Baptiste Robert
CEO @PredictaLabOff | French Security Researcher, Ethical Hacking, OSINT

Jan 14, 2025, 13 tweets

Worried about a TikTok ban? Americans are now flocking to Xiaohongshu (REDnote), another Chinese app.

Spoiler: Yes, it tracks its users.

Time to dive in! ⬇️

When creating an account, you must verify your phone number by entering a code received via SMS.

The request sent to Xiaohongshu's server includes your phone number (of course), along with your IDFA and IDFV.

What’s an IDFA? The Identifier for Advertisers (IDFA) is a unique device ID assigned by Apple to every iOS device.

Many actors, like data brokers, use it to profile you, track your location, and more.

When the user is activated, both the IDFA and IDFV are sent again.

Because why send it once when you can send it twice, right?

Nearly every request sent to Xiaohongshu's servers includes the Xy-Common-Params header, which contains:
- Device ID
- Device Fingerprint
- Device Model
- Language
- Platform
- Teenager Status
- Timezone
- And more...

During the process, your device information is also sent to Xiaohongshu's servers, enabling them to fingerprint your device.

This request includes:
- RAM size
- Boot time
- IP
- Carrier
- Country
- OS version
- HW model
- Timezone
- Language
- IDFA (yes, again!)
- Disk size

Spending just 10 minutes on Xiaohongshu is enough to conclude that this app tracks user behavior and sends device information to its servers.
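If you want to check this on a capture of your own device's traffic, here is an added example (mine, not code from the thread or from the app): it walks proxied requests, counts how many of them carry each device identifier, and flags the all-zero IDFA you get with Personalized Ads disabled. The header encoding (URL-encoded key=value pairs), the field names and every value in the sample capture are assumptions.

```python
from urllib.parse import parse_qsl

# Apple returns this value for the IDFA when the user has opted out of tracking
# ("Personalized Ads" off), which is why it shows as all zeros in the screenshots.
IDFA_ZERO = "00000000-0000-0000-0000-000000000000"
# Keys that identify the device rather than the request (AAID is the Android analogue).
TRACKING_KEYS = {"idfa", "idfv", "deviceid", "fingerprint", "aaid"}

# Constructed sample capture: three of the requests the thread describes (SMS verify,
# account activation, device-info upload). Field names, the header encoding and all
# values are assumptions; a real capture would come from a proxy such as mitmproxy.
XY = "deviceId=dev-CONSTRUCTED-01&fingerprint=fp-CONSTRUCTED&platform=iOS&teenager=0&lang=en&tz=America/New_York"
SAMPLE_FLOWS = [
    {"path": "/sms/verify", "headers": {"Xy-Common-Params": XY},
     "body": {"phone": "+15555550100", "idfa": IDFA_ZERO, "idfv": "11111111-2222-3333-4444-555555555555"}},
    {"path": "/user/activate", "headers": {"Xy-Common-Params": XY},
     "body": {"idfa": IDFA_ZERO, "idfv": "11111111-2222-3333-4444-555555555555"}},
    {"path": "/device/info", "headers": {"Xy-Common-Params": XY},
     "body": {"ram": 6144, "boot_time": 1736800000, "carrier": "CONSTRUCTED", "country": "US",
              "os": "18.2", "hw": "iPhone15,2", "tz": "America/New_York", "lang": "en",
              "idfa": IDFA_ZERO, "disk": 128}},
]


def identifiers_in(flow):
    """Return {key: value} for every tracking identifier in one request's body or header."""
    found = {k.lower(): str(v) for k, v in flow.get("body", {}).items() if k.lower() in TRACKING_KEYS}
    header = {k.lower(): v for k, v in flow.get("headers", {}).items()}.get("xy-common-params", "")
    for k, v in parse_qsl(header):
        if k.lower() in TRACKING_KEYS:
            found[k.lower()] = v
    return found


def audit(flows):
    """Count how many requests carry each identifier and flag the IDFA opt-out state."""
    counts, idfa_values = {}, set()
    for flow in flows:
        for key, value in identifiers_in(flow).items():
            counts[key] = counts.get(key, 0) + 1
            if key == "idfa":
                idfa_values.add(value)
    return {"requests": len(flows), "counts": counts,
            "idfa_opted_out": bool(idfa_values) and idfa_values == {IDFA_ZERO}}


if __name__ == "__main__":
    for key, n in sorted(audit(SAMPLE_FLOWS)["counts"].items()):
        print(f"{key:<12} sent in {n}/{len(SAMPLE_FLOWS)} requests")
```

Any identifier that turns up in most requests is, by construction, a stable tracking key for your device, whatever the app calls it.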

Where is the information sent, i.e. where are the servers located?

They use Tencent Cloud CDN, which makes sense for a Chinese app.

Spoiler: User tracking is widespread across apps, no matter their origin.

It threatens privacy and can pose national security risks.

The Gravy leak shows the dangers of centralizing massive amounts of data.

Why is my IDFA all zeros in the screenshots?

Because I disabled "Personalized Ads" in iOS.

This entire thread focuses on iOS, but it applies equally to Android. The Android equivalent of IDFA is called AAID.

Technical note: If you want to give it a look, hooking this class is a good start.

Four years ago, I analyzed the data TikTok was transmitting, wrote a series of articles about it, and ultimately found myself testifying before a U.S. congressional committee.

baptisterobert.com/posts/tiktok-l…
