TikTok - Privacy audit using AppScan

09 Apr 2023 By MORISSARD Jérôme

AppScan’s privacy audit is aimed at developers who want to check that their applications comply with privacy regulations and respect the privacy of their users. The tool analyzes every component of the application and identifies the data each component may collect, which helps in spotting potential privacy issues or areas for improvement.

It is also important to note that while privacy audit tools can be helpful, they should not be relied on as the sole means of ensuring privacy compliance. Developers should also take a comprehensive approach to privacy, including implementing privacy policies, obtaining user consent for data collection, and regularly reviewing and updating their privacy practices.

Motivations for auditing App Privacy with AppScan

Starting this study, we wanted to answer three questions:

  • Did TikTok declare everything correctly?
  • Is it possible to discover the data collected by an App without any particular knowledge about the service?
  • Does adding an external library to your App require changes to your privacy policy?

Apple Declared App Privacy

TikTok AppStore App Privacy

The App Privacy section in the App Store requires developers to disclose their app's data collection practices related to personal information and sensitive information. Therefore, to create a comprehensive App Privacy declaration, it is important to have a clear understanding of what data the app collects, how it uses that data, and with whom it shares that data.

If you are a developer looking to create an App Privacy declaration for your app, I would recommend reviewing the Apple Developer guidelines on App Privacy and considering using an automated tool like AppScan’s privacy audit to identify and analyze the data collection practices of your app. This can help you to create a comprehensive and accurate App Privacy declaration that meets Apple’s requirements.

AppStore - guidelines - privacy

AppStore - AppPrivacy - details

Reverse engineering tool

The App Privacy declaration is an important component of an iOS app that describes its data collection and usage practices related to personal and sensitive information. However, sometimes the Privacy declaration is not filled in by the developer, or may not accurately reflect the app’s true privacy practices.

To help evaluate the accuracy of an app’s Privacy declaration, tools such as AppScan Privacy can be used. AppScan Privacy collects and aggregates data on which components are trying to access each type of data, including:

  • Your app/service directly: your app’s own code calls and uses the data directly.
  • Your app/service indirectly: your app uses a third-party library that calls and uses the data.
  • A third party (without your approval): a third party is able to call and use the data without your approval.

AppScan Privacy inspects all aspects of the app, including its files, embedded frameworks, and Info.plist information, to identify potential privacy issues and help developers create a more accurate and comprehensive App Privacy declaration.
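To make the approach concrete, here is an added example of how such a component-by-component privacy audit can be built. It is not AppScan’s code and does not reproduce its detection rules; it assumes two things that hold for iOS binaries: Objective-C class and selector names (CLLocationManager, ASIdentifierManager, advertisingIdentifier, …) survive as plain strings in a Mach-O file, and protected data cannot be requested without the matching NS…UsageDescription key in Info.plist. The lookup tables, the “Sample.app” fixture and the “AdsSDK.framework” are constructed for the example. Two caveats a practitioner should keep in mind: a binary downloaded from the App Store is FairPlay-encrypted and must be decrypted (on a jailbroken device, or taken from the developer’s own archive) before any string scan is meaningful, and the presence of an API name only proves the code is linked, not that it runs, so this is a first map of who may touch what, not proof of collection.

```python
"""Heuristic App Privacy audit of an extracted iOS .app bundle (added example,
not AppScan's code). Each embedded framework is audited as its own component so
that 'your app directly' and 'a third-party library' can be told apart."""
import plistlib
import tempfile
from pathlib import Path

# Constructed lookup table: API name as it appears in the binary -> App Privacy category.
API_TO_CATEGORY = {
    b"CLLocationManager": "Location",
    b"CNContactStore": "Contacts",
    b"PHPhotoLibrary": "User Content / Photos or Videos",
    b"AVAudioRecorder": "User Content / Audio Data",
    b"ASIdentifierManager": "Identifiers / Device ID",
    b"identifierForVendor": "Identifiers / Device ID",
    b"SKPaymentQueue": "Purchases / Purchase History",
    b"ATTrackingManager": "Data Used to Track You",
}

# Info.plist purpose strings -> category (iOS denies the access without them).
PLIST_KEY_TO_CATEGORY = {
    "NSLocationWhenInUseUsageDescription": "Location",
    "NSLocationAlwaysAndWhenInUseUsageDescription": "Location",
    "NSContactsUsageDescription": "Contacts",
    "NSPhotoLibraryUsageDescription": "User Content / Photos or Videos",
    "NSMicrophoneUsageDescription": "User Content / Audio Data",
    "NSUserTrackingUsageDescription": "Data Used to Track You",
}


def scan_binary(path: Path) -> set:
    """Categories whose API names occur as raw strings in one Mach-O file."""
    data = path.read_bytes()
    return {cat for api, cat in API_TO_CATEGORY.items() if api in data}


def executable_of(bundle: Path) -> Path:
    """Main binary of an .app or .framework bundle, named by its Info.plist."""
    info = plistlib.loads((bundle / "Info.plist").read_bytes())
    return bundle / info.get("CFBundleExecutable", bundle.stem)


def audit_bundle(app_dir: Path) -> dict:
    """Map each detected category to the components that reference it.

    'app (direct)' is the app's own binary; every framework under Frameworks/
    is reported separately as a potential third-party collector."""
    app_dir = Path(app_dir)
    components = {"app (direct)": executable_of(app_dir)}
    for fw in sorted((app_dir / "Frameworks").glob("*.framework")):
        components[f"framework:{fw.name}"] = executable_of(fw)
    findings = {}
    for name, binary in components.items():
        if binary.is_file():
            for cat in scan_binary(binary):
                findings.setdefault(cat, set()).add(name)
    info = plistlib.loads((app_dir / "Info.plist").read_bytes())
    for key, cat in PLIST_KEY_TO_CATEGORY.items():
        if key in info:
            findings.setdefault(cat, set()).add(f"Info.plist:{key}")
    return {cat: sorted(who) for cat, who in sorted(findings.items())}


def compare_with_declaration(findings: dict, declared: set) -> dict:
    """Declared-vs-detected view: the three buckets a privacy report summarises."""
    detected = set(findings)
    return {
        "declared_and_detected": sorted(declared & detected),
        "declared_not_detected": sorted(declared - detected),
        "detected_not_declared": sorted(detected - declared),
    }


def build_sample_bundle(root: Path) -> Path:
    """Constructed fixture: a fake .app embedding one ads SDK (not a real app).
    The 'binaries' only carry the class/selector strings the scan looks for."""
    app = Path(root) / "Sample.app"
    fw = app / "Frameworks" / "AdsSDK.framework"
    fw.mkdir(parents=True)
    (app / "Info.plist").write_bytes(plistlib.dumps({
        "CFBundleExecutable": "Sample",
        "NSLocationWhenInUseUsageDescription": "Show nearby videos",
    }))
    (app / "Sample").write_bytes(b"\x00CLLocationManager\x00identifierForVendor\x00")
    (fw / "Info.plist").write_bytes(plistlib.dumps({"CFBundleExecutable": "AdsSDK"}))
    (fw / "AdsSDK").write_bytes(b"\x00ASIdentifierManager\x00ATTrackingManager\x00")
    return app


def run_sample() -> tuple:
    """Audit the fixture and compare it with a made-up declaration of only
    Location and Contacts; returns (findings, comparison)."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = audit_bundle(build_sample_bundle(Path(tmp)))
    return findings, compare_with_declaration(findings, {"Location", "Contacts"})


if __name__ == "__main__":
    findings, comparison = run_sample()
    for cat, who in findings.items():
        print(f"{cat}: {', '.join(who)}")
    print(comparison)
```

On the fixture, the ads framework is the only component that references the tracking and advertising-identifier APIs, which is exactly the case where adding a library forces a change to the App Privacy declaration; the made-up declaration also shows the two directions of mismatch, a declared category with no evidence in the bundle (Contacts) and detected categories the declaration omits.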

TikTok - AppScan Privacy audit - Data Used to Track You

Identifiers

User ID : Such as screen name, handle, account ID, assigned user ID, customer number, or other user- or account-level ID that can be used to identify a particular user or account
Device ID : Such as the device’s advertising identifier, or other device-level ID

TikTok - Privacy - Data Linked to You

Purchases

Purchase History : An account’s or individual’s purchases or purchase tendencies

Location

Precise Location : Information that describes the location of a user or device with the same or greater resolution as a latitude and longitude with three or more decimal places
Coarse Location : Information that describes the location of a user or device with lower resolution than a latitude and longitude with three or more decimal places, such as Approximate Location Services

Contacts

Contacts : Such as a list of contacts in the user’s phone, address book, or social graph

User Content

Photos or Videos : The user’s photos or videos
Audio Data : The user’s voice or sound recordings
Gameplay Content : Such as saved games, multiplayer matching or gameplay logic, or user-generated content in-game
Customer Support : Data generated by the user during a customer support request
Other User Content : Any other user-generated content

Browsing History

Browsing History : Information about content the user has viewed that is not part of the app, such as websites

Usage Data

Product Interaction : Such as app launches, taps, clicks, scrolling information, music listening data, video views, saved place in a game, video, or song, or other information about how the user interacts with the app
Advertising Data : Such as information about the advertisements the user has seen
Other Usage Data : Any other data about user activity in the app

Diagnostics

Crash Data : Such as crash logs
Performance Data : Such as launch time, hang rate, or energy use
Other Diagnostic Data : Any other data collected for the purposes of measuring technical diagnostics related to the app

TikTok - Apple declared Privacy Vs AppScan

TikTok App Privacy

AppScan Privacy Audit of TikTok

AppScan was able to detect the main privacy-related information: 8 of the 11 declared data categories were found in the app. The report also explains which components may try to collect each type of data, which makes it more precise than the privacy card presented on the App Store page.

Some data categories are declared by TikTok but were not detected:

  • Data Used to Track You - Contact Info
  • Data Linked to You - Financial Info
  • Data Linked to You - Search History

For the moment, these categories are too complex to evaluate with static analysis: they depend on how data management is organized internally (which fields are sent where, and to whom) rather than on any API usage that can be recognized in the binary.

AppScan Privacy Audit results

Yes! AppScan is able to challenge the App Privacy declaration of any App. The next step for AppScan is to compare this with the Privacy Policy declared on your website.

Yes! AppScan is able to identify each component trying to collect data. The component can be under your control, or it can be a third-party library (open source or a black box).

Do you want to check any Apps?

AppScan is an essential solution for anyone who is serious about developing secure, high-quality iOS apps. With its advanced scanning capabilities, comprehensive reports, and easy-to-use interface, AppScan is the ideal choice for developers who want to ensure that their apps are secure and reliable.

Scan your Apps