大致是送的比较多,还可以远程控制

来源: 2020-07-13 21:04:11 [] [旧帖] [给我悄悄话] 本文已被阅读: 次 (5757 bytes)
回答: 從手機裏偷走data?violinpiano2020-07-13 20:45:19

TikTok is a data collection service that is thinly-veiled as a social network. If there is an API to get information on you, your contacts, or your device... well, they're using it.

  • Phone hardware (cpu type, number of course, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)

  • Other apps you have installed (I've even seen some I've deleted show up in their analytics payload - maybe using as cached value?)

  • Everything network-related (ip, local ip, router mac, your mac, wifi access point name)

  • Whether or not you're rooted/jailbroken

  • Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds - this is enabled by default if you ever location-tag a post IIRC

  • They set up a local proxy server on your device for "transcoding media", but that can be abused very easily as it has zero authentication

  • The scariest part of all of this is that much of the logging they're doing is remotely configurable, and unless you reverse every single one of their native libraries (have fun reading all of that assembly, assuming you can get past their customized fork of OLLVM!!!) and manually inspect every single obfuscated function. They have several different protections in place to prevent you from reversing or debugging the app as well. App behavior changes slightly if they know you're trying to figure out what they're doing. There's also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary. There is zero reason a mobile app would need this functionality legitimately.

    On top of all of the above, they weren't even using HTTPS for the longest time. They leaked users' email addresses in their HTTP REST API, as well as their secondary emails used for password resets. Don't forget about users' real names and birthdays, too. It was allllll publicly viewable a few months ago if you MITM'd the application.

https://www.reddit.com/r/videos/comments/fxgi06/not_new_news_but_tbh_if_you_have_tiktiok_just_get/fmuko1m/

 

所有跟帖: 

听起来挺危险的一个app -twoboys_mom- 给 twoboys_mom 发送悄悄话 twoboys_mom 的个人群组 (0 bytes) () 07/13/2020 postreply 21:06:19

看起來都是從手機偷你的資料啊 -violinpiano- 给 violinpiano 发送悄悄话 violinpiano 的个人群组 (177 bytes) () 07/13/2020 postreply 21:25:34

加跟帖:

  • 笔名:      密码: 保持登录状态一个月,直到我退出登录。
  • 标题:
  • 内容(可选项): [所见即所得|预览模式] [HTML源代码] [如何上传图片] [怎样发视频] [如何贴音乐]
回到顶部