this post was submitted on 17 Jan 2025
1874 points (98.3% liked)
Microblog Memes
11218 readers
1474 users here now
A place to share screenshots of Microblog posts, whether from Mastodon, tumblr, ~~Twitter~~ X, KBin, Threads or elsewhere.
Created as an evolution of White People Twitter and other tweet-capture subreddits.
RULES:
- Your post must be a screen capture of a microblog-type post that includes the UI of the site it came from, preferably also including the avatar and username of the original poster. Including relevant comments made to the original post is encouraged.
- Your post, included comments, or your title/comment should include some kind of commentary or remark on the subject of the screen capture. Your title must include at least one word relevant to your post.
- You are encouraged to provide a link back to the source of your screen capture in the body of your post.
- Current politics and news are allowed, but discouraged. There MUST be some kind of human commentary/reaction included (either by the original poster or you). Just news articles or headlines will be deleted.
- Doctored posts/images and AI are allowed, but discouraged. You MUST indicate this in your post (even if you didn't originally know). If an image is found to be fabricated or edited in any way and it is not properly labeled, it will be deleted.
- Absolutely no NSFL content.
- Be nice. Don't take anything personally. Take political debates to the appropriate communities. Take personal disagreements & arguments to private messages.
- No advertising, brand promotion, or guerrilla marketing.
RELATED COMMUNITIES:
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Not just a data miner, it has some crazy capabilities that are malicious even by the standards of social media phone apps, which were already explicitly malicious. If I remember right, it can download custom code to augment its capabilities per-target, and has encryption to attempt to thwart any attempt to analyze it, which are both pretty unusual amounts of effort to spend from the POV of "we just want to gather your advertising data and listen to your microphone all the time" which are pretty standard things.
Yep, the thing is actual malware which for some reason gets a pass from Google/Apple.
That kinda makes Apple and Google malware too IMO, I should really switch to Graphene...
Yeah it’s been over a decade since I’ve dealt with the Apple App Store. But at the time, when publishing an app, they did all of this review and analysis of your app and they did not allow downloading additional executable code IIRC. Though if you are clever enough, you can get around that.
https://www.reddit.com/r/videos/comments/fxgi06/not_new_news_but_tbh_if_you_have_tiktiok_just_get/
"There's also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary."
Obviously, the app creator can write whatever code they want into the app. If they want to update it, including to run an AB test, they can do a new version.
The only reason for unzipping and executing random binaries on-demand, outside of the normal app update process, is if you want to specifically target one individual or a group of individuals and enable functionality specifically for them that is custom to those particular people. Maybe you just have specific needs for them that aren't served by the overall process, or maybe what you want to install is secret enough that you don't want security researchers getting their hands on it. That second one would be consistent with the obfuscation around even the stock behavior of the app.
I am obviously not talking about HTTPS when I say "encryption to thwart any attempt to analyze it."
Show me where in the Chrome or Firefox app there is code to download an executable -- not a versioned update to the app through the Play Store, but a random chunk of code -- and run it.
This is a pretty impressive amount of deflection.
"All apps on iOS are obfuscated, so it's not important that TikTok on Android takes extra trouble to obfuscate itself in a very weird way which other Android apps generally don't do."
"All Windows apps work by downloading new binaries for themselves, because there's no package management, so it's not important that TikTok on Android takes extra trouble to bypass the package management and enable downloading custom per-user executables and running them."
"Some apps have vulnerabilities by accident, so it's not important that TikTok has a remote code execution vulnerability built in on purpose."
"Apps have a security model, which by the way can be jailbroken, so it's not important if something malicious happens within the app. Actually, forget what I said about jailbreaking."
You haven't actually addressed anything I said, just threw a whole bunch of words about related topics to make it sound like what I described about this particular topic is, within the scope of this topic, a normal thing. It's not.
I think we're done here. I could repeat myself but it would be a waste of both our time.
This is a pretty fair point. I think I saw one other analysis that was similar to the reddit guy, but most people who do security analysis of TikTok seem to say that it's not especially nefarious, or any more so than the other ones (which are all pretty nefarious). I don't know why I trust this guy and not those guys. I just found it credible and specific on the positive side, where the other side is proving the negative. But yeah, there might be a bit of confirmation bias there.
I just ignored that part lol
It's all good, I appreciate it.
There is a difference in the data gathered and where it goes. But just like the cheap
losers sealioning to invert the how-do-you-know question hoping people forget the pedigree of the information isn't the same, it's easy for people to both-sides data gathering too.
And I say that's fine. HAVE it so gathered data must go through a Clearinghouse or two (a gov entity eg SeaLandia or an org like fsf) so it's provably anonymous and then we carry on. To me, this is the result of the discussion we need to have around who gets to spy on you and how we choose that to get benefits at reduced exposure to risk.
Just, it's not the same.
Ok, so Bytedance does exactly what Microsoft, Google and Apple do. Got it.
All 3 can and do run arbitrary code on their platforms. All three share your data with third parties. All three encrypt stuff in their codebase and especially google tries it's hardest to break networking standards just to obfuscate what their code is doing.
... And two of them can be sued by the DoJ and forced into revolving compliance evals .
... if we had a non-toothless DoJ; I get it. But the ability is there.
In a surprisingly Reddit-esque move, Lemmys best answer is buried below emotionally charged nonsense