![TikTok can bypass Apple and Google security on phone and access full user data, researchers say](https://akm-img-a-in.tosshub.com/indiatoday/images/story/202202/RTXECAMU-647x363.png?.1irL9kfFRvjo6S_vHHmrhPXKfBcyXyb)
TikTok can bypass Apple and Google security on phone and access full user data, researchers say
India Today
A new report verifies two studies that map TikTok's source code to check its app behaviour and data collection practices. The deep dive raises a number of concerns that are now being flagged by cybersecurity experts.
Cybersecurity researchers have time and again raised red flags on the data collection practices followed by TikTok. Despite its continuously surging popularity, the short video app has often been blamed for infringing user privacy through its methods. Reiterating those concerns, a new report now says that the app is even able to bypass the security protocols put in place by the Google Play Store and the Apple App Store.
After verifying two studies conducted by “white hat” cybersecurity experts in November 2020 and January 2021, a new report by TheWrap cites the analysis of five independent experts to claim that TikTok is able to gain "an all-access pass to user data." For this, the report mentions that the app is able to avoid code audits on the app stores of Apple and Google, as well as change its behaviour intermittently to better utilise device tracking.
Deeming this "highly unusual," the report mentions that the behaviour largely exceeds that of other social media apps like Facebook and Twitter. One cybersecurity expert who reviewed the two “white hat” studies told TheWrap that the TikTok browser can convert from web to device, as well as "query things on the device itself." This allows TikTok "carte blanche" access to a device.
Yet another expert told the publication that the app conceals its inner workings more than other social media networks, and it is thus difficult to know the extent to which it can mine data from a device. It then becomes a question of trust: even if the app is not doing anything bad today, that does not mean it is not able to do so.
As mentioned in the report, the two studies found that TikTok’s source code uses device IDs that identify an individual device for ad integration. Once it shares this ID with advertisers, they are able to track people over time "across devices and installs."
The researchers also discovered that the app "essentially acts like a web browser." It uses a special JavaScript bridge that retrieves the app from TikTok’s servers as and when it is launched on a phone. In theory, this allows the TikTok app to change its behaviour dynamically, without pushing an update to users.
This makes it difficult to check the security of the app, as its behaviour cannot be determined by static analysis of the app.
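The limit of static analysis described above can be seen in a small added example, which is not code from TikTok, the studies or TheWrap's report. It assumes a hypothetical bridge object with made-up method names and two constructed server-delivered scripts, and shows how an auditor logs bridge calls at runtime and compares launches.

```javascript
// Constructed stand-in for a native bridge exposed to an app's web layer.
// All method names and return values are hypothetical, not from any real app.
function makeBridge() {
  return {
    getDeviceId: () => "constructed-device-id",
    getLocale: () => "en-IN",
    getBatteryLevel: () => 0.8,
  };
}

// Wrap the bridge so every call made by page script is recorded.
function auditBridge(bridge, log) {
  return new Proxy(bridge, {
    get(target, prop, receiver) {
      const value = Reflect.get(target, prop, receiver);
      if (typeof value !== "function") return value;
      return (...args) => {
        log.push({ method: String(prop), args });
        return value.apply(target, args);
      };
    },
  });
}

// Constructed server responses: same app binary, different script per launch.
const SCRIPT_LAUNCH_1 = "bridge.getLocale();";
const SCRIPT_LAUNCH_2 =
  "bridge.getLocale(); bridge.getDeviceId(); bridge.getBatteryLevel();";

// Run one served script against the audited bridge; return methods it called.
function observeLaunch(script) {
  const log = [];
  new Function("bridge", script)(auditBridge(makeBridge(), log));
  return log.map((entry) => entry.method);
}

// Static view: the methods the shipped bridge exposes (an upper bound only).
function staticSurface() {
  return Object.keys(makeBridge()).sort();
}

// Methods used in the current launch that the baseline launch never touched.
function newlyUsed(baseline, current) {
  const seen = new Set(baseline);
  return [...new Set(current)].filter((m) => !seen.has(m));
}

const first = observeLaunch(SCRIPT_LAUNCH_1);
const second = observeLaunch(SCRIPT_LAUNCH_2);
console.log({ surface: staticSurface(), first, second, added: newlyUsed(first, second) });
```

The static surface is identical on both launches; only the runtime log shows that the second served script reached further into the device than the first.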