• PhilipTheBucket@ponder.cat · 51 up, 7 down · 8 months ago

    Not just a data miner, it has some crazy capabilities that are malicious even by the standards of social media phone apps, which were already explicitly malicious. If I remember right, it can download custom code to augment its capabilities per-target, and has encryption to attempt to thwart any attempt to analyze it, which are both pretty unusual amounts of effort to spend from the POV of “we just want to gather your advertising data and listen to your microphone all the time” which are pretty standard things.

      • jaybone@lemmy.world · 2 up · 8 months ago

        Yeah, it’s been over a decade since I’ve dealt with the Apple App Store. But at the time, when publishing an app, they did all of this review and analysis of your app, and they did not allow downloading additional executable code IIRC. Though if you are clever enough, you can get around that.

      • PhilipTheBucket@ponder.cat · 10 up · 8 months ago

        https://www.reddit.com/r/videos/comments/fxgi06/not_new_news_but_tbh_if_you_have_tiktiok_just_get/

        “There’s also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary.”

        Obviously, the app creator can write whatever code they want into the app. If they want to update it, including to run an AB test, they can do a new version.

        The only reason for unzipping and executing random binaries on-demand, outside of the normal app update process, is if you want to specifically target one individual or a group of individuals and enable functionality specifically for them that is custom to those particular people. Maybe you just have specific needs for them that aren’t served by the overall process, or maybe what you want to install is secret enough that you don’t want security researchers getting their hands on it. That second one would be consistent with the obfuscation around even the stock behavior of the app.

        I am obviously not talking about HTTPS when I say “encryption to thwart any attempt to analyze it.”

          • PhilipTheBucket@ponder.cat · 5 up · 8 months ago

            Show me where in the Chrome or Firefox app there is code to download an executable – not a versioned update to the app through the Play Store, but a random chunk of code – and run it.

              • PhilipTheBucket@ponder.cat · 5 up, 1 down · 8 months ago

                This is a pretty impressive amount of deflection.

                “All apps on iOS are obfuscated, so it’s not important that TikTok on Android takes extra trouble to obfuscate itself in a very weird way which other Android apps generally don’t do.”

                “All Windows apps work by downloading new binaries for themselves, because there’s no package management, so it’s not important that TikTok on Android takes extra trouble to bypass the package management and enable downloading custom per-user executables and running them.”

                “Some apps have vulnerabilities by accident, so it’s not important that TikTok has a remote code execution vulnerability built in on purpose.”

                “Apps have a security model, which by the way can be jailbroken, so it’s not important if something malicious happens within the app. Actually, forget what I said about jailbreaking.”

                You haven’t actually addressed anything I said, just threw out a whole bunch of words about related topics to make it sound like what I described about this particular topic is, within the scope of this topic, a normal thing. It’s not.

                  • PhilipTheBucket@ponder.cat · 3 up, 1 down · 8 months ago

                    Caring about this obfuscation is comical and directly leans into my point about laymen getting scared by things every app does.

                    I think we’re done here. I could repeat myself but it would be a waste of both our time.

      • corsicanguppy@lemmy.ca · 1 up, 5 down · 8 months ago

        There is a difference in the data gathered and where it goes. But just like the cheap “Source?” losers sealioning to invert the how-do-you-know question, hoping people forget the pedigree of the information isn’t the same, it’s easy for people to both-sides data gathering too.

        And I say that’s fine. HAVE it so gathered data must go through a clearinghouse or two (a gov entity, e.g. SeaLandia, or an org like the FSF) so it’s provably anonymous, and then we carry on. To me, this is the result of the discussion we need to have around who gets to spy on you and how we choose that to get benefits at reduced exposure to risk.

        Just, it’s not the same.

    • Redredme@lemmy.world · 19 up, 14 down · 8 months ago

      Ok, so Bytedance does exactly what Microsoft, Google and Apple do. Got it.

      All three can and do run arbitrary code on their platforms. All three share your data with third parties. All three encrypt stuff in their codebase, and Google especially tries its hardest to break networking standards just to obfuscate what their code is doing.

      • corsicanguppy@lemmy.ca · 19 up · 8 months ago

        … And two of them can be sued by the DoJ and forced into revolving compliance evals.

        … if we had a non-toothless DoJ; I get it. But the ability is there.

    • Poxlox@lemmy.world · 1 up · 8 months ago

      In a surprisingly Reddit-esque move, Lemmy’s best answer is buried below emotionally charged nonsense.