TikTok for Promotion

At the moment, TikTok has not been noticed in anything suspicious and in sending specific data.

The year is 2020, and the American president is going to ban TikTok (a mobile application of a social network for publishing videos), because “this service poses risks to US national security.” At the same time, Microsoft is thinking about buying TikTok. Recently, this social network has received a lot of attention from the media, but how reliable is the information provided? This is the question I will try to answer in this series of articles. Each post will answer a specific question. It’s time to put the facts out for everyone to see.

Preliminary remarks

With millions of lines of code, TikTok users have tons of features at their disposal. Accordingly, one article cannot fully disclose such a broad and vague question “does TikTok pose a threat to US national security.” Therefore, I have planned to write several articles, each of which will be devoted to a specific topic.

My name is Baptiste Robert. I’m French. I work in the field of security. In recent years I have been analyzing mobile applications. My articles can be found at tiktokrush.com . My Twitter: twitter.com/tiktokfollower3.

My main goal is to be completely honest with you. I will share everything you need to check what is written in this article.

If you don’t want to get into technical details, at the end of the article are the conclusions from my research.

Introduction

On August 2, 2020, I started researching TikTok and wrote a tweet about it.

Figure 1: Initial TikTok Research Tweet

A few minutes after posting the tweet, I received a comment from one of my followers.

Figure 2: Response from one of the subscribers

We talked in private messages, and my interlocutor spoke about the problem. While analyzing network traffic related to TikTok, a request was noticed being sent every two minutes. However, the content of the request was encrypted and could not be decrypted.

As a result of the conversation, questions for research were formed:

  1. What information does TikTok send out on a regular basis?
  2. When does the referral take place?
  3. Where does the referral take place?
  4. How is content encrypted?

What does TikTok send out on a regular basis?

While debugging something, 90% of the time is spent reproducing the problem. Accordingly, the first thing I tried to do was reproduce the problem. What was done:

Downloaded the latest version of the TikTok mobile application from the French PlayStore.

Installed Burp Suite to intercept network requests made by my phone.

3. Used the Frida script to bypass SSL pinning (binding a certificate or public key of the server to the client) in the application and launched TikTok.

Figure 3: Requests intercepted by Burp Suite

Based on the analysis results, it turned out that TikTok sends network requests with encrypted content every 5 minutes.

Endpoint / service / 2 / app_log /

Figure 4: Content of a POST request sent to / service / 2 / app_log /

Options

Before examining the encrypted content, please note that the request consists of a huge number of parameters.

Figure 5: Parameters of the sent request

Most of the names speak for themselves. All parameters can be divided into three categories:

Device information: device_id, device_type, device_brand, os_api, os_version, …

Application information: app_type, app_language, version_code, version_name, build_number, …

User info: current_region, locale, region

In fact, there is nothing surprising about the above categorization. We are dealing with standard practice, and you can be sure that most of the applications you use have similar data collection technology.

Encrypted content

It’s time to take a look at the encrypted content! This part is going to be pretty fun. I decompiled the application, searched for “app_log” and immediately found the sendEncryptLog method of the com.ss.android.common.applog.NetUtil class.

Figure 6: Contents of the sendEncryptLog Method

Are you bad at code? Nothing wrong. Take a look at the method signature. There are 4 parameters at the entrance: arg4 – URL, arg5 – request content (unencrypted). The other two parameters are not of interest to us yet.

Now I will use the Frida script to intercept this method call and examine the contents of the request before encrypting it.

Figure 7: Method for intercepting the content of the request

I used the TTencryptedLog method and got the following results:

Figure 8: Content of the intercepted request before encryption

The JSON file contains pretty standard data:

As before, there is a lot of information about the device.

When the application was last launched.

Registration of events. I would need to take a closer look at what is meant by “events”, but as far as I can tell, these are pretty standard analytics.

When is the request sent?

The rate at which the request is sent is equal to the rate at which the sendEncryptLog method is called. By pressing X key in JEB app you can get all cross-references easily.

Figure 9: The call locations of the sendEncryptLog method

4 methods were found:

  • doUpdateConfig
  • sendTimelyEvent
  • sendLog
  • unknown method from package deviceRegister

The sendEncryptLog method is used to send another type of JSON. I cleared the data related to TikTok and started over. As a result, I managed to catch the following JSONs:

Content of the request during device registration:

Figure 10: JSON Data During Device Registration

Content of the request when TikTok changes the log settings:

Figure 11: JSON Data When Changing Log Settings

Again, the names speak for themselves. In the above JSON’s, I don’t see anything suspicious or specific regarding TikTok.

Where does the referral take place?

The previous screenshots show that requests are sent to log16-normal-c-useast1a.tiktokv.com. It’s funny to see that I am in Europe, and my logs are sent to the eastern United States. TikTok is spread all over the world, and probably several nodes are used to store logs.

After a more detailed study of the code, we find the URLConfig class.

Figure 12: Creating Multiple Instances of the URLConfig Class

From the picture above, you can see that there are 7 configurations: China, America, America HTTP, SIG AWS, SIG ALIYUN (Alicloud Singapore), Musically, Musically HTTP.

It seems rather odd that there is no configuration for Europe, but okay.

How is content encrypted?

Remember the sendEncryptLog method?

Figure 13: Contents of the sendEncryptLog Method

Encryption occurs on the line v5 = b.a (v5, v5.length);

Figure 14: Request encryption function

The fun begins with the EncryptorUtil class:

Figure 15: Contents of the EncryptorUtil Class

The encryption is done by the native library. All native libraries used by TikTok are located in the /data/data/com.zhiliaoapp.musically/app_librarian/ folder on your phone. At this point, my research is temporarily suspended. Coverage of the topic of data encryption in TikTok deserves a separate article. Plus, it’s 12 at night, and I’m pretty hungry.

Conclusion

In this article, I tried to understand what data TikTok regularly sends to its servers. I have decoded and analyzed the content of the requests. As we can see, at the moment TikTok has not been noticed in anything suspicious and in sending specific data. Getting information about a user’s device is quite standard practice for mobile applications. Similar information is collected by Facebook, Snapchat, Instagram and other popular services.

I hope you enjoyed this article. More parts coming soon. Don’t forget to subscribe to my Twitter.

Subscribe to the “SecurityLab” Telegram and Twitter channels to be the first to know about news and exclusive materials on information security.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.