TikTok - Privacy audit using AppScan
AppScan’s privacy audit tool is aimed at developers who want to ensure that their applications comply with privacy regulations and respect the privacy of their users. The tool analyzes every component of the application and identifies the data each component may collect, which helps in spotting potential privacy issues or areas for improvement.
It is also important to note that while privacy audit tools can be helpful, they should not be relied on as the sole means of ensuring privacy compliance. Developers should also take a comprehensive approach to privacy, including implementing privacy policies, obtaining user consent for data collection, and regularly reviewing and updating their privacy practices.
AppScan motivations to audit App Privacy
When starting this study, we wanted to answer 3 questions:
- Did TikTok declare everything correctly?
- Is it possible to discover the data collected by an App without any particular knowledge about the service?
Apple Declared App Privacy
The App Privacy section in the App Store requires developers to disclose their app's data collection practices related to personal information and sensitive information. Therefore, to create a comprehensive App Privacy declaration, it is important to have a clear understanding of what data the app collects, how it uses that data, and with whom it shares that data.
If you are a developer looking to create an App Privacy declaration for your app, I would recommend reviewing the Apple Developer guidelines on App Privacy and considering an automated tool like AppScan’s privacy audit to identify and analyze the data collection practices of your app. This can help you create a comprehensive and accurate App Privacy declaration that meets Apple's requirements.
AppStore - guidelines - privacy
AppStore - AppPrivacy - details
Reverse engineering tool
The App Privacy declaration is an important component of an iOS app that describes its data collection and usage practices related to personal and sensitive information. However, sometimes the Privacy declaration is not filled in by the developer, or it may not accurately reflect the app's true privacy practices.
To help evaluate the accuracy of an app's Privacy declaration, tools such as AppScan Privacy can be used. The AppScan Privacy tool collects and aggregates data on which components are trying to access each type of data, including:
- Your app/service directly: your app's code calls and uses the data directly.
- Your app/service indirectly: your app uses a third-party library that calls and uses the data.
- A third party (without your approval): a third party is able to call and use the data without your approval.
The AppScan Privacy tool inspects all aspects of the app, including its files, frameworks, and Info.plist information, to identify any potential privacy issues and help developers create a more accurate and comprehensive App Privacy declaration.
TikTok - AppScan Privacy audit - Data Used to Track You
User ID : Such as screen name, handle, account ID, assigned user ID, customer number, or other user- or account-level ID that can be used to identify a particular user or account
Device ID : Such as the device’s advertising identifier, or other device-level ID
- NSUserTrackingUsageDescription in the Info.plist
- AdSupport library in MusicallyCore.framework
- AppTrackingTransparency library in MusicallyCore.framework
TikTok - Privacy - Data Linked to You
Purchase History : An account’s or individual’s purchases or purchase tendencies
- StoreKit in MusicallyCore.framework
- Entitlement com.apple.developer.storekit.request-data in the TikTok executable
- Entitlement com.apple.developer.in-app-payments in the TikTok executable
Precise Location : Information that describes the location of a user or device with the same or greater resolution as a latitude and longitude with three or more decimal places
Coarse Location : Information that describes the location of a user or device with lower resolution than a latitude and longitude with three or more decimal places, such as Approximate Location Services
- NSLocationWhenInUseUsageDescription in the Info.plist
- NSLocationDefaultAccuracyReduced in the Info.plist
- Library libswiftCoreLocation in MusicallyCore.framework
- Library CoreLocation in MusicallyCore.framework
Contacts : Such as a list of contacts in the user’s phone, address book, or social graph
- NSContactsUsageDescription in the Info.plist
- Library ContactsUI in MusicallyCore.framework
- Library Contacts in MusicallyCore.framework
Photos or Videos : The user’s photos or videos
Audio Data : The user’s voice or sound recordings
Gameplay Content : Such as saved games, multiplayer matching or gameplay logic, or user-generated content in-game
Customer Support : Data generated by the user during a customer support request
Other User Content : Any other user-generated content
- NSPhotoLibraryUsageDescription in the Info.plist
- NSPhotoLibraryAddUsageDescription in the Info.plist
- NSCameraUsageDescription in the Info.plist
- NSMicrophoneUsageDescription in the Info.plist
- NSCalendarsUsageDescription in the Info.plist
- Library Photos in MusicallyCore.framework
- Library PhotosUI in MusicallyCore.framework
- Library AssetsLibrary in MusicallyCore.framework
- Library ReplayKit in MusicallyCore.framework
- Library ReplayKit in VolcEngineRTC.framework
- App Extension with extension point com.apple.broadcast-services-upload (the ReplayKit broadcast upload extension) in the app's extension
Browsing History : Information about content the user has viewed that is not part of the app, such as websites
- Library WebKit in MusicallyCore.framework
- Library libswiftWebKit in MusicallyCore.framework
- IESWebViewMonitor.bundle in the App Bundle
Product Interaction : Such as app launches, taps, clicks, scrolling information, music listening data, video views, saved place in a game, video, or song, or other information about how the user interacts with the app
Advertising Data : Such as information about the advertisements the user has seen
Other Usage Data : Any other data about user activity in the app
- FirebaseAnalytics in MusicallyCore.framework
- GoogleAppMeasurement in MusicallyCore.framework
- GADApplicationIdentifier in the Info.plist
- NSAdvertisingAttributionReportEndpoint in the Info.plist
Crash Data : Such as crash logs
Performance Data : Such as launch time, hang rate, or energy use
Other Diagnostic Data : Any other data collected for the purposes of measuring technical diagnostics related to the app
- MetricKit in MusicallyCore.framework
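The evidence listed above (usage-description keys in Info.plist, frameworks linked by each Mach-O, entitlements in the main executable) is exactly what a static scan can collect without running the app. The following Python script is an added example of that technique, written for this page; it is not AppScan's code. It parses an Info.plist with the standard plistlib module, resolves the library paths that `otool -L` would print for each binary, checks entitlement keys, maps every hit to an App Privacy data type using the same indicators as the lists above, and finally compares the findings with the declared data types. The bundle (SampleApp, SampleCore.framework, the plist content and the declaration list) is constructed for the example and is not TikTok's real bundle; the indicator table is illustrative and can be extended.

```python
import plistlib
from posixpath import basename

# Apple App Privacy data types mapped to static indicators: Info.plist keys,
# linked library names (last path component of an `otool -L` load command)
# and entitlement keys. Illustrative mapping built from the page's lists.
INDICATORS = {
    "User ID / Device ID": {
        "plist": {"NSUserTrackingUsageDescription"},
        "libs": {"AdSupport", "AppTrackingTransparency"},
    },
    "Purchase History": {
        "libs": {"StoreKit"},
        "entitlements": {"com.apple.developer.storekit.request-data",
                         "com.apple.developer.in-app-payments"},
    },
    "Location": {
        "plist": {"NSLocationWhenInUseUsageDescription",
                  "NSLocationAlwaysAndWhenInUseUsageDescription"},
        "libs": {"CoreLocation", "libswiftCoreLocation"},
    },
    "Contacts": {
        "plist": {"NSContactsUsageDescription"},
        "libs": {"Contacts", "ContactsUI"},
    },
    "Photos, Videos or Audio": {
        "plist": {"NSPhotoLibraryUsageDescription", "NSPhotoLibraryAddUsageDescription",
                  "NSCameraUsageDescription", "NSMicrophoneUsageDescription"},
        "libs": {"Photos", "PhotosUI", "AssetsLibrary", "ReplayKit"},
    },
    "Browsing History": {"libs": {"WebKit", "libswiftWebKit"}},
    "Usage / Advertising Data": {
        "plist": {"GADApplicationIdentifier", "NSAdvertisingAttributionReportEndpoint"},
        "libs": {"FirebaseAnalytics", "GoogleAppMeasurement"},
    },
    "Diagnostics": {"libs": {"MetricKit"}},
}


def scan_bundle(info_plist_xml, load_commands, entitlements):
    """Return {data type: [evidence, ...]} for every indicator found.

    load_commands: {binary name: [library paths as printed by `otool -L`]}
    entitlements:  {entitlement key: value} as dumped by `codesign -d --entitlements`
    """
    plist = plistlib.loads(info_plist_xml)
    # Resolve each load command to a library name and remember which binary
    # pulled it in, so the report can say "Library AdSupport in X.framework".
    linked = {}
    for binary, paths in load_commands.items():
        for path in paths:
            linked.setdefault(basename(path), set()).add(binary)
    findings = {}
    for data_type, ind in INDICATORS.items():
        evidence = []
        for key in sorted(ind.get("plist", ())):
            if key in plist:
                evidence.append(f"{key} in the Info.plist")
        for lib in sorted(ind.get("libs", ())):
            for binary in sorted(linked.get(lib, ())):
                evidence.append(f"Library {lib} in {binary}")
        for ent in sorted(ind.get("entitlements", ())):
            if ent in entitlements:
                evidence.append(f"Entitlement {ent} in the main executable")
        if evidence:
            findings[data_type] = evidence
    return findings


def compare_with_declaration(declared, findings):
    """Split the App Store declaration into detected and not-detected types."""
    detected = [d for d in declared if d in findings]
    undetected = [d for d in declared if d not in findings]
    return detected, undetected


# Constructed sample bundle (hypothetical app, not a real scan result).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.sampleapp</string>
  <key>NSUserTrackingUsageDescription</key><string>Used to personalize ads.</string>
  <key>NSLocationWhenInUseUsageDescription</key><string>Shows nearby content.</string>
  <key>NSMicrophoneUsageDescription</key><string>Records audio for videos.</string>
  <key>GADApplicationIdentifier</key><string>ca-app-pub-0000000000000000~0000000000</string>
</dict>
</plist>
"""
SAMPLE_LOAD_COMMANDS = {
    "SampleApp": [
        "/System/Library/Frameworks/Foundation.framework/Foundation",
        "/System/Library/Frameworks/StoreKit.framework/StoreKit",
        "/System/Library/Frameworks/MetricKit.framework/MetricKit",
    ],
    "SampleCore.framework": [
        "/System/Library/Frameworks/AdSupport.framework/AdSupport",
        "/System/Library/Frameworks/CoreLocation.framework/CoreLocation",
        "/System/Library/Frameworks/WebKit.framework/WebKit",
        "@rpath/FirebaseAnalytics.framework/FirebaseAnalytics",
    ],
}
SAMPLE_ENTITLEMENTS = {
    "application-identifier": "TEAMID.com.example.sampleapp",
    "com.apple.developer.in-app-payments": ["merchant.com.example"],
}
SAMPLE_DECLARATION = [
    "User ID / Device ID", "Purchase History", "Location", "Contacts",
    "Photos, Videos or Audio", "Browsing History", "Usage / Advertising Data",
    "Diagnostics", "Search History",
]


def audit_sample():
    """Run the scan on the constructed bundle; returns (findings, detected, undetected)."""
    findings = scan_bundle(SAMPLE_INFO_PLIST, SAMPLE_LOAD_COMMANDS, SAMPLE_ENTITLEMENTS)
    detected, undetected = compare_with_declaration(SAMPLE_DECLARATION, findings)
    return findings, detected, undetected


if __name__ == "__main__":
    findings, detected, undetected = audit_sample()
    for data_type, evidence in findings.items():
        print(data_type)
        for line in evidence:
            print("  -", line)
    print(f"{len(detected)} of {len(SAMPLE_DECLARATION)} declared types detected; "
          f"not detected: {undetected}")
```

On a real bundle the three inputs come from `plutil -convert xml1 -o - Payload/App.app/Info.plist`, `otool -L` on the main executable and on every binary under Frameworks/, and `codesign -d --entitlements :- Payload/App.app`. Note that declared types with no static footprint (for instance Search History, which is just application data sent to a backend) stay in the undetected list, as in the TikTok results below.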
TikTok - Apple declared Privacy Vs AppScan
AppScan Privacy Audit of TikTok
AppScan was able to detect the main privacy-related information: 8 of the 11 declared data types were found. AppScan also explains which components may try to collect the data, so the report is more detailed than the App Privacy card shown on the App Store page.
Some data types are declared by TikTok but were not detected:
- Data Used to Track You - Contact Info
- Data Linked to You - Financial Info
- Data Linked to You - Search History
For the moment, these data types are too complex to evaluate with static analysis, because they depend mostly on how the service organizes its data management internally rather than on any API, framework or entitlement visible in the bundle.
AppScan Privacy Audit results
Yes! AppScan is able to identify each component trying to collect data. The component can be under your control or it can be a third-party library (open source or a black box).
Do you want to check any Apps?
AppScan is an essential solution for anyone who is serious about developing secure, high-quality iOS apps. With its advanced scanning capabilities, comprehensive reports, and easy-to-use interface, AppScan is the ideal choice for developers who want to ensure that their apps are secure and reliable.