
That white paper is scare-mongering garbage, and I don't say that lightly. Some of the horrible things TikTok is supposedly doing:

* Using Java reflection (which almost everyone does)

* Webview (many of your apps are just thin webview wrappers)

* Log device information (uh, logging things like the OS version for diagnostics and metrics is perfectly normal)

The paper uses the word "monitoring" appearing in a debug message as evidence that the app is built to spy on users. Here's the log message that they want to claim proves TikTok evil-doing:

    AFlogger.afInfoLog("Turning on monitoring")

Uh, the word "monitoring" has plenty of perfectly innocuous uses, e.g., monitoring memory use. If this thing really were trying to monitor user behavior in some sneaky way for the CCP, why the hell would they log about it, in English?

In another section of scare-mongering, these "researchers" try to cast aspersions on the app calling the Java equivalent of system(3) to run a subprocess. Uh, so what? That's also a fairly common thing to do on Android --- people use it to, e.g., run logcat for diagnostics (logcat filters the logs to only ones from the running UID, so there's no privacy leak).

In yet another section of scare-mongering, the document suggests that TikTok's use of MD5 is some kind of deliberate back-door. No, it's probably just like every other use of MD5 these days: some junior developer who hasn't kept up on the recent MD5 attacks.

Yes, TikTok ignores TLS errors. That's just shitty programming. But like the MD5 thing, I'm going to chalk it up to just shitty coding, not some kind of deliberate spyware backdoor. This code would certainly not pass my code review. But I see no evidence of malice. These are errors that junior developers make everywhere.

There's also a SQL injection. The researchers haven't shown that the inputs to the SQL query are unsanitized, and even so, injecting SQL from a UI text box to the local SQLite database is no big deal. The user owns the device! It's certainly not evidence of some kind of nefarious backdoor.

On top of all of that, the app is sandboxed, like every other Android app. Even if there were some ultra-mega remote code execution facility wired directly to Xi Jinping's desk, there'd be minimal risk, because the app couldn't look at the rest of the system! This whole analysis is aggressively, painfully, and conspicuously stupid. All this article tells me is 1) TikTok's software engineering team is too junior, and 2) people really, really, really want to believe that the app is evil.

This execrable article is one of the worst security reviews that I have ever read, and I've read a lot of them. It makes me yearn for the days of Colin Powell bullshitting the UN about Iraqi yellowcake. At least Powell didn't make 6th grade writing and logic errors.

This is "so if she weighs the same as a duck...she must be a witch!" level of analysis. https://www.youtube.com/watch?v=z5iMhHCGuOI
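The comment above argues that a SQL injection into an app's own local SQLite database is a code-quality defect rather than a backdoor. As an added illustration (not code from the comment, the white paper, or TikTok), the following Python script builds a local SQLite table with constructed sample rows, runs a lookup that splices a UI string straight into the query beside one that binds it as a parameter, and shows that only the first form lets the string change the query's meaning. Python's sqlite3 module stands in for Android's SQLiteDatabase here; the table, rows and input string are all made up for the example.

```python
import sqlite3

# Constructed sample data standing in for an app's local per-user table.
SEED_ROWS = [
    ("alice", "alice's private note"),
    ("bob", "bob's private note"),
]

# Constructed UI input: a value that is also valid SQL when glued into a string.
CONSTRUCTED_INPUT = "alice' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT NOT NULL, body TEXT NOT NULL)")
    conn.executemany("INSERT INTO notes (owner, body) VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def notes_for_owner_unsafe(conn: sqlite3.Connection, owner: str) -> list[str]:
    """The defect: the UI string is concatenated into the SQL text, so it is
    parsed as SQL grammar rather than treated as a value."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def notes_for_owner_safe(conn: sqlite3.Connection, owner: str) -> list[str]:
    """The fix: a bound parameter. The driver hands the string to SQLite as a
    value; quotes and keywords inside it never reach the parser."""
    sql = "SELECT body FROM notes WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def compare(owner: str) -> dict[str, list[str]]:
    """Run both lookups on a fresh database and return their results so the
    difference can be checked programmatically."""
    conn = make_db()
    try:
        return {
            "unsafe": notes_for_owner_unsafe(conn, owner),
            "safe": notes_for_owner_safe(conn, owner),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for label, rows in compare(CONSTRUCTED_INPUT).items():
        print(f"{label:6s} -> {rows}")
    # A plain name behaves the same either way; only the crafted string differs.
    for label, rows in compare("alice").items():
        print(f"{label:6s} (plain) -> {rows}")
```

With the crafted input the concatenated form returns every row in the table because the `OR '1'='1` clause became part of the WHERE expression, while the bound form returns nothing because no owner is literally named `alice' OR '1'='1`. On Android the same fix is to pass the value through the `selectionArgs` parameter of `SQLiteDatabase.rawQuery` or `query` instead of building the SQL string by hand. The scope of the defect is what the comment says it is: the attacker and the victim are the same person typing into their own app, so the realistic consequence is a crash or corrupted local data, not an exfiltration path.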