I don't doubt at all that TikTok is super shady, but
> I'm getting a lot of DM's asking me to prove the majority of this with a paper and snippets of the offending code. I have a decent amount of my notes on my other laptop that recently had a motherboard failure and the majority of that data is on the laptop's SSD. It's a macbook pro, so recovering the data isn't exactly super simple. I have some frida scripts that I pushed to my git server as well as some markdown files + conversation logs I've had with exploit devs, but not much else. In order to get everyone the proof they require, I'll likely need to reverse the app all over again which isn't something I have time for right now.
Could also be that they never expected this to blow up. If they were just doing it for fun, why bother taking backups? It seemed like when this first started making the rounds a few weeks ago, they were just talking about it in passing, but people kept asking questions and it became A Thing(tm)...but that may not have been the plan at the start.
especially after claiming "There's also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary."
I checked quickly tiktok apk, but couldn't find the relevant part.
Most possibly, he is mixing some bridging functions which are mapping functions or resources from dex files. (such as https://github.com/alibaba/ARouter, which I suspect tiktok uses)
such as:
@Route(path = "/test/activity")
public class YourActivity extend Activity {
...
}
My 2013 MacBook Pro Retina recently died too, but anything worth keeping or working on was stored in free-tier Dropbox, which has multi version history too.
And I'm just a dumb boiler-maker / welder.
It seems absurd to me that anyone with half a technical clue wouldn't use some kind of off-device / off-sit backup.
To be honest - I know I should - but I don't either.
Lots of people with technical clue's are also lazy as fuck about doing uninteresting work like setting up proper backups. Also somewhat paranoid about putting backups on other peoples infrastructure like dropbox (especially unencrypted).
Overconfidence. We somehow cling to this absurd notion that we're capable enough to perform an emergency recovery if necessary. Never mind that we've already experienced the difficulty of losing data one way or another, the delusion yet persists.
I just wish affordable tape drives never disappeared.
Can confirm. I have a server in my basement with 10TB+ of storage, sitting mostly empty, and I still don't have backups configured. Screwing with servers is fun and interesting, but configuring backups isn't.
I'm a software engineer, my work is done on work VMs, all my personal projects (coding and music) are done locally and not backed up. I occasionally copy my entire SSD over to a large HDD, but haven't done it for a couple of years.
It's entirely plausible.
You're a software engineer that doesn't use github or even bitbucket to store your personal project code? Not even a googledrive, dropbox, box.net sync services?
Setting up proper backups for my systems has been on my list for like 25 years at this point... A few months ago I found the backup I had set up hadn't run in 18 months (luckily, before it was needed).
Definitely get what you're saying, but knowing things unfortunately doesn't mean putting that knowledge into use.
I don't know if the guy whose dog ate his homework actually did the homework.
But I know that as a system administrator/security analyst I've had to push back HARD against some really stupid the things the development team wanted to do. And I'm sure the development team thought I was stupid for requiring things like auditable artifacts, limited permissions for developers, and daily backups. They wanted to push out code as quickly and easily as possible.
Knowing tech doesn't necessarily mean adhering to the platonic ideal of 'computer best practices.' This is actually the root cause of most security breaches.
...plus, the family pictures you had on your personal laptop are probably worth a lot more than a lot of the code out there that isn't being backed up. ;)
It's not that I don't want to be good at backing up my files, it's that the ADHD makes it very difficult. Thinking about backing up my files is so incredibly boring that I end up getting about 2% through it before I inevitably find something more stimulating to do.
Just order a pizza or a call-bride; you must have something else except a _single computer_ to do. Read a book; switch over to either of the other 16 computers and or screens; it's just a suggestion. Everyone needs backups; two copies are none; three copies are one. doesn't matter what 'diagnosis' you have; it's still the same truth.
I just don't understand this POV at all, I mean it's like two seconds of work with systems like crash plan and other automation tools. You keep everything in one master folder called /myprojects, then point the automated back up system at the directory and done. I have everything in there from blender projects, to code, to sheet music transcriptions.
I don't bother with backups of anything except a clean, freshly installed OS and my laptop immediately after purchase (I only bother with these mainly because Microsoft expired my MSDNAA keys, preventing reactivations when I was still in college, and I don't trust them not to do it again). Anything important is stored in cloud storage accounts, yes, but to me, mp3 rips of my CD music connection aren't important; neither are saved games, data from class assignments 10 years ago (I have printouts and final CD presentation), etc. If my computer died, I'd be out quite a bit of data I, personally, simply don't care about--including signing keys for several software repositories, multiple versions of compiled software used for creating delta updates, and other things that people other than myself might care about. I would have a ton of work to do to regain most of this data (ripping CDs, redownloading data, cloning and building software) but most of this data simply takes up too much space to keep backed up.
I will say this: box.net's webdav support is quite useful if you want cloud storage without a client like Dropbox, OneDrive, etc. I have having a background process constantly running just so I can keep up to date files that never change, and that I either don't need locally (backups) or are too large to want multiple copies of (CD images), or get locked/constantly modified (browser profile).
>My 2013 MacBook Pro Retina recently died too, but anything worth keeping or working on was stored in free-tier Dropbox, which has multi version history too.
Except Dropbox has stopped supporting encrypted linux filesystems, and Box doesn't support Linux.
>It seems absurd to me that anyone with half a technical clue wouldn't use some kind of off-device / off-sit backup.
For most technical people I know, having data on an unencrypted disk is unacceptable. They wouldn't accept a scenario where a thief steals their laptop and simply has access to all their files. They wouldn't accept that risk just because a convenient "backup" service suddenly stopped support. They'll simply back data up another way.
I don't know what the lay of the land is for Mac/Windows users.
As I say, these services are as useful as the services they replaced 15 years ago from my perspective.
>Since when is MacOS using encrypted linux filesystems?
I fail to see where in my comment was anything related to "MacOS using encrypted linux filesystems" which, as of itself as a sentence, is confusing.
My comment's parent was explaining that anything worth keeping was worth backing up, and how easy it was to set up back-up even for someone with the commenter's skill level, using services like Dropbox.
My comment was explaining that certain users who have encrypted filesystems on Linux cannot use Dropbox, for Dropbox stopped supporting them around November 2018, which makes Dropbox unusable for these users who have to come up with back-up schemes excluding Dropbox or Box.
You quote [..]My 2013 MacBook Pro Retina recently died[..] on which you answer something with Linux. The TikTok-Guy was using a Macbook too. So what relation have dead Macbooks with whatever state has dropbox under linux? Nobody here talked about linux except you. Your comment is just very random.
BTW Dropbox works fine under linux, just not in all setups.
Larry Wall said one of the virtues of a programmer was laziness, a really great lazy programmer would set up all the backups needed to make sure they would never have to do all the agonizing work if something went wrong, but just a middling virtuous programmer might be too lazy to set up all those failsafes especially if they were just doing a project for personal reasons, then if things go wrong they can just decide not to do the work needed to recoup things afterwards - because of laziness.
> anything worth keeping or working on was stored in free-tier Dropbox
That's great that you have 5GB (or less) of backup-worthy data.
For anyone else like you, that's the simple and happy solution that solves the problem well enough, and you're done.
What about if you have more than 5GB? What about if you have privacy concerns? What if your offsite backup is an offline backup and you can't access it due to a pandemic restricting access and travel?
All of the above impacted me and my ability to keep my backups going, and I've had to think about how to rebuild my backup strategy, as I've lost access to the remote site where my offline backup disks are stored.
Doing small backups is easy if you just want another copy somewhere else.
Doing bigger backups on a long term sustainable basis for large amounts of data with privacy requirements is less easy.
Anyway, you deserve a cookie for having done a backup at all. You're doing better than many.
I use a free dropbox for things I think are worth keeping too, but that doesn't include random code and explorations. Those usually go into a local folder and get upgraded to a git repo if appropriate.
Most of the stuff I produce is random garbage that isn't worth keeping. There's a good chance that this guy didn't think he had anything particularly interesting or worth keeping. Once you feel you understand how the app works, you don't really need the work you put into figuring it out anymore.
It's a smoking gun, and there's a lot of people that have the ability to replicate the "study" and present their findings. That's the scientific method; don't trust the findings? Do your own investigation.
It is not "smoking gun", it is not scientific, it is not even "study". This is more likely screaming "fire!" in theatre.
Also what you suggested is not symmetric, let me explain:
- There is a claim tiktok is downloading some zip file, extracting and executing.
making this claim is almost free, for me to claim otherwise, requires to reverse engineer all the app, then check 100s of possibilities to execute code in android app.
For example I took a quick look, and couldn't find anything related to this claim.
Also I checked reports from some "security" companies, there is nothing concrete there too. Mostly they talk about some SDK from appsflyer, which is used by a lot of apps, getting a lot of data, including IMSI etc (which is a US company btw)
But if you still ask me if it is running downloaded code, I cannot say 100% certain "no".
I believe claims should need proof, not the other way around.
Doesn't even matter if it's a lie or not. It's 2020, if you fail to back up your stuff and it gets deleted, then it never existed and you're a liar if you say it did.
The "private data" the app collected, is used, for most part, fingerprint the unique user.
In every MCN app, there was a huge fake user problem. If an app collect zero identifiable fingerprint, then a spammer can easily fake millions of views and manipulate ranked content. The app developers are asked think clever to collect every piece of info they can, while spammers spent night and days spoof every parameter in a virtual machine or even on a matrix of remote controlled real phones.
For example, if a iPhone 11 user logs in, but only with screen resolution of 320x240, is it legit? I have caught tens of thousands of fake users with simple checks like this. However the tricks expires pretty quickly, you have to move on with new feature checks, together with decision trees and bayesian networks.
Some of the fingerprint collecting SDKs are even using native code to check some ARM specific instructions to tell if the device is fake or not. The parameters check had to be done in every important API calls, or spammers can easily pretend be good citizen during parameter checking process and swap the session to a cheaper VM/phone or spam the targeted API with scripts.
Chinese companies all have their own team dealing with frauds or spamming on daily basis, the same way as everything can be faked in China.
Think cyber attacks from Chinese IPs are bad? Now imagine doing business in China and all users of your product are bots, what methods do you have to filter out the real human users? Good luck.
Many ads network SDKs are collecting user data in the same way. Otherwise it's easy to spoof fake clicks and page views.
I not stating if it's the right or wrong thing to do, I am just saying it's how things are done in current state of business.
"Other apps you have installed" is also extremely revealing about the user's interests and thus very valuable for ad serving. And equally privacy invasive. Think about pregnancy tracker or religious scripture apps. The OS should not expose this data within the sandbox of other apps by a different developer.
> "Other apps you have installed" is also extremely revealing about the user's interests
Yes, ads SDK across different apps can provide detailed aggregated information. Also apps promote each other, the "channel distribution" is huge business and relies on apps acknowledge each other.
I highly doubt many of the Tiktok reverse-engineering result may turn out to be some thirdparty ads or anti-fraud SDKs which Chinese companies use often.
Yes, the ads SDKs are another thing that are ripe for "disruption". And by disruption, I mean the DPAs fining and every app developer that uses any of them until the SDKs stop doing that.
I think it's best to try and eliminate prejudice as much as possible, but it is weird when it turns out that the reason your server is down is because the Taiwanese version is being attacked by Chinese IPs.
People deeply immersed in some technical niche or subculture tend to use acronymms and other jargon unconsciously.
That said, unexplained acronyms (I also wondered and found no likely definition in a DDG search) are an exceeding poor communication practice.
Any kind of system where you can translate http requests to money will have a problem with fake users. Might be click fraud for ads, sending spam to web forums, or liking YouTube videos to get the videos recommended.
For some of these operations, you can just work off of the content. Spam messages need to advertise something, so the text needs to look very different than for legit posts.
But something like an upvote or like? It's a single bit of information, you can't say if it's legit or fraudulent in isolation. So then you need to come up with additional signals to cluster on from wherever you can.
Some of it will be behavioural (these 10k users only liked these spammy videos), but a lot of it has to be environmental.
Posting blatant spam message got removed by NLP pipelines, spammers evolves to be more implicit, for example, the avatar of the user contains an image of crypto currency ad, then the spammer "liked" your video. You got a notification, and you noticed his/her avatar.
I can confidently say, having rubbed shoulders with the botting / gold farming / hacker community in China that it is HUGE. Like YYYUGE! back when the whole ride hailing industry was still in a subsidy war, you had drivers who were spoofing their rides to get kickbacks from didi/Uber. Pinduoduo suffered a pretty big loss a while back from not accounts scalping subsidies. I have friends in my wechat who used to share their huge walls of remotely controlled phones. So yes it is a huge problem in China. There is even a phrase for it, 撸羊毛
I worked on a social platform some years ago, when it the population was somewhat 'mature' after inital growth spike, then the majority of new signups were fake. "Cleaning up" fake accounts was a big part of the job for the customer service team, as well as automation tools to suppor that task.
If visibility on your platform is somewhat commercially relevant, then you will have lots of people pushing fake accounts for various goals. And if you ignore them, then the more technically competent ones will set up offers to sell access to fake accounts on your platform, so that they will be abused also by actors who don't have the ability to create thousands of fake accounts on their own.
Chinese can recycle real iPhone/Android devices at minimal cost. Anyone can rent a fleet of real devices, then RCE software can execute any kind of task you want on a real app on a real phone. So even Apple or Google provide some kind of unique id, e.g. iOS already have something like identifierForVendor, the spammers emulate a real user's app download, registration, login process, thus obtaining a real ID. So what can you do about the ID?
So the obvious solution is to check for more user information beyond a simple ID. Your IP, mac address, wifi router address, other process the OS is running, device parameters, etc. and privacy is f??ked in the process.
They have (had?) uniqueIds. But they don't solve the problem of identifying real users. You can simple fake them or take a real one from somewhere. Information-Density of a single value is far to thin to be a reliable indication on whether someone is a real human or just a script.
The worst part about this is that it does not require GDPR consent because it is genuinely necessary to store such client data (to detect fake accounts). Same as you don't need GDPR compliance to store someone's address in an online store just to deliver a package to them.
For any personal data collection, explicit consent from the user is required. An online store can only collect data necessary for the purpose of the service. So it has to ask for my explicit consent to legally collect personal data required to deliver a package like for example my name, address and phone number, but can't ask me about say, my marital status or religion.
Any ideas as to why Apple and Google aren't held accountable for providing trusted means of identifying users as human beings? They aren't banning TikTok because they know that there isn't malicious intent and that TikTok is doing the dirty, but necessary work.
There has been a lot of bash on TikTok recently. TikTok is by no means good, but I'm yet to see it proofed much worse than counterparts from Western companies.
A lot of videos and articles make me feels more like pure anti-China sentiments, just like many similar campaigns did to Huawei last year.
It's fine call out the risk in terms of personal privacy, or national security.
It's also fine to have and express anti-China sentiments, since everyone has his/her own opinions.
But it annoys me there are a lot of people charging with only assumptions, or play double standards just to make every Chinese business or Chinese person looks evil. It's just hypocritical.
I'm yet to see it proofed much worse than counterparts from Western companies
Telling people that TikTok is doing some shady stuff doesn't mean other companies are better. It's not a competition to see which company is good and which is bad. Every company that employs user tracking should be highlighted and asked to stop, and users should be informed about what the company is doing, no matter where the company is based.
If it could be proven that every social media app is covertly tracking users that would not mean TikTok is good. It would mean every social media app is bad.
But here, no proof was provided at all. It's just accusations. Whenever there's an article about privacy issues with Facebook, WhatsApp, Google etc. there's in most cases a real name attached to the findings, and in all cases detailed information on what is leaked, how it is leaked, snippets of reverse engineered code, etc.
In this case we have a random reddit shitposter calling himself an expert, making wild accusations.
It's not about "which company is better", it's about holding them up to the same standards.
I don't think they're off the mark with linking the reckless exuberance about this post to anti-China sentiment. Distrust and outright hostility has grown substantially over the past 18 months, particularly on reddit. It's a mix of anger at Hong Kong protests/crackdown, fears of espionage (particularly involving Huawei), and mistrust with COVID-19.
There was a huge shift in reddit's demeanor (and uses of "fuck China/fuck the CPC" etc) once the Hong Kong protests got going. COVID-19 (and its associated conspiracy theories) seems to be what brought that sentiment more mainstream.
Well in the latest iOS update it was found that they are copying all clipboard data on your device constantly (even in other apps), so that’s shady as fuck.
Any user with a password manager has probably disclosed that to them.
What I saw was people talking about how lots of apps check what type of content is on the clipboard in order to adjust what they show the user (e.g. if the user has a photo on their clipboard make it easy for them to attach it). At least at the time I saw the post about this there was no evidence TikTok was actually harvesting the copied data itself.
And what exactly would they want with arbitrary passwords anyway? Using them would basically destroy their business as soon as anyone figured it out, and selling them would not remotely be worth the risk.
Since it makes very little sense to check more than once after opening the app - other apps don't randomly put data into the clipboard in the background (I guess they could snag something from a Mac over Handoff but that already pops up an invasive system progress bar giving away the game) - I'm going for incompetence over malice.
Maybe not even incompetence. It could just be that some sort of periodic UI refresh triggered the clipboard lookup, because why bother caching clipboard data if you can just read it on the fly when updating your UI?
FWIW I discovered yesterday the Slack app is doing this too (at least if there’s images on the clipboard), as is the Kaiser Permanente app. TikTok is not remotely unique in this regard.
Western Companies are only aim to take your money, but they rarely cooperate with the state. China on other side is known to have tight control on their companies and doing all kind of shady stuff which goes far beyond anything that is allowed for western governments.
Bein critical toward something which potential aims for your soul is legit IMHO.
Here's what I don't get about this.. I've seen all these various claims, and to be frank I did uninstall tiktok just recently as I only enjoyed it for about a week or so then lost interest, and there's all this stuff coming up about it....
All these claims I see sound like EVERY SINGLE APP could be doing the same thing. Are both iOS/Android really that exposed that they can just get all of this info without explicitly asking for permission? If they are bypassing shit and recording your mic under the radar.. how the hell would apple/google be letting a billion user+ app be doing this?
Every single app could be doing the same thing. They ask for pretty broad permissions for purportedly innocent reasons but once given that access they can use it for anything they choose. This happens because even tech educated people (as you'd expect on HN) insist that they want to sacrifice privacy if it brings functionality [0]. A regular user is probably completely unaware that this could even be a problem. From their perspective they're just getting cool features for free.
So, TikTok on my (Android) phone has a grand total of zero permissions. And even if it is able to download and run some code, isn't it running in a sandbox? I don't really understand the panic here...
While the app might not be able to harm your phone, your grandma or daughter might not be as tech savvy and grant permissions more freely. Also, even though sandboxed, if you can download and run u known code on the devices of billions of users, you have a very large phone-botnet at your disposal of you ever need it
Even if it wasn't your intention, it sounds like you're implying tech savvyness is exclusive to men...please try to be inclusive, this industry needs it so much.
surprised people are so willing to accept these claims without proof, especially here, where I imagine the number of people who could actually do the work this person claimed to is disproportionately high
So is the primary concern about the lengths TikTok goes to scrape user data? Or more-so that it's a Chinese company scraping user data?
I'd assume apps like fb/twitter/snapchat/etc scrape just as much. And since the US gov basically forces them to install backdoors, isn't that worse than this whole TikTok privacy conversation? Maybe I'm missing something though.
> I'd assume apps like fb/twitter/snapchat/etc scrape just as much.
The author claims otherwise:
“For what it's worth I've reversed the Instagram, Facebook, Reddit, and Twitter apps. They don't collect anywhere near the same amount of data that TikTok does, and they sure as hell aren't outright trying to hide exactly whats being sent like TikTok is. It's like comparing a cup of water to the ocean - they just don't compare.”
I said this before on the previous thread. Without knowing the author's background, you can't trust his claim. Either he provides reproducible evidence or has something backing up his claims.
>> I have a decent amount of my notes on my other laptop that recently had a motherboard failure and the majority of that data is on the laptop's SSD. It's a macbook pro, so recovering the data isn't exactly super simple.
Isn't it an excellent sample of "the cat ate my code" excuse?
From a legal perspective, it seems that Tiktok is mostly (but not completely) covered. They mention these activities in their privacy statement. The statement is not clear enough on what each individual activity is used for: they put a lot of activities under an umbrella reason such as "providing tech support" and "collection for analytics partners".
It doesn't make their activities right, of course. But it's debatable whether legally speaking, they are in violation of privacy laws.
I think they have a higher chance of violating EU privacy laws than US ones. GDPR is quite strict: you need to have a good reason for doing something, not merely mentioning that you'll do something.
I think it's also interesting to know that Tiktok's servers are in Singapore.
Not surprised at all, Tik Tok has clear ties to china and with all things china comes the governments control. chances are china was using Tik Tok as a global surveillance tool.
FISA courts at least require a judge to sign off and that judge often doesn’t give a shit about the exec branch. There are no balances in the CCP. They just inform the party representative at the company (all big companies have them) that X or Y needs to happen and it does or else the company gets shut down.
Well, FISC judges typically operate individually and deal in non-public hearings without giving opposing views a chance to be heard, with no oversight or anything.
Judges to the FISC are appointed by the Chief Justice without any further oversight and the Chief Justice is politically appointed as well. (A democratic process for nominating judges isn't easy,. but vesting the power into a single hand is questionable)
Also the low number of modified or rejected warrants is suspicious (the positive interpretation might be that warrants are well prepared and thus qualify)
For me as an foreigner to both cases, both approaches are problematic and I have no democratic influence over either process. And yeah, I trust US more to be aligned with my interests, but neither is a happy thing for me.
Valid point, but I prefer a democratic govt spying on me then a totalitarian govt with world conquer ambitions, and a history of suppressing minorities
Americans do the American Exceptionalism Poe's Law thing nonstop and I alternate between exhaustion and a sense of humor about it.
I mean, "a history of suppressing minorities" in the summer of 2020 is very funny. It does feel like Gen Z kids are aware of global events enough to not fall for this, so maybe it is ending.
The U.S. certainly invaded more countries and occupied more area than China. While mostly with support from larger number of countries (often incl. UN Security Council)
Patently false, the USA does not have conquer ambitions, all of its actions can be traced back to self defense from the beginning of WW2 to today.
China on the other hand, screams everyday how it wants to own taiwan. Aggressively threatens any country who dares to touch the south china seas, which it does not own.
But just to play devils advocate: It is highly likely that China have spies in Google and Facebook and probably USA have spies in Tik Tok and other big Chinese companies so both China and USA no matter what sw you use already know everything about you.
My best argument would be: We can't allow that authoritarian country become tech superior because that will make China economically stronger than USA and than politically which will result in destruction of democracies around world.
This is the 1950s though, infrastructure like Google's is surely to have logs and security teams. Unless they physically shove a USB into a production server and rip content. I'm pretty confident you could secure a data center, the only other way is to install sketchy processing chipsets that phone home or something.
You're probably right, they might have some sketchy way, but if you really wanted to see who is doing what with your data from within your data center you could really set controls to do so.
Out of all the differences between the US and China you chose to talk about imperialism and racism, some of the few things both have in common. Interesting.
Well, prism was about secretly added prisms on fiber cables, so yes you won't know.
Yes, your boss is not allowed to talk to you about national security letters, unless your specific involvement is needed.
I as an outsider can't tell and have to trust. For that I have to evaluate how important your site as a target for such measures is, how likely I am the target and how likely my data is just close to a Target's data and how much of it will be in a full data grab for later usage.
This guy's comment (prosound2000) pretty much tells it like it is:
> The problem here is Facebook, Instagram and Twitter are US based companies that are beholden to the government. While sure you have lobbying going on, they are ultimately separate from the government, and if are found in violation of certain laws will be prosecuted or at least brought in front of congress and can face stiff penalties in the US.
TikTok IS the Chinese government. They are beholden to no one. They can't break the law since they are the law.
Well, he almost has it figured out. We are all actually beholden to our governments. Even Apple allegedly held off on iCloud encryption because of FBI pressure, not to mention constant right-wing efforts to destroy encryption and force companies to insert backdoors. China has a stronger central authority (therefore easier to force companies to do things), but the US is itching to go that route as well. Fighting it means preserving an actual ideological backbone, rather than simply consolidate all power to destroy our enemies.
If we lose our sights on encryption, separation of our corporate entities from our government, then we are just China but in a different location.
4 days ago: https://news.ycombinator.com/item?id=23638129