok and/or Douyin:

- Analyzing TikTok from a Digital Forensics Perspective : (Published in 2021 by some Portuguese researchers: https://iconline.ipleiria.pt/bitstream/10400.8/6263/1/jowua-...

- Post-mortem digital forensic artifacts of TikTok Android App : (Published in 2020 at ARES 2020: The 15th International Conference on Availability, Reliability and Security ; authors are a lot of the authors from the Analyzing TikTok paper in the previous link): https://www.researchgate.net/publication/343856173_Post-mort...