Esther
Purple hacker, mobile security researcher, malware RE. (co)founder @defensive_lab, @PirogueTools, @ExodusPrivacy, @LaResille. - she/her

Mar 22, 2023, 13 tweets

🧵With the growing concerns about #TikTok, I finally decided to have a look at it. In this thread, I will cover a review of its privacy policy and a dynamic analysis of the Android app with @PiRogueTools, and explain its limitations.

First of all, TikTok's privacy policy is quite explicit regarding what data is collected. Obviously, it collects the information the user provides such as profile information, contacts, payment card information or other third-party payment information.

Next, it collects a wide range of information such as keystroke patterns or rhythms, IP address, approx. location based on SIM card, IP or GPS location. It also detects and collects characteristics and features about the media by identifying objects and scenery.

The platform also infers information such as gender or interests and certainly more based on what we watch, what we like, the location where the app is used, etc. The purpose here is to build a profile in order to “suggest" relevant content.

Next, #TikTok gathers information from partners without explicitly telling who they are. It gets from partners information such as mobile identifiers, email address (plain or hashed), user ID and actions taken outside of the Platform.

#TikTok not only gathers information from partners, it shares some too without listing them. The platform shares unlisted information with advertisers to provide targeted ads and share technical and usage information with data partners, analytics services.

The business model of #TikTok, #Facebook and others is based on the attention economy. The longer you stay, the more ads you see, the more money we make. This business model relies on targeted ads; thus, the platform has to collect a pile of info to build a profile as accurate as possible.

Now, let's jump into the dynamic analysis of the Android app. As you may know, the #TikTok app is heavily obfuscated and collected data is encrypted before transmission. The encryption is done in a part of the app that I was not able to instrument. So, let's grab the low-hanging fruit.

By running the app on a rooted device and using PTS's #PiRogue, it is easy to retrieve TLS encryption keys, AES/RSA operations, socket activity and stack traces. We are then able to decrypt TLS traffic and decrypt encrypted payloads, except for traffic directly related to #TikTok.
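As an added illustration of the kind of instrumentation this relies on (example code, not PiRogue's own and not from the thread): a Frida script that hooks javax.crypto.Cipher.doFinal(byte[]) on a rooted test device and logs the algorithm, the plaintext handed to the cipher, its output and the calling frame, so that each encrypted payload seen on the wire can be tied back to the SDK that produced it. The package name is a placeholder, and the toRecord() helper is a hypothetical convenience that also runs outside Frida.

```javascript
// Added example, not PiRogue's own code: a Frida script that hooks
// javax.crypto.Cipher.doFinal(byte[]) on a rooted test device so each
// encrypted payload can be tied to the code path (SDK) that produced it.
// Usage: frida -U -f <package.name.placeholder> -l cipher_hook.js
// toRecord() is a plain helper (hypothetical) that also runs outside Frida.

function toHex(bytes) {
  // Java byte[] elements are signed (-128..127); normalise to 0..255.
  var out = [];
  for (var i = 0; i < bytes.length; i++) {
    out.push(((bytes[i] + 256) % 256).toString(16).padStart(2, '0'));
  }
  return out.join('');
}

function toRecord(algorithm, input, output, stack) {
  // Keep only "at ..." frames and drop the Cipher frames, so the first
  // remaining frame is the caller that handed data to the cipher.
  var frames = stack.split('\n')
    .map(function (l) { return l.trim(); })
    .filter(function (l) {
      return l.indexOf('at ') === 0 && l.indexOf('javax.crypto') === -1;
    });
  return {
    algorithm: algorithm,
    inputHex: toHex(input),
    outputHex: toHex(output),
    caller: frames.length ? frames[0].slice(3) : 'unknown',
  };
}

// Only install the hook when running inside Frida's Java bridge.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    var Cipher = Java.use('javax.crypto.Cipher');
    var Log = Java.use('android.util.Log');
    var Exception = Java.use('java.lang.Exception');
    Cipher.doFinal.overload('[B').implementation = function (input) {
      var output = this.doFinal(input);
      // A fresh Exception gives the Java stack at the point of the call.
      var stack = Log.getStackTraceString(Exception.$new());
      send(JSON.stringify(toRecord(this.getAlgorithm(), input, output, stack)));
      return output;
    };
  });
}
```

Each record is emitted through Frida's send() channel, where it can be correlated with the decrypted TLS flows captured at the same time.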

After a quick look at the captured network traffic, it appears that the app embeds 3rd-party SDKs such as AppsFlyer or Google Firebase, as detected by @ExodusPrivacy. Note that AppsFlyer's SDK encrypts the data before transmitting it over TLS. It probably has something to hide.

AppsFlyer collects information related to the device such as sensors, brand, fingerprint, advertising ID, carrier, boot time, etc. We also find app usage data such as first launch and time between launches. This data collection is done without any consent or any other legal basis.

#TikTok collects a lot of info about the user, the user's content, activity, device… Embedded SDKs collect data too, as usual. While some data processing is legitimate, other processing, such as analytics and targeted ads, cannot be based on legitimate interest.

The user's consent is required BEFORE the data collection takes place. The Privacy Policy is not a contract and cannot be considered as such. The sole purpose of this document is to inform the user of the various processing of their data.
That's all!
