A group of Anonymous hackers have targeted the TikTok app quite a bit after Apple caught it grabbing clipboard data.
Should the text be too small to read, the highlights are that TikTok is doing the following
- Sending phone, hardware info (meh, whatever)
- Sending info on other apps you have installed as well as deleted apps you’ve uninstalled
- Everything network related (ip, local up, router mac, your mac, WiFi AP name)
- Root/jailbroken status
- Some variants had GPS pinging every 30 seconds
- Has a local proxy server set up for “transcoding media” that can be abused easily as it has zero authentication
- App behavior changes slightly if you attempt to reverse engineer the code
- What they collect/snoop on is remotely configurable
- Some code on the Android version allows for downloading and execution of third party code
- App will not function if you block access to their analytics / control system
So yeah… you have TikTok you’ve got little to no privacy if Apple’s previous findings, Anonymous, and a random security researcher are to be believed.
As an armchair security guy, the ability to download and execute third party code and the GPS tagging is the real scary part… someone out there know where you’re at, your phone number, can execute code on your phone and attack your WiFi AP from inside knowing what it and how it’s vulnerable by the MAC.
It could all be sloppy coding, but it’s a very, very exploitable set of tools even if they have no ill intentions. At this point I’d advise uninstalling it until such time as the code is audited and fixed.[Forbes]