> > If there is an API to get information on you, your contacts, or your device... well, they're using it. For what it's worth I've reversed the Instagram, Facebook, Reddit, and Twitter apps. They don't collect anywhere near the same amount of data that TikTok does, and they sure as hell aren't outright trying to hide exactly what's being sent like TikTok is.
I find this unconvincing and reddit comments are not trustworthy at all.
Wouldn't data collection be limited by the mobile OS anyway? I actually have TikTok on my phone and it requested no special permissions, compared to most other apps which don't even let you view content without validating a phone number.
>Wouldn't data collection be limited by the mobile OS anyway
Maybe on iOS. But on Android, of the ones that he listed, many can be retrieved without any permissions, such as
>* Phone hardware (cpu type, number of cores, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)
>* Whether or not you're rooted/jailbroken
I also suspect that they can get some or all of the network information without any special permissions either.
>* Everything network-related (ip, local ip, router mac, your mac, wifi access point name)
As for "other apps you have installed", it looks like it's getting it through the "retrieve running apps" permission, although I'm not sure whether that shows up as a permission prompt or not.
> I find this unconvincing and reddit comments are not trustworthy at all.
You should probably read the original comment on reddit, not just my summary of it. I found it to be extremely detailed and technically convincing, even though it's still hard to determine the level of its trustworthiness.
Yes, that part about not being able to back up his claims wasn't there when I first read that comment yesterday. And I also don't like that he mixes the technical critique with the moral critique of TikTok, which makes him look biased.
Still, it's a well-known fact that authoritarian regimes tend to use all the tools available to them for spying in foreign countries. That's why Russia's Yandex, VKontakte, and Mail.ru have been banned in Ukraine since 2017.
That report could not distinguish between an ISP and a cloud provider, nor between Alibaba as an e-commerce company and Aliyun as a cloud provider.
The report also complained about possible SQL injection, but the database it accessed is a local SQLite database. Who cares if you inject your own database?