Tell HN: Chinese TikTok is the most privacy invasive app I've ever seen
- It immidiately attempts to access the clipboard contents after opening
- It makes 140 DNS requests to atleast 5 different domains in the first three minutes after closing the app
- it makes an additional 50 DNS requests 5 minutes after closing the app
- it continuously makes tracking requests in the background after being closed
- It requests phone and location permissions immidiately after opening
Some of the domains it contacts after being closed:
- pstatp.com - zijieapi.com - bytecdn.cn - snssdk.com - amemv.com - douyincdn.com
This is honestly even crazier than I expected. I've never seen an app contact this many subdomains even while being in the foreground. Instagram contacts around 5 for comparison, and only while running in the foreground.
35 comments
[ 3.8 ms ] story [ 80.0 ms ] threadI set up a permanent VPN killswitch while testing, set up NextDNS as private DNS provider in the system settings and changed the NextDNS settings to log all contacted domains. You can then view the DNS requests in real time
As for the clipboard, newer Android versions give you a toast when something uses the clipboard API to fetch its content
I remember trying to disassemble a facebook APK years ago and that was way too involved even then (because of countermeasures).
Perhaps using frida on android is a saner approach these days.
https://citizenlab.ca/2021/03/tiktok-vs-douyin-security-priv...
[edit]: Awesome to see that they publish their reports on github and even include frida components https://github.com/citizenlab/tiktok-report-data
To me many DNS request sounds like a broken / poorly designed app. Do you block the requests - is that reason for the large number?
Even disregarding this fact, Douyin has 700 million annual users and this issue does not exist with Tiktok which uses the same codebase. You are telling me this is not intentional but an accident? With a company as large and skilled as Bytedance?
It could just do one request sending the tracking information and the receiver could pass that on as needed.
I don't think you can deduce what you deduce from the number of DNS requests it does.
But only some of them are controlled by totalitarian regimes, of course.
China has become much more oppressive internally. And if you don't care about human rights for the Chinese population, then maybe you care about the fact that the Xi regime asserts eventual control over foreign reporting [1]:
“48-character policy” (48字方针), an all-dimensional vision of comprehensive control across media platforms and bridging the domestic/international frames, articulated through 12 four-character phrases. ... Party domination of the message as reflected in both domestic and international public opinion"
[1] https://chinamediaproject.org/2022/05/03/developing-online-m...
Who do you trust? Out of both countries, I worry more about that which is less transparent and has less democratic institutions and less commitment to human rights. Though I worry about both, of course.
When I use the TikTok website in France, from desktop, I notice my Ublock Origin blocks 30 to 40 requests per minute, this doesn't happen with any other socials. Therefore, I didn't dare installing the app on my tablet!
This happens regularly with Discord.
This is only weak evidence of privacy breach, and strong evidence of sloppy programming. Domain names are things like "api", "sdk", "cdn".
- Analyzing TikTok from a Digital Forensics Perspective : (Published in 2021 by some Portuguese researchers: https://iconline.ipleiria.pt/bitstream/10400.8/6263/1/jowua-...
- Post-mortem digital forensic artifacts of TikTok Android App : (Published in 2020 at ARES 2020: The 15th International Conference on Availability, Reliability and Security ; authors are a lot of the authors from the Analyzing TikTok paper in the previous link): https://www.researchgate.net/publication/343856173_Post-mort...