Since my first article, TikTok: Logs, Logs, Logs, a lot has happened.
- Microsoft confirmed it was pursuing a deal to buy TikTok’s operations in the US, Australia, Canada, and New Zealand.
- Trump was supposed to ban TikTok on August 2nd, then he threatened that TikTok will ‘close down’ on September 15th unless an American company buys it. Finally, he signed an executive order banning TikTok and WeChat from operating in 45 days if they are not sold by their Chinese parent companies.
- Trump then changed his mind and gave TikTok a new deadline: 90 days instead of 45.
- WSJ revealed TikTok was tracking the MAC address of user devices without their consent until November 2019.
It’s time to continue our journey. Let’s stick to the facts to better understand what TikTok is really doing under the hood.
- TikTok offers a plethora of features to its users thanks to its millions of lines of code. As such, a single article cannot cover a question as broad and nebulous as “does TikTok pose a threat to US national security?”. That’s why I’ll cover the matter over several articles, each focused on a specific subject.
- My name is Baptiste Robert, I’m a French security researcher. I’ve been analysing mobile apps for years. You can find my public work at fs0c131y.com/press and my stupid tweets at twitter.com/fs0c131y.
- My goal here is to be totally transparent. I will share everything you need to verify what I’ve written in this article.
- If you’d like to skip the technical details, a TL;DR is available at the end of the article.
In my previous article, TikTok: Logs, Logs, Logs, I decrypted the content of the app_log network requests made by TikTok.
After decrypting, a question remained:
Event logging. I’d need to take a closer look at what they consider to be “events” but as far as I can tell, it seems to be a pretty standard analytics solution.
In this article, I will answer the following question: What is the definition of an app log for TikTok?
II) What is a TikTok app log?
Our starting point is the app_log keyword. In order to understand how TikTok handles the app logs, I decompiled the app and analysed the source code. I quickly found the definition of the ss_app_log.db in the DBHelper class.
This is interesting: TikTok uses a local database to store the app logs. I inspected my test phone to confirm.
As you can see, TikTok creates a lot of databases. If you open the ss_app_log.db, you can find some data in the event tables.
But let’s go back to the code and the DBHelper class defined in the com.ss.android.common.applog package. Obviously, we are interested in understanding what TikTok inserts in ss_app_log.db.
The signatures of these methods give us 3 new objects: LogEvent, LogPage and LogSession.
That answers our initial question! A TikTok app log can be a LogEvent, LogPage or LogSession.
III) What is (really) inside these app logs?
Great, I found definitions of the different log objects, but what is TikTok really sending?
It’s time to use Frida to intercept the 6 insert methods of the DBHelper class.
Thanks to this method, I obtained the details of all the app logs created by TikTok when I used the app. Here is an example of a Log Session, a Log Event, a Log and a Misc Log.
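One way to write such an interception, as an added example that is not the script used for this article: a Frida script that hooks every overload of the DBHelper methods and logs their arguments before calling the original. The class name comes from the article; selecting methods by an `insert` name prefix is an assumption, since the method names are not listed here.

```javascript
// Added example (not the author's script). Load it with Frida on a test device.
// The class name comes from the article; the "insert" prefix is an assumption.
const TARGET_CLASS = 'com.ss.android.common.applog.DBHelper';
const METHOD_PREFIX = 'insert';

// Render one argument for the log; Java objects are printed via toString().
function describeArg(arg) {
  if (arg === null || arg === undefined) return 'null';
  try { return String(arg); } catch (e) { return '<unprintable>'; }
}

// Hook every overload of every declared method whose name starts with
// METHOD_PREFIX. `java` is Frida's Java bridge; `sink` gets one record per call.
function hookInserts(java, sink) {
  const cls = java.use(TARGET_CLASS);
  const declared = cls.class.getDeclaredMethods();
  const names = new Set();
  for (let i = 0; i < declared.length; i++) {
    const name = String(declared[i].getName());
    if (name.startsWith(METHOD_PREFIX)) names.add(name);
  }
  let hooked = 0;
  names.forEach(function (name) {
    cls[name].overloads.forEach(function (overload) {
      overload.implementation = function () {
        const args = Array.prototype.map.call(arguments, describeArg);
        sink({ method: name, args: args });
        // Call the original so the app still writes to ss_app_log.db.
        return this[name].apply(this, arguments);
      };
      hooked++;
    });
  });
  return hooked;
}

// Runs only inside Frida, where the Java bridge exists as a global.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    const count = hookInserts(Java, function (rec) {
      console.log(JSON.stringify(rec));
    });
    console.log('hooked ' + count + ' overload(s) on ' + TARGET_CLASS);
  });
}
```

Each call appears as one JSON line carrying the method name and the string form of its arguments, which is enough to see which log object is being written.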
I also published a full list of app logs created by TikTok during an app launch: https://gist.github.com/fs0c131y/b4ef278e8863c636964793e1b27f889d
Do these logs contain personal data? Not really. The most you can find is data about your device (os, os version, device model, device brand, display density, …) but that’s pretty much it.
In this article, I define TikTok app logs. I found definitions for the different types of logs and observed them being created dynamically. After analysis, it appears that app logs do not contain personal data.
With these 2 articles we have a good overview of the TikTok app logs. The next article will be dedicated to the WSJ revelation and how TikTok used a well-known trick on Android to obtain the MAC address of the user’s devices.
Don’t forget to follow me on Twitter, and if you have questions, don’t hesitate to send me a message on Twitter or by email at firstname.lastname@example.org