TikTok’s source code is in line with industry standards, security researchers say.
Various privacy & censorship criticisms of the video social-media app TikTok have circulated for months. Security analysts from Citizen Lab are the first to gather real data on the platform’s source code, & they report that TikTok meets reasonable standards of security & privacy.
The platform, they worked out, is a customised version of more intrusive variants of the application used by TikTok’s China-based parent company, ByteDance, across East & Southeast Asia, minus those variants’ limitations on access or privacy.
Citizen Lab found that the controls ByteDance has put in place for the version of TikTok available in the US are sufficient, & that the app does not “contain strong deviations of privacy, security & censorship practices when compared to TikTok’s competitors, like Facebook,” the report said.
There are lingering concerns, however, that the source-code capabilities to censor speech on the various ByteDance apps could be “turned on” in the US version of TikTok down the line.
TikTok is the first social-media platform to come out of the Communist country & explode across the globe. TikTok’s rise has been so meteoric that last year it posted the most downloads in a single quarter for any app ever & crossed more than 2 billion users worldwide.
In Summer 2020, ex-President Trump threatened to ban TikTok from the US, where it has more than 100m users, & even signed an executive order to block it from app stores due to what he called “national-security concerns.” Then-Commerce Secretary Wilbur Ross added at the time that TikTok allowed “China’s malicious collection of American citizens’ personal data.” Plans to block TikTok were abandoned at the last minute, but questions have lingered.
It turns out those accusations were unfounded, according to these new findings from Citizen Lab.
“TikTok and Douyin do not appear to exhibit overtly malicious behaviour similar to those exhibited by malware,” the report said. “We did not observe either app collecting contact lists, recording & sending photos, audio, videos or geolocation coordinates without user permission.”
ByteDance operates two distinct platforms, TikTok and Douyin. ByteDance launched in China with Douyin. In China, it is understood, companies are required to moderate content to comply with government speech restrictions, under threat of being shut down, the report explained.
ByteDance later launched TikTok for markets outside China, in June 2018. Both Douyin & TikTok share much of the same source code, with a few regional distinctions.
“We postulate that ByteDance develops TikTok & Douyin starting out from a common code base & applies different customisations according to market needs,” the Citizen Lab report commented.
“We observed that some of these customisations can be turned on or off by different server-returned configuration values. We are concerned but could not confirm that this capability may be used to turn on privacy-violating hidden features.”
“It is likely that both apps already accumulated their own user base, & after the merger it was easier to simply upgrade both apps to the new merged-code version, instead of asking users to install another app,” the report observed. That left three distinct versions of ByteDance code: Douyin, & two versions of TikTok known as “Trill” & “Musically.”
Musically & Trill
“For the parts which we have examined, the differences between Musically & Trill are fewer than the differences between Douyin & the other two,” the report suggested. “This is expected because Douyin serves a China-only platform separate from the global platform served by regional variants Trill & Musically.”
The Trill version of TikTok is used in East & Southeast Asia & provides tighter privacy & access controls than the Musically version of TikTok, which is available in the West.
“This version distinction is also used to adjust interfaces & provide user settings tailored to the targeted regions,” the report explained. “Users are only given the ability to opt out of ad personalisation in Musically, which is likely due to the requirements of the European General Data Protection Regulation (GDPR).”
Other distinctions the researchers found include the fact that Douyin collected data which could identify a user’s location, while TikTok does not, according to the report.
Rather than being written into separate code bases, however, these differences are governed by controls hard coded into the internal configuration of all three services. That leaves dormant code defining privacy & search parameters for the other platforms inside each app, code which could, in effect, be turned on later.
“In the small portion of code which we had examined, we did not find any case in which undesirable features could be enabled by server-returned configuration values,” the researchers stated. “However, we are still concerned that this dormant code originally meant for Douyin may be activated in TikTok accidentally, or even intentionally.”
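The concern above, that a configuration value returned by a server could flip on a feature that was only ever meant for a different regional variant, is easiest to see in code. The following is an added illustration, not code from Citizen Lab’s report or from ByteDance; the feature names, variant names and config format are all constructed. It contrasts a naive client that trusts whatever the server sends with one that enforces a build-time allowlist, so that dormant code shared across variants cannot be activated in a build that should never use it, accidentally or otherwise, and it lists the dormant flags an auditor would want to enumerate for a given build.

```python
import json
from dataclasses import dataclass, field

# Every feature switch present in the shared code base.
# Hypothetical names, constructed for this example.
SHARED_FEATURES = {
    "ad_personalisation_opt_out",  # user-facing opt-out control
    "precise_location",            # collect geolocation coordinates
    "search_term_filter",          # server-driven search suppression
    "dynamic_code_loading",        # fetch and run code outside the OS installer
}

# Build-time allowlist: what each shipped variant may ever enable, regardless
# of what the server returns. Assignments are illustrative, not the real ones.
VARIANT_ALLOWLIST = {
    "douyin": {"precise_location", "search_term_filter", "dynamic_code_loading"},
    "trill": {"search_term_filter"},
    "musically": {"ad_personalisation_opt_out"},
}

# A constructed server response that tries to switch on features belonging
# to other variants, plus one flag the client has never heard of.
SAMPLE_CONFIG = json.dumps({
    "feature_flags": {
        "ad_personalisation_opt_out": True,
        "precise_location": True,
        "search_term_filter": True,
        "telemetry_v2": True,
    }
})


def naive_resolve(server_config_json: str) -> set:
    """The risky pattern: enable whatever the server says is on."""
    flags = json.loads(server_config_json).get("feature_flags", {})
    return {name for name, on in flags.items() if on}


@dataclass
class FlagDecision:
    enabled: set = field(default_factory=set)
    rejected: set = field(default_factory=set)  # server asked, build refused
    unknown: set = field(default_factory=set)   # flag not in this code base


def resolve_flags(variant: str, server_config_json: str) -> FlagDecision:
    """Apply a server-returned config, but only within the build's allowlist."""
    allowed = VARIANT_ALLOWLIST[variant]
    flags = json.loads(server_config_json).get("feature_flags", {})
    decision = FlagDecision()
    for name, on in flags.items():
        if name not in SHARED_FEATURES:
            decision.unknown.add(name)
        elif not on:
            continue
        elif name in allowed:
            decision.enabled.add(name)
        else:
            # Dormant code for another variant: refuse, and surface it for logging.
            decision.rejected.add(name)
    return decision


def dormant_flags(variant: str) -> set:
    """Flags present in the shared code that this build can never turn on.
    This is the set an auditor would enumerate when reviewing a regional build."""
    return SHARED_FEATURES - VARIANT_ALLOWLIST[variant]


if __name__ == "__main__":
    print("naive client enables:", sorted(naive_resolve(SAMPLE_CONFIG)))
    d = resolve_flags("musically", SAMPLE_CONFIG)
    print("allowlisted client enables:", sorted(d.enabled))
    print("rejected (dormant for this build):", sorted(d.rejected))
    print("unknown flags:", sorted(d.unknown))
    print("dormant in musically build:", sorted(dormant_flags("musically")))
```

The design point is that the allowlist is compiled into the variant, not fetched from the server, so a misconfigured or hostile config cannot widen what the build does; the rejected set is worth logging, since a server repeatedly asking a Western build for a China-only feature is exactly the signal the researchers say they could not rule out.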
Another potentially problematic aspect of Douyin is that it is able to update itself over the internet, bypassing the operating system & user control, the research found. TikTok, however, does not include this capability.
“Overall, TikTok includes some unusual internal designs, but does not otherwise exhibit overtly malicious behaviour,” Citizen Lab’s findings concluded. “Douyin’s dynamic code-loading feature can be seen as malicious, as it bypasses the system installation process, but this feature is also commonly seen in Chinese apps & generally accepted in the Chinese market.”
While the team admits its testing was limited to only the “most popular” posts on TikTok, it was able to conclude that the “platform does not enforce obvious post censorship, & if post censorship was enforced at all it would subtly only apply to unpopular posts,” the report added.
Proposed bans on TikTok & WeChat were met with scepticism by some in the security community when early accusations of TikTok abuse emerged, because no evidence ever materialised.
“TikTok hasn’t been shown to collect any more data than other social-media apps,” Paul Bischoff, privacy advocate with Comparitech, explained last September. “It sets a dangerous precedent of censorship in the US. We are banning a Chinese app but adopting a Chinese censorship policy. The latter is much more concerning.”