TikTok vs. Douyin: A Security and Privacy Analysis(citizenlab.ca)
citizenlab.ca
TikTok vs. Douyin: A Security and Privacy Analysis
https://citizenlab.ca/2021/03/tiktok-vs-douyin-security-privacy-analysis/
11 comments
> We suspect the “sensitive” field restriction refers to content that is “politically sensitive” but could not confirm.
The other search restricted categories they found (hate speech, limit, suicide prevention) all cause the app to display a predefined message. Rather than “politically sensitive” (which I could see being in the Chinese app but would be weird to have in the global one), this one probably corresponds to another predefined message, specifically “this phrase may be associated with behavior or content that violates our guidelines”, which you can get by searching for things like “rape”. I don’t have the necessary setup to confirm, maybe someone could check.
The other search restricted categories they found (hate speech, limit, suicide prevention) all cause the app to display a predefined message. Rather than “politically sensitive” (which I could see being in the Chinese app but would be weird to have in the global one), this one probably corresponds to another predefined message, specifically “this phrase may be associated with behavior or content that violates our guidelines”, which you can get by searching for things like “rape”. I don’t have the necessary setup to confirm, maybe someone could check.
If TikTok does not access our local-based contact address book, then why does TikTok need access to our contacts?
They say that they didn't see contacts getting uploaded without permission.
TikTok's privacy policy contains this paragraph:
Your phone and social network contacts, with your permission. If you choose to find other users through your phone contacts, we will access and collect the names and phone numbers and match that information against existing users of the Platform. If you choose to find other users through your social network contacts, we will collect your public profile information as well as names and profiles of your social contacts
https://www.tiktok.com/legal/privacy-policy?lang=en
TikTok's privacy policy contains this paragraph:
Your phone and social network contacts, with your permission. If you choose to find other users through your phone contacts, we will access and collect the names and phone numbers and match that information against existing users of the Platform. If you choose to find other users through your social network contacts, we will collect your public profile information as well as names and profiles of your social contacts
https://www.tiktok.com/legal/privacy-policy?lang=en
>They say that they didn't see contacts getting uploaded without permission.
Further down in the report they say it never uploads contacts.
> Neither Douyin nor TikTok (Musically) seemed to upload contact lists, photos, or user files.
Further down in the report they say it never uploads contacts.
> Neither Douyin nor TikTok (Musically) seemed to upload contact lists, photos, or user files.
I guess that means they didn't try to find other users from their contacts, didn't set a profile picture and didn't post any videos.
When you give access to TikTok for all of your photos, what exactly do they have the ability to do?...regardless if they are actively doing anything. Can the app selectively download any photo from that moment on in your library? This actually goes for many other apps.
Most smartphones tag photos with useful metadata such as location, which can be mined and sold
I have no idea what most of this means, but I'm glad somebody is doing it.
Can anyone explain why Google doesn’t prevent dynamic code loading on Android?
And what in the particular case that can be considered as bad sign?
It's only disallowed by Play Store Policy, not as a technical limitation. Personally, I'm glad that it's not restricted, that way I can still write apps that use it, even if they'll never be officially published anywhere.
> The evidence we found is inconclusive in showing if TikTok takes down posts (post censorship) unfavorable to the Chinese government. We found that TikTok contains a code module to handle a special class of server-returned search responses. If the server decides to restrict a search result, it will return a response with zero result item, and indicate the reason for restriction in a special “search_nil_info” field. The client code module contains four predefined reasons for restriction: “hate speech,” “limit,” “sensitive,” and “suicide prevention.” The server also sometimes returned reasons that were not predefined; however, we were unable to make sense of their meanings.
[0] https://citizenlab.ca/2021/03/tiktok-vs-douyin-security-priv...