TikTok Scores 63.1 - Designed to Collect Data with highest Malcore score in Industry
Malcore, by Internet 2.0, will publish analysis results on all popular social media mobile apps. Malcore is an automated analysis tool to scan files and programs to detect malware & assess risk.
The Malcore team at Internet 2.0 has been releasing an industry analysis of social media mobile applications. We have been doing this daily through blog posts. This post is the release of TikTok.
Malcore scored TikTok 63.1. This was the highest (worst) score relative to all other applications we tested. The only score close to it was VK, the Russian app, on 62.7. All other major social media applications scored 34 and below, with the average score being 28.8 across 21 applications.
TikTok got this score because it had 9 trackers and a large number of permissions and code severity warnings. One of the biggest flags for us was the presence of the Russian VKontakte SDK.
TikTok Discovered Trackers (SDKs)
Facebook Share
Bolts
AppsFlyer
Google Firebase Analytics
VKontakte SDK
Facebook Analytics
Facebook Login
Pangle
Google CrashLytics
VK is a Russian-based app that was banned globally on iOS (Apple) for one month last year over questions about ownership. [1]
Ukraine banned it in 2017 and it is still unable to be accessed from Ukraine. [2]
The founder of VK and Telegram, Pavel Durov, cited the lack of independence, saying “it became increasingly difficult to run the social network after ownership changes put pressure on the company preserving its freedom of speech ethic.” [3]
VK has been practically impossible to access from outside Russia since 2022, as it now requires a Russian phone number to access it.
Considering TikTok scored higher than VK, this again raised our concerns about TikTok. In 2022 Internet 2.0 published reporting, covered globally, on our concerns about TikTok. [4] The image below is the AFR’s summary of our reporting.
We stated it was their word against their source code concerning the data harvesting and privacy concerns. TikTok stated to the AFR: [5]
The TikTok app is not unique in the amount of information it collects, which is less than many popular mobile apps. In line with industry practices, we collect information that users choose to provide to us and information that helps the app function, operate securely, and improve the user experience.
In our opinion this controlled experiment, where we apply the exact same analysis and scoring system across the industry, reinforces our 2022 report’s conclusions, as TikTok’s score of 63.1 is more than double the industry average.
For a detailed view of this reverse engineering on TikTok view it directly on Malcore or the blog.
Industry Analysis Results
The social media industry analysis project shows us the relative Malcore risk score for each application. It is a comparative process whose controls are that the same Malcore scoring algorithm is used, all analyses are done on Android APKs, and the time of analysis is the same for all applications. We use these controls to baseline the process and help us determine relative risk.
For the graph there is inconsistent public information on active users and downloads per mobile application. We estimated placement by using the downloads on the Google Play Store, bracketed by reported monthly active users. We would be happy to adjust this data if applications send us official numbers.
We conducted this project because many clients and readers ask us basic data collection questions about all mobile applications. Because of our product Malcore we are now able to highlight how apps are built and give a relative scoring system for consumers to make decisions with.
Over the course of the project we have noted that:
The industry average was 28.8.
Most of the major social media applications scored in a tight group around 34.
There was a large gap between the privacy-marketed email applications (Proton and Tutanota) and Gmail and Outlook.
Most messaging applications came in under 20 except WhatsApp.
WeChat scored between the messaging and social media applications with 27.8.
In our assessment a score between 10 and 35 is within the normal range for an app based on current industry practices. This shows how badly VK and TikTok scored relative to the industry.
Of note, having looked into SDKs specifically, we found it interesting how these larger companies cooperate in the data ecosystem:
VKontakte and Telegram have Huawei Mobile Services and Google SDK
VKontakte also has Facebook and other third parties SDK
WeChat has WeChat, Baidu and Google SDK
TikTok has VKontakte, Facebook and Google SDK
LinkedIn has Facebook, Google and Microsoft SDK
Facebook and Instagram only have Facebook (Meta) SDK
WhatsApp only has Google Analytics SDK
Twitter has Google SDK
We must note this analysis process is not a conclusive code review. It is a static analysis with automated code review using Malcore. A detailed manual source code review, where you manually observe app activity during dynamic analysis, is considered the most conclusive method to assess risk. A manual code review tends to find a lot more information but costs significant time. Most applications try their best to block dynamic analysis to protect their intellectual property.
All Malcore research is self-funded, which means we are limited by time. For example, our TikTok technical analysis report at Internet 2.0, which included dynamic analysis and manual code review, drew far more conclusive insights into TikTok.
Tutanota = 1.8 (Lowest email score due to very few code warnings, 0 trackers and suspicious warnings, as well as few permissions)
Discord = 9.6 (Lowest social media score due to very few code and device access warnings)
Zoom = 10.5 (Lowest Video Score, only Google SDK)
ProtonMail = 12.65 (Higher than Tutanota due to trackers, suspicious warnings and more code warnings)
Telegram = 12.7 (Analyzed twice and reduced from 17.2; it has Huawei Mobile Services only for Huawei-built phones)
Facebook Messenger = 14.05 (Only has Meta Facebook tracking and not connected to Google ecosystem)
Threema Work = 16.1 (Second lowest score for messenger apps, Internet 2.0 preferred messenger app)
Facebook App = 16.55 (One of the lowest social media scores due to very few code warnings, despite that the Facebook app has a high amount of permissions)
Lamchat = 18.35 (Posted by Rory Chapman, Australian Start-up)
Signal Messenger = 21.8 (Third lowest score for messenger apps, Internet 2.0 preferred messenger app)
WhatsApp Messenger = 26.25 (Unlike Meta’s Facebook app, WhatsApp has Google Analytics)
WeChat = 27.8 (Slightly higher than WhatsApp, WeChat has 5 trackers in total, including Baidu Maps and WeChat Location)
Gmail = 29.6 (The highest of all the email clients, due to a high amount of permissions)
Reddit = 30.65 (Reddit falls within the average of other social media apps but has 6 total trackers)
LinkedIn = 34.15 (LinkedIn falls within the average score of other social media apps but has a high amount of trackers, with 9 in total)
Snapchat = 34.25 (Snapchat had only 4 trackers but had many permissions)
Twitter = 34.4 (The first in our series of social media apps, Twitter’s score is the result of high permissions)
Instagram = 34.55 (The second highest in our series of social media apps so far, Instagram’s score is the result of 2 suspicious warnings, several trackers in the Facebook ecosystem and a high amount of permissions)
Outlook = 35.9 (Outlook has 7 trackers which accounts for the high score)
Microsoft Teams = 38 (Microsoft teams has 4 trackers but a high amount of permissions)
Viber Messenger = 46.7 (Has 11 trackers, which accounts for the higher score)
VK.com = 62.7 (The highest of any app so far, VK has a total of 13 trackers and 28 dangerous permissions)
How the Malcore scoring system works
Scores are assigned as follows:
Dangerous permission = 0.25
Suspicious permission = 0.075
High severity warning for code analysis results = 0.15
Severity warning for code analysis results = 0.05
Per tracker or token = 2.5
During code analysis Malcore unzips the APK file and decompiles the compiled .dex files. Malcore runs through each file and uses indicators to determine issues within the code. These code severity warnings are based on Java coding best practices.
Next Malcore parses the AndroidManifest.xml file and determines the device permission requests the app has. These permission levels are graded in severity based on the Android manifest website: https://developer.android.com/reference/android/Manifest.permission.
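As an added example (not Malcore’s own code), the Python below shows the two mechanical steps this section describes: pulling the <uses-permission> entries out of a decoded AndroidManifest.xml and bucketing them by severity, then combining the counts with the weights listed above to see which component dominates a score. The manifest, the warning counts and the dangerous/suspicious permission sets are constructed for illustration (the dangerous ones are a small subset of the runtime permissions on the Android Manifest.permission page); the 9-tracker figure is TikTok’s from this post.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Weights exactly as listed in the post's scoring section.
W_DANGEROUS, W_SUSPICIOUS, W_HIGH_WARN, W_WARN, W_TRACKER = 0.25, 0.075, 0.15, 0.05, 2.5

# Illustrative subset of runtime ("dangerous") permissions from the Android
# Manifest.permission reference page; a real grader loads the full table.
DANGEROUS = {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
             "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
             "android.permission.ACCESS_FINE_LOCATION"}
# Assumed "suspicious" bucket: the post does not define its membership.
SUSPICIOUS = {"android.permission.SYSTEM_ALERT_WINDOW",
              "android.permission.REQUEST_INSTALL_PACKAGES"}

# Constructed manifest, already decoded from binary AXML (e.g. with apktool).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""

def parse_permissions(manifest_xml: str) -> list[str]:
    # Every android:name attribute on a <uses-permission> element.
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]

def grade_permissions(perms: list[str]) -> dict[str, int]:
    # Bucket each permission the way the post describes grading by severity.
    counts = {"dangerous": 0, "suspicious": 0, "normal": 0}
    for p in perms:
        bucket = "dangerous" if p in DANGEROUS else "suspicious" if p in SUSPICIOUS else "normal"
        counts[bucket] += 1
    return counts

def score_breakdown(dangerous, suspicious, high_warnings, warnings, trackers):
    # Contribution of each component plus the total, using the post's weights.
    parts = {"dangerous_permissions": dangerous * W_DANGEROUS,
             "suspicious_permissions": suspicious * W_SUSPICIOUS,
             "high_severity_warnings": high_warnings * W_HIGH_WARN,
             "severity_warnings": warnings * W_WARN,
             "trackers": trackers * W_TRACKER}
    parts["total"] = round(sum(parts.values()), 3)
    return parts
```

With 3 dangerous and 1 suspicious permission, 2 high and 4 ordinary code warnings and 9 trackers, the total is 23.825, of which the trackers alone contribute 22.5, which is why tracker count drives the ranking in this series.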
A tracker is a piece of software whose task is to gather information on the person using the application. A tracker can be used to monitor usage and engagement, for example in analytics or advertising. Trackers are normally a legitimate software development kit (SDK) designed to help developers understand how their apps are being used, resolve potential issues and improve their software. Importantly for privacy, though, there is a large market buying the data collected by these SDKs to improve advertising spend and to better understand users’ behaviour. An example of one of the most sophisticated SDKs in the market is Facebook’s. This post on their developer forum is a good example of how the Facebook SDK works: https://developers.facebook.com/community/threads/278044280345820/
Based on this project we have created the 4 most practical steps of how to limit data harvesting for users.
[1] https://www.theverge.com/2022/10/18/23410518/apple-vkontakte-russian-apps-sanction-ban-restore-app-store
[2] https://www.kyivpost.com/post/7880
[3] https://techcrunch.com/2014/04/01/founder-pavel-durov-says-hes-stepped-down-as-head-of-russias-top-social-network-vk-com/
[4] https://internet2-0.com/whitepaper/its-their-word-against-their-source-code-tiktok-report/
[5] https://www.afr.com/policy/foreign-affairs/tiktok-s-alarming-excessive-data-collection-revealed-20220714-p5b1mz