TikTok is quickly becoming one of the largest social networks. It has over 800 million users worldwide, and roughly half of its users are between 16 and 24.

There have been privacy concerns about TikTok for some time. Recent information paints a very ugly picture of how TikTok operates to destroy your privacy.

Today we'll take a detailed look at how TikTok compromises your smart devices, and what you can do about it.

Snooping on Your Clipboard

While it is a fairly well-known fact that most apps collect user data for advertising and telemetry reasons, TikTok seems to be taking it to an extreme. As Twitter user Jeremy Burge demonstrates, his clipboard contents are being copied into TikTok every few seconds even when he is not using the app.

Copying from the user clipboard isn't something unique to TikTok. Other apps do this to offer greater functionality to the user and don't use it as a data collection technique. There is no way to tell which apps are checking your clipboard as part of their functionality, and which are simply mining your data.

It Gets Worse

Copying data from your clipboard so frequently may seem odd, but not inherently dangerous. Unfortunately, it's not as simple as that, as Forbes writer Zak Doffman explains:

"The most acute issue with this vulnerability is Apple's universal clipboard functionality, which means that anything I copy on my Mac or iPad can be read by my iPhone, and vice versa. So, if TikTok is active on your phone while you work, the app can basically read anything and everything you copy on another device: Passwords, work documents, sensitive emails, financial information. Anything."

This behavior, whether on purpose or as a result of poor code, it pretty worrying. It's fair to say that exploiting this vulnerability may not have been the original intention of the TikTok development team.

However, later in the same Forbes article TikTok seem to be unable to say whether clipboard snooping is an "anti-spam feature" or an error in the Google Ads software development kit (SDK).

TikTok: Unwrapped

One of the reasons we now know so much more about how TikTok operates is down to the work of a Reddit user named bangorlol. In a comment on a now-deleted post criticizing TikTok they describe how they reverse-engineered the app, and what they found.

The Reddit thread that started the recent investigation

This thread, along with some other citizen investigative journalism, show TikTok to be either morally corrupt or incompetent developers. Neither bode well for your security. The main ways TikTok collect and manipulate your data were listed by u/bangorlol:

  • "Phone hardware (cpu type, number of course, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)
  • Other apps you have installed (I've even seen some I've deleted show up in their analytics payload---maybe using as cached value?)
  • Everything network-related (ip, local ip, router mac, your mac, wifi access point name)
  • Whether or not you're rooted/jailbroken
  • Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds---this is enabled by default if you ever location-tag a post IIRC
  • They set up a local proxy server on your device for "transcoding media", but that can be abused very easily as it has zero authentication"

Add to this the fact that TikTok contains code that allows the downloading of a remote zip file, before extracting and running its contents, and things start to look very scary indeed.

Time to Uninstall TikTok?

With so many security breaches, surely there is no good reason to keep using TikTok? Some developers disagree. While TikTok is taking it to an extreme, almost every app you use will be collecting your data.

One aspect of the TikTok controversy appears to have been neglected. Both Google and Apple have standards that all companies must adhere to in order to have their app listed on the Play and App stores. While this doesn't protect you entirely, it seems unlikely that a single app would be acting in a way that was different from others on the same platforms.

Whether you see this as a good thing or further evidence that smartphone security is in a terrible place is up to you.

If your kids still want to use TikTok, find out how to make TikTok safer for children.

It's Not Just TikTok

TikTok is not the only app snooping on you

The recent flow of TikTok related news makes it easy to forget that they are far from the only company who've been criticized for shady data usage. Facebook have repeatedly proved themselves to be a privacy nightmare. They routinely track users in ways that go far beyond any of the TikTok accusations. Very few users ended up leaving Facebook due to these allegations, and TikTok might be the same.

Another popular viewpoint on the TikTok controversy is that while the security issues are grave, they are under greater scrutiny due to political tension. India has already banned many Chinese apps, including TikTok, and the US is considering a similar ban. It's telling that these two countries both have fraught relationships with China.

What's Next for TikTok Security?

The original post by bangorlol on Reddit, along with posts by Twitter users, caused a stir. There is now real momentum around the TikTok privacy issue, and a small community has grown around uncovering what TikTok might be up to.

One hub for this work is the TikTok reversing subreddit started by bangorlol. It now has over 1000 members crowdsourcing further revelations about the app.

Several security groups have published papers on TikTok including Penetrum and Zimperium.

Social Media Erodes Your Security

TikTok's security concerns are nothing new, and while it is worrying, there are ways you can make your account more secure.

However, one thing is certain: TikTok, and most other social media apps, continue to erode your security daily. Getting off TikTok and onto its alternatives might be a good start, but the only way to be sure is to get off social media entirely!