July 18, 2022
Viral video-app TikTok collects “excessive” amounts of data, according to new analysis of its source code, raising alarm about the volume of information and its security following an admission that staff in China can access the data of millions of Australian users.
TikTok checks device location at least once an hour, continuously requests access to contacts even if the user originally denies it, maps a device’s running apps and all installed apps, and more, according to a white paper by Canberra-based cybersecurity and intelligence firm Internet 2.0.
“The TikTok mobile application has been built with a culture that does not place privacy as a principle as most of the permissions and device information being collected are above necessary for the application to function,” the report said.
Internet 2.0 analysed the source code of TikTok on Android both statically and dynamically. On iOS it performed only static analysis, because of limitations that made the iOS app hard to study while running. Dynamic analysis tests and evaluates the app while it is running, while static analysis examines the code without running the app.
The firm’s analysis, based on studying the app’s data flows, said the iOS version “had a server connection to mainland China.”
TikTok rejected the assertion when provided with the IP address: “The IP address is in Singapore, the network traffic does not leave the region, and it is categorically untrue to imply there is communication with China. The researcher’s conclusions reveal fundamental misunderstandings of how mobile apps work, and by their own admission, they do not have the correct testing environment to confirm their baseless claims.”
However, Internet 2.0 responded and said that while TikTok was specific that user data was stored in Singapore and the US, its analysis found many subdomains in the iOS app resolving all around the world including: Sydney, Adelaide and Melbourne, New York City, Las Vegas, San Francisco, San Jose, Monrovia, Cambridge, Kansas City, Dallas and Mountain View in the US, Utama and Jakarta in Indonesia, Kuala Lumpur in Malaysia, Paris, Singapore and Baishan in China.
“During analysis we could not determine with high confidence the purpose for the connection or where user data is stored. The China server connection is run by Guizhou Baishan Cloud Technology, a cloud and cybersecurity company. The subdomain connected to the China server connection resolved in multiple locations around the world including in China,” Internet 2.0 said.
“The IP address resolving to locations records in China regularly changed, however, connectivity to Guizhou was visible across a number of different IP addresses. This was confirmed through the use of a number of security products and methods, including VirusTotal, Metasploit, SecurityTrails and sandboxing.”
Internet 2.0 said they did not find any direct server connections with mainland China in the Android app.
On Android, TikTok collects all other running and installed applications on the phone, which Internet 2.0 said “is an unnecessary function. Theoretically, this information can provide a realistic diagram of your phone.”
The analysis also found TikTok queries Android device GPS location at least once an hour and found that TikTok requests access to user contacts. If the user denies the request, Internet 2.0 said the user is continuously asked on a loop until access is granted.
“It is normal for an application to initially request access to contacts but TikTok’s persistent, endless harassment for user contacts access is abnormal. It reflects a culture that does not prioritise privacy or a user’s preferences for privacy,” the report said.
Internet 2.0 labelled TikTok’s access to a device’s calendar excessive because the app held persistent permission to read and modify the calendar even though it used the calendar only in special circumstances, such as a live event.
It also requests access to external storage: “This is a standard command for a social media application to store video and images. The aspect we list as excessive is TikTok doesn’t just retrieve the ability to see folders, it retrieves a list of everything available in the external storage folder,” Internet 2.0 wrote.
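The permissions discussed above (installed-app enumeration, contacts, calendar read and write, location, external storage) are all declared in an Android app’s manifest, which is exactly what a static review of the kind described earlier examines. The following is an added example, not Internet 2.0’s tooling and not TikTok’s manifest: it parses a constructed AndroidManifest.xml and flags the declared permissions that correspond to the behaviours the report lists. The permission names are real Android constants; the sample manifest, the category labels and the choice of which permissions to flag are this example’s own assumptions.

```python
"""Static permission audit of an Android manifest (added example).

Parses a constructed AndroidManifest.xml and reports which declared permissions
map to the behaviours described in the report. A real manifest would come from
unpacking an APK (for example with apktool); the one here is constructed.
"""
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> behaviour category. The permission names are real Android
# constants; the categories and the selection are assumptions for this example.
SENSITIVE_PERMISSIONS = {
    "android.permission.QUERY_ALL_PACKAGES": "installed-app enumeration",
    "android.permission.READ_CONTACTS": "contacts access",
    "android.permission.READ_CALENDAR": "calendar read",
    "android.permission.WRITE_CALENDAR": "calendar modify",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "background location",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage read",
}

# Constructed sample manifest for a hypothetical social app (not a real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.socialapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <uses-permission android:name="android.permission.WRITE_CALENDAR"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <queries>
        <intent>
            <action android:name="android.intent.action.MAIN"/>
        </intent>
    </queries>
    <application android:label="SocialApp"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list:
    """Return every <uses-permission android:name=...> value, in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            names.append(name)
    return names


def package_visibility_via_queries(manifest_xml: str) -> bool:
    """True if the manifest requests broad package visibility through a
    <queries><intent> filter on ACTION_MAIN, the Android 11+ mechanism that
    lets an app discover launchable apps without QUERY_ALL_PACKAGES."""
    root = ET.fromstring(manifest_xml)
    for action in root.findall("queries/intent/action"):
        if action.get(ANDROID_NS + "name") == "android.intent.action.MAIN":
            return True
    return False


def audit(manifest_xml: str) -> dict:
    """Map each flagged permission or visibility mechanism to its category."""
    findings = {}
    for perm in declared_permissions(manifest_xml):
        if perm in SENSITIVE_PERMISSIONS:
            findings[perm] = SENSITIVE_PERMISSIONS[perm]
    if package_visibility_via_queries(manifest_xml):
        findings["<queries> ACTION_MAIN"] = "installed-app enumeration"
    return findings


if __name__ == "__main__":
    for item, category in audit(SAMPLE_MANIFEST).items():
        print(f"{category:28s} {item}")
```

Declared permissions show what an app may do, not what it does at runtime; the report’s observations about hourly location queries and the repeated contacts prompt come from dynamic analysis, which this static check cannot reproduce. A manifest audit is nonetheless the quickest first pass for the “above necessary” question the report raises, and it catches the `<queries>` route to app enumeration that a search for `QUERY_ALL_PACKAGES` alone would miss.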
TikTok said in response: “The TikTok app is not unique in the amount of information it collects, which is less than many popular mobile apps. In line with industry practices, we collect information that users choose to provide to us and information that helps the app function, operate securely, and improve the user experience.
“Also like our peers, we constantly update our app to keep up with evolving security challenges and encourage our users to download the most current version of TikTok.”
The analysis, which has been circulated among Australian and US lawmakers in the past week, will spark tough questions as TikTok faces scrutiny following its admission to US Republican senators that China-based employees can access US user data. Over the weekend, TikTok announced its global head of security, Roland Cloutier, is stepping down effective September 2 and moving into an advisory role, as the company faces intensified scrutiny in the US.
Social media apps, in general, collect huge amounts of data, much of it deemed unnecessary by many privacy experts, largely to profit from driving further engagement and selling targeted ads. For example, Facebook Messenger was singled out by OpenDemocracy for its excessive data collection, which included name, email, location, user ID, iMessage, photos and videos, health and fitness, and more.
However, the admission that Australian user data can be accessed by employees in mainland China has raised concerns by politicians and security experts about the safety of that information due to reports and research on the links between ByteDance, TikTok’s parent company, and the Chinese Communist Party, and the spreading of propaganda and censorship.
“TikTok user data is stored in Singapore and the US, and we have been clear and vocal about employing access controls like encryption and security monitoring to secure user data, with the access approval process overseen by our US-based security team,” TikTok said.
“We continually encourage legitimate researchers to help validate our security standards, including industry-leading experts through reputable programs like HackerOne to help us test our defences.”
China’s National Intelligence Law of 2017 requires organisations and citizens to “support, assist and co-operate with the state intelligence work”.
Even though TikTok’s Australian executives stress that the company has never provided Australian user data to China, has never been asked for it, and would never provide it even if asked, governments around the world are also concerned that this legislation means an employee who has access to user data could be compelled to provide it to Chinese authorities without the company being aware.
“It was already worrying enough to recently learn user data is being accessed in mainland China. It is frankly alarming to discover exactly what data is being collected from TikTok users, and how much of it is unnecessary,” Liberal Senator James Paterson said.
“It’s hard to think of an innocent reason excessive data is being collected especially given it is obtainable by the Chinese government. The Albanese government must stop sitting on its hands and act to protect Australians’ cybersecurity and privacy.”
TikTok’s Australian executives have also been grilled about comments made by the then-chief executive of ByteDance, Zhang Yiming, in 2018 regarding technology needing to be guided by “core socialist values”.
The revelation about Australian user data came in a letter to Senator Paterson from TikTok last week, revealed by The Australian Financial Review, after he wrote to TikTok about his concerns.
Last week, the Financial Review revealed Senator Paterson wrote to Minister for Home Affairs and Cyber Security Clare O’Neil, asking her to “investigate the full range of regulatory responses necessary to protect the private information of Australians who use this platform.”
The US Senate Intelligence Committee wrote to the Federal Trade Commission last month asking it to open an investigation into whether TikTok had misled lawmakers about China-based employees being able to access US user data.