TikTok: Logs, Logs, Logs

栏目: IT技术 · 发布时间: 4年前

TikTok: Logs, Logs , Logs

Aug 3 ·6min read

TikTok: Logs, Logs, Logs

We are in 2020 and the US president is about to ban TikTok, a video-sharing social network mobile app, because “it poses a risk to US national security”. At the same time, Microsoft started discussions on a potential TikTok purchase in the United States. TikTok has received a lot of media coverage lately, but how much of it is factual? This is what I will try to answer in this series of articles. Each article will answer a very specific question. It is time to put the facts back on the table.

Disclaimer

  • TikTok offers plethora of features to their users thanks to its million of lines long code. As such, a single article can not cover a question as broad and vague as “does TikTok poses a threat to US national security?”. That’s why I’ll cover the matter over several articles all focused on specific subjects..
  • My name is Baptiste Robert, I’m a French security researcher. I’ve been analysing mobile apps for years. You can find my public work at fs0c131y.com/press and my stupid tweets at twitter.com/fs0c131y .
  • My goal here is to be totally transparent. I will share everything you need to double check what I wrote in this article.
  • If you’d like to skip the technical details, a TL;DR is available at the end of the article.

I) Introduction

On August 2, 2020, I started to analyse TikTok and tweeted about it.

Few minutes after this tweet, one of my followers commented.

We discussed by private messages and he explained me the issue. He listened to the network requests made by TikTok and noticed that a request was made every 2 minutes. However, the content was encrypted and he was unable to decrypt it.

Sounds like a good starting point for our journey:

  • What does TikTok regularly send?
  • When is it sent?
  • Where is it sent?
  • How the content is encrypted?

II) What does TikTok regularly send?

When debugging something, 90% of the work is being able to reproduce it. So, first I tried to reproduce the issue.

  1. I downloaded the latest version of TikTok from the French PlayStore
  2. I set up Burp Suite to intercept the network requests made by my phone
  3. I used a Frida script to bypass the SSL pinning implemented in the app and started TikTok

TikTok: Logs, Logs, Logs

Bingo! Every 5 minutes, TikTok sent a network request with an encrypted content.

II.1) The /service/2/app_log/ endpoint

Let’s focus on the requests made to the endpoint /service/2/app_log/.

TikTok: Logs, Logs, Logs

Parameters

Before studying its encrypted content, we can already see that this request contains a huge amount of parameters.

TikTok: Logs, Logs, Logs

Most of the names speak for themselves. I can see 3 types of parameters:

  • Info about the device: device_id, device_type, device_brand, os_api, os_version, …
  • Info about the app: app_type, app_language, version_code, version_name, build_number, …
  • Info about the user: current_region, locale, region

While that might sound surprising to you, it really isn’t. Such practice is pretty standard and you can be assured that most apps you use have the same data-retrieval process.

Encrypted content

Time to look at the encrypted content! This is the fun part :wink:. I decompiled the app and searched for “app_log”. I immediately found the method sendEncryptLog in the class com.ss.android.common.applog.NetUtil

TikTok: Logs, Logs, Logs

You don’t read code? That’s ok, don’t worry. Look at the method signature. It took 4 parameters. arg4 is the url, arg5 is the content of the request (non encrypted) and the rest we don’t care for the moment.

Now, I can use Frida to intercept the call of this method and see the content of the request before encryption.

TikTok: Logs, Logs, Logs

I used my small TTencryptedLog method and I got the following output

TikTok: Logs, Logs, Logs

If we go through the content of the JSON file, we can see pretty standard data.

  • Like before, a lot of info about the device
  • When was the app last launched
  • Events logging. I’d need to take a closer look at what they consider to be “events” but as far as I can tell, it seems to be a pretty standard analytics solution.

III) When is it sent?

Answer to this question is equal to answer to when the method sendEncryptLog is called. By pressing the key X with JEB , you can easily get all the cross references.

TikTok: Logs, Logs, Logs

We can see 4 methods:

  • doUpdateConfig
  • sendTimelyEvent
  • sendLog
  • a unknown method in the deviceRegister package

The sendEncryptLog method is used to send different type of JSON. So, I cleared the data of TikTok and I restarted everything from scratch. I managed to catch the following JSONs

Content of the request when the device is register

TikTok: Logs, Logs, Logs

Content of the request when the TikTok modify the log settings

TikTok: Logs, Logs, Logs

Again, the field names speak for themselves. I cannot see anything suspicious or specific to TikTok in these JSONs.

IV) Where is it sent?

As you saw in the previous screenshots, the requests are sent to log16-normal-c-useast1a.tiktokv.com. Funny to see that I’m sitting in Europe and my logs are sent to a us-east enpoint… TikTok is an app used worldwide, they probably used several endpoint to upload the logs.

After digging in the code we can find the URLConfig class

TikTok: Logs, Logs, Logs

There are 7 url configurations: China, America, America HTTP, SIG AWS, SIG ALIYUN, Musically, Mussically HTTP. Again, it seems weird to not have an European url configuration but ok.

V) How the content is encrypted?

Do you remember the sendEncryptLog method?

TikTok: Logs, Logs, Logs

The encryption is happening at this line: v5 = b.a(v5, v5. length );

TikTok: Logs, Logs, Logs

EncryptorUtil is where the fun is

TikTok: Logs, Logs, Logs

Bingo! The encryption is done in a native library. All the native library used by TikTok are located in the folder /data/data/com.zhiliaoapp.musically/app_librarian/ in your phone. I’ll stop there for now. As for how TikTok is actually encrypting the data, that deserves its own article. And, well, it’s 12pm and I’m quite hungry.

TLDR

In this article, I tried to understand what data does TikTok regularly send back to its servers. I decrypted the content of the requests and analysed it. As far as we can see, in its current state, TikTok doesn’t have a suspicious behavior and is not exfiltrating unusual data. Getting data about the user device is quite common in the mobile world and we would obtain similar results with Facebook, Snapchat, Instagram and others.

I hope you enjoy this article. Others will follow. Don’t forget to follow me on Twitter and if you have questions don’t hesitate to sent me a message on Twitter or by email at fs0c131y@protonmail.com


以上所述就是小编给大家介绍的《TikTok: Logs, Logs, Logs》,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对 码农网 的支持!

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

科学计算导论

科学计算导论

希思 / 清华大学出版社 / 2005-10 / 48.00元

本书全面地介绍了科学计算中解各种主要问题的数值方法,包括线性和非线性方程、最小二乘法、特征值、最优化、插值、积分、常微分方程和偏微分方程、快速傅里叶变换和随机数生成。 本书的特点是: 以使用算法的读者为对象,重点讲授算法背后的思想和原理,而不是算法的详细分析。 强调敏感性和病态性等概念,对同一问题的不同算法进行比较和评价,提高读者对算法的鉴赏能力。 对每类......一起来看看 《科学计算导论》 这本书的介绍吧!

RGB转16进制工具
RGB转16进制工具

RGB HEX 互转工具

SHA 加密
SHA 加密

SHA 加密工具

UNIX 时间戳转换
UNIX 时间戳转换

UNIX 时间戳转换