TikTok Can Circumvent Apple and Google Privacy Protections and Access Full User Data, 2 Studies Say (Exclusive)


The popular Beijing-based app has “carte blanche” in gathering users’ data, cybersecurity experts say


TikTok can circumvent security protections on Apple and Google app stores and uses device tracking that gives TikTok’s Beijing-based parent company ByteDance full access to user data, according to the summaries of two major studies obtained by TheWrap that appear to confirm longstanding concerns raised by privacy experts about the popular video-sharing app.

The studies, conducted by “white hat” cybersecurity experts who hack for the public good, were completed in November 2020 and January 2021. TheWrap was unable to verify the original studies, but reviewed the conclusions and confirmed them with five independent experts.

When asked by TheWrap, reps for TikTok — whose parent company ByteDance has had ties to the Chinese government — declined to confirm or deny the validity of the research.

The summaries of the studies, shared exclusively with TheWrap, suggest that TikTok is able to avoid code audits on the Apple and Google app stores. More alarmingly, the research found that TikTok is capable of changing the app’s behavior as it pleases without users’ knowledge and utilizes device tracking that essentially gives the company and third parties an all-access pass to user data. This is highly unusual and exceeds the abilities of U.S.-based apps such as Facebook, Twitter and other social media platforms.

“These dynamic properties allow TikTok carte blanche access to your device within the scope of what the application can see,” said Frank Lockerman, cyber threat engineer at cybersecurity firm Conquest Cyber who reviewed the two “white hat” studies. “The TikTok browser not only has access to convert from web to device, but it also has the ability to query things on the device itself.”

Third parties and advertisers can end up tracking TikTok users over time across devices and installs, according to the summary of a white-hat cybersecurity group’s January 2021 study obtained by TheWrap.

While TikTok contends that its methods are standard, especially for social media apps relying on ads, both the researchers and independent experts say that the app’s code makes it much harder to monitor. “Consequentially, just because the application doesn’t do anything bad today, doesn’t mean that it won’t do bad things in the future,” one study said.

After reviewing the studies’ findings, Russ Jowell, mobile development expert at BestApp.com, said that it is difficult to know the full extent of TikTok’s data mining capabilities and intent. But overall, he said: “It seems to me that ByteDance has gone to monumental lengths — possibly more than Facebook, Twitter and other social networks — to conceal the inner workings of their app.”

A spokesperson for TikTok declined to address the studies directly, but told TheWrap that the company adheres to app store policies, adding that its product meets information security standards in the U.S., the U.K., Ireland, India and Singapore and recently received certification by the ioXt Alliance for meeting standards and commitments to cybersecurity and transparency. In fact, TikTok said it works with the ethical hacker community and researchers through a program called HackerOne to test its product.

“The security and privacy of our global community is always a top priority,” the company said in a statement provided to TheWrap. “Staying ahead of next-generation cyberthreats requires continuously strengthening the security of our platform, which is why we continually work to validate our security standards and collaborate with industry-leading experts to test our defenses.”

Nonetheless, some countries have made their own decisions regarding TikTok. The app itself is not available in China, and India banned it in 2020 over national security concerns.

After former president Donald Trump attempted to ban the Chinese-owned app as part of his executive order in 2020, the Biden administration last June dropped the outright ban but is now considering new regulations that would affect foreign-owned services, namely TikTok. The proposed rules from the Department of Commerce would add criteria for Commerce Secretary Gina Raimondo to consider when reviewing software that poses an “undue or unacceptable risk.”

In a short time, TikTok’s popularity seems unstoppable, more than doubling U.S. users between 2019 and 2021, to 78.7 million. The social video app is gaining at speeds that threaten the growth of 18-year-old Facebook and its younger platform Instagram — both of which are losing the fight over younger users. Last September, TikTok hit a milestone of 1 billion monthly users and is on track to gain more Gen Z users than Instagram and more total users than Snap by 2023, according to eMarketer estimates.

Despite growing interest in regulating the company, TikTok remains a major platform for creators and companies to penetrate the millennial and Gen Z markets. Plus, the app is starting to attract more older users even as it explores making the leap to TV screens. In March 2021, the platform’s reach among users aged 35 to 44 doubled to around 18% when compared to the previous year, according to Comscore. Those aged 45 to 54 accounted for 14.6% of total unique visitors during that period, and those 65 and over accounted for 3.5%, tripled from 2020.

Representatives for Apple and Google didn’t respond to TheWrap’s requests for comment.


Under the hood

In examining TikTok’s source code in 2020 and 2021, the two studies examined how the app collects data on contacts, device ID and clipboard actions and conceals data being sent to and from TikTok’s servers. TheWrap was not able to obtain the full text of the two studies, but spoke to five independent experts who reviewed the results.

The studies show TikTok uses device IDs — numbers and letters identifying individual devices — for ad integration, which means advertisers can end up tracking people over time across devices and installs. “Once one advertiser has a device ID that’s correlated, all privacy is gone,” one report noted.

Referring TheWrap to its FAQ page, a TikTok rep said: “The TikTok app is not unique in the amount of information it collects, compared to other mobile apps. In line with industry standards, we collect information that users choose to provide to us in order to improve the experience people have on our app. Also like our peers, we constantly update our app to keep up with evolving security challenges.”

Examining the backend, researchers also found that the app essentially acts like a web browser. It uses a JavaScript bridge (JavaScript being the programming language for the web) to pull the app directly from TikTok’s servers when it’s launched. This makes the security of the app hard to assess, because what is pulled can keep changing, according to Lockerman at Conquest Cyber. Theoretically, it also means TikTok can change its app behavior dynamically or test certain things on the fly without pushing an update to users.

“This has great significance to the security of the app, because the state of it cannot be determined by static analysis of the app alone,” Lockerman said.

One white-hat security group’s Android analysis of the TikTok app from January 2021 shows how the code’s use of many native libraries thwarts Google code analysis.

Because the code uses many native libraries, it can “thwart Google Store code analysis using these libraries,” Lockerman explained. This makes the app harder to reverse engineer, as the code doesn’t rely on system libraries already made available to developers. In coding, libraries are sets of code used for specific tasks. And by effectively running as a web app, the app is capable of circumventing Apple and Google code audits, the research said.

TikTok maintained that its app is not a web browser that can be rewritten constantly and restated that it follows Google and Apple store policies. The company said the app does operate by pulling server data, such as the latest configuration settings, but that this is standard practice to ensure its performance.

Apple and Google’s app stores are known to be very strict in implementing measures to protect users from illegal activity, fake apps and other potential dangers. Countless apps have been banned for disguising themselves as tools, such as photo filters or camera scanners, with the intent of scamming users and going after their money and personal information. The Android app store, for example, enforces guidelines on app permissions, user experience and overall accessibility to maintain high-quality apps.

On the Apple app, the studies indicated TikTok made its own version of a video player presumably to ensure the code runs properly — but Lockerman said it’s also likely used to hide things. Additionally, the app relies on a “prefetch system” to load up multiple videos simultaneously in the background while the user is watching. This improves speed, which is in large part what makes TikTok so successful at getting users hooked. By tracking how long users linger on content or which videos they rewatch, TikTok’s algorithm can “learn” people’s interests and drive engagement much faster than its rivals.

TikTok explained only that it created its own video player to optimize performance for users.

It’s also worth noting that a study investigating the source code of an app is an analysis of that point in time. Apps are updated often and corrected through patching.

So is TikTok safe to use?

In terms of personal safety of TikTok users, the concern is less about vulnerabilities that researchers found on the app than what TikTok is doing with all this information it gathers, Jeff Engle, president of Conquest Cyber, told TheWrap. The potential danger, as is the case with all apps tracking user activity, is the risk of threats from external actors and the compromising of user data.

“As with any social media, if you are not paying, then you are likely the product,” Engle said. “The data you give, which almost always is more than users realize, can be hijacked, but that is an individual risk analysis on a user-by-user basis. The collection, control of distribution and manipulation of any social media makes it a powerful weapon.”

However, experts note that TikTok’s data mining may be no worse than that of major social networks like Facebook — the difference is in what TikTok then does with the data. A study in January by mobile marketing company URL Genius comparing 10 social apps suggested TikTok was the top app collecting user data, such as IP address, location and search history, to share with third parties that can continue tracking across other sites even after you close the app.

TikTok is actually the international version of social app Douyin, which was released in China in 2016. A year later, parent company ByteDance launched TikTok outside China after merging it with another of its apps, Musical.ly. In fact, TikTok’s former employees have raised concerns over the control of its parent company and its ability to access American user data.

While Facebook users voluntarily fill out personal information on their pages, from their education to where they live, TikTok’s data collection is less obvious to the everyday user — the app records how long you stay on a video, who you engage with and what topics and content you rewatch the most.

Acknowledging TikTok’s rising influence, Jowell said it’s unlikely these privacy concerns will cause people to delete the app altogether. But from a security standpoint, his advice is to avoid posting content that contains any personally-identifiable information and to change the settings and outfits you use in your posts. “Always remember, hitting that send or upload button is akin to your kids leaving the house when they are grown,” Jowell said. “Once you do it, you no longer have full control of that piece of content.”

Editor’s note: This story has been updated to reflect that TheWrap did not obtain the original studies, but was given the conclusions to the two studies and submitted those to five independent experts. TheWrap regrets any lack of clarity.
