A Stark Reminder about API Security As India Bans TikTok Over Privacy Concerns

Recently the Indian government said that it will ban TikTok along with dozens of other well-known apps developed in China saying that the apps pose a threat to the “sovereignty and integrity of India.” This comes on the heels of a border dispute between the two countries last month that led to the deaths of at least 20 Indian soldiers.

59 apps in total have been banned including popular messaging app WeChat and mobile browser UC Browser. India’s Ministry of Information Technology said the ban was due to user complaints that TikTok was “stealing and surreptitiously transmitting users’ data in an unauthorized manner.”

Now, the decentralized international hacking group known as Anonymous has come out with the accusation that TikTok is “essentially malware operated by the Chinese government running a massive spying operation.” This is in response to a thread from a Reddit user who claims to have reverse-engineered the app and found it to be nothing more than a thinly veiled data collection service.

According to Reddit user bangorlol, TikTok is using APIs to collect user information including (exact quotes):

  • Phone hardware (CPU type, number of cores, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)
  • Other apps you have installed (I've even seen some I've deleted show up in their analytics Payload - maybe using as cached value?)
  • Everything network-related (ip, local ip, router mac, your mac, wifi access point name)
  • Whether or not you're rooted/jailbroken
  • Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds - this is enabled by default if you ever location-tag a post IIRC
  • They set up a local proxy server on your device for "transcoding media", but that can be abused very easily as it has zero authentication

If that weren’t bad enough, bangorlol claims that TikTok neglected to use HTTPS to encrypt traffic between its app and its servers. This is an important lesson to any API provider about one of the key boxes to check when reviewing an API security plan: sending API traffic in the clear could have allowed the API to leak users’ email addresses and secondary emails (used for password resets) to anyone able to observe the network.
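The transport-encryption check described above is something an API provider can automate rather than leave to a review meeting. The following is an added example, not code from the article or from TikTok, that audits an app's endpoint configuration for plaintext transport (with extra weight on endpoints that carry credentials or email addresses, such as password resets) and wraps outgoing requests in a client that refuses to downgrade to HTTP. The endpoint names, the `.invalid` hostnames and the `SENSITIVE_MARKERS` list are constructed assumptions for the demonstration.

```python
"""Audit an app's API endpoint configuration for transport-security gaps.

Added example (not from the article). Assumes a simple name -> URL
configuration; hostnames below use the reserved .invalid TLD and are constructed.
"""
import ssl
from dataclasses import dataclass
from urllib.parse import urlsplit

# Endpoint names or paths containing these words are treated as carrying
# credentials or PII and must never be reachable over plaintext. (Assumed list.)
SENSITIVE_MARKERS = ("password", "reset", "login", "email", "token")


@dataclass(frozen=True)
class Finding:
    name: str
    url: str
    issue: str


def audit_endpoint(name: str, url: str) -> list:
    """Return transport-security findings for one configured endpoint."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append(Finding(name, url, "plaintext-transport"))
    if parts.port in (80, 8080):
        findings.append(Finding(name, url, "plaintext-port"))
    host = parts.hostname or ""
    # A raw IP literal cannot be matched against a certificate's DNS names,
    # so TLS validation (and pinning) becomes awkward or gets disabled.
    if host and all(ch.isdigit() or ch == "." for ch in host):
        findings.append(Finding(name, url, "ip-literal-host"))
    haystack = f"{name} {parts.path}".lower()
    if parts.scheme != "https" and any(m in haystack for m in SENSITIVE_MARKERS):
        findings.append(Finding(name, url, "sensitive-data-in-clear"))
    return findings


def audit_config(config: dict) -> list:
    """Audit every endpoint in a name -> URL mapping."""
    out = []
    for name, url in config.items():
        out.extend(audit_endpoint(name, url))
    return out


class TlsOnlyClient:
    """Client-side guard: refuses non-HTTPS URLs and always verifies certificates."""

    def __init__(self) -> None:
        # create_default_context() enables chain verification and hostname checking.
        self.ctx = ssl.create_default_context()
        self.ctx.minimum_version = ssl.TLSVersion.TLSv1_2

    def prepare(self, url: str) -> tuple:
        """Validate the URL before any socket is opened; raise on plaintext."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            raise ValueError(f"refusing plaintext request to {url}")
        return parts.hostname, parts.port or 443, parts.path or "/"


# Constructed sample configuration mirroring the kinds of endpoints the
# article discusses: analytics upload, password reset, a local media proxy.
SAMPLE_CONFIG = {
    "analytics": "http://analytics.example.invalid/v1/events",
    "password_reset": "http://api.example.invalid/v2/account/reset",
    "media_proxy": "http://127.0.0.1:8080/transcode",
    "feed": "https://api.example.invalid/v2/feed",
}

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f.issue:26} {f.name:15} {f.url}")
```

Run on the sample configuration, the audit flags every plaintext endpoint, flags the password-reset endpoint a second time because it carries email addresses in the clear, and flags the local proxy for both its port and its IP-literal host; only the HTTPS feed endpoint passes. `TlsOnlyClient.prepare` is the complementary client-side control: it fails closed before a socket is opened, so a misconfigured URL cannot silently downgrade the connection.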

This information has yet to be independently verified by other researchers, but this is not the first time TikTok has been accused of poor security at best and nefarious activities at worst. The US armed forces have described the app as a threat to cybersecurity, Reddit CEO Steve Huffman has described it as “fundamentally parasitic,” and child advocacy groups filed a complaint stating that TikTok fails to give parents notices of “practices regarding the collection, use, or disclosure of personal information.”

TikTok has of course denied any wrongdoing, and from a legal standpoint they may be right. But by this point, we know the dangers of giving away our information, especially when it’s not clear just how much we are giving away in the first place. The revelations made by bangorlol are only the latest in a growing pile of evidence that users of TikTok should proceed with caution.
