Earlier this month, there had been a clash at the Indo-China border in Galwan valley that had left 20 Indian soldiers dead and others injured. Since then, there has been many protests against Chinese goods and services as well as companies associated with the neighbouring country in any way.
While some had resorted to burning effigies of Chinese leader Xi Jinping and destroying Chinese goods, government organisations too appears to have taken steps to distance themselves from the neighbouring country.
On Monday, June 29, the government released a lengthy list with 59 names. These are Chinese apps that will now be banned in India.
The list includes popular apps such as Tiktok, and many others.
While many have hailed the government's decision to include Tiktok in the list of banned apps, there are few who may disagree. For those who disagree, a Reddit user has revealed a fascinating theory about a potential breach in security.
In his theory, Reddit user explains how Tiktok operates or "at least operated as of a few months ago."
Read his entire theory below:
TikTok is a data collection service that is thinly-veiled as a social network. If there is an API to get information on you, your contacts, or your device... well, they're using it.
Phone hardware (cpu type, number of course, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)
Other apps you have installed (I've even seen some I've deleted show up in their analytics payload - maybe using as cached value?)
Everything network-related (ip, local ip, router mac, your mac, wifi access point name)
Whether or not you're rooted/jailbroken
Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds - this is enabled by default if you ever location-tag a post IIRC
They set up a local proxy server on your device for "transcoding media", but that can be abused very easily as it has zero authentication
The scariest part of all of this is that much of the logging they're doing is remotely configurable, and unless you reverse every single one of their native libraries (have fun reading all of that assembly, assuming you can get past their customized fork of OLLVM!!!) and manually inspect every single obfuscated function. They have several different protections in place to prevent you from reversing or debugging the app as well. App behavior changes slightly if they know you're trying to figure out what they're doing. There's also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary. There is zero reason a mobile app would need this functionality legitimately.
On top of all of the above, they weren't even using HTTPS for the longest time. They leaked users' email addresses in their HTTP REST API, as well as their secondary emails used for password resets. Don't forget about users' real names and birthdays, too. It was allllll publicly viewable a few months ago if you MITM'd the application.
They provide users with a taste of "virality" to entice them to stay on the platform. Your first TikTok post will likely garner quite a bit of likes, regardless of how good it is.. assuming you get past the initial moderation queue if that's still a thing. Most users end up chasing the dragon. Oh, there's also a ton of creepy old men who have direct access to children on the app, and I've personally seen (and reported) some really suspect stuff. 40-50 year old men getting 8-10 year old girls to do "duets" with them with sexually suggestive songs. Those videos are posted publicly. TikTok has direct messaging functionality.
Here's the thing though.. they don't want you to know how much information they're collecting on you, and the security implications of all of that data in one place, en masse, are fucking huge. They encrypt all of the analytics requests with an algorithm that changes with every update (at the very least the keys change) just so you can't see what they're doing. They also made it so you cannot use the app at all if you block communication to their analytics host off at the DNS-level.
For what it's worth I've reversed the Instagram, Facebook, Reddit, and Twitter apps. They don't collect anywhere near the same amount of data that TikTok does, and they sure as hell aren't outright trying to hide exactly whats being sent like TikTok is. It's like comparing a cup of water to the ocean - they just don't compare.
Concluding his theory, the Reddit user said, "TikTok is essentially malware that is targeting children. Don't use TikTok. Don't let your friends and family use it."
After reading the above theory, one may certainly be glad of government's decision to ban Tiktok.
Narendra Modi's government on Monday said that it has banned 59 mobile apps "which are prejudicial to sovereignty and integrity of India, defence of India, security of state and public order."
The notice adds that these apps had prosed many concerns including those regarding security and the safety of user data.
"There has been a strong chorus in the public space to take strict action against Apps that harm India's sovereignty as well as the privacy of our citizens. On the basis of these and upon receiving of recent credible inputs that such Apps pose threat to sovereignty and integrity of India, the Government of India has decided to disallow the usage of certain Apps, used in both mobile and non-mobile Internet enabled devices," the notice explained.
