"TikTok Engaging in Excessive Data Collection"

Security researchers at Internet 2.0 discovered that TikTok has been engaging in excessive data collection and connecting to mainland China-based infrastructure. The researchers analyzed the source code of the TikTok mobile applications, Android 25.1.3 and iOS 25.1.1, and carried out static and dynamic testing between 1 July and 12 July 2022 that focused on device and user data collection. The researchers identified multiple instances of unwarranted data harvesting, including device mapping, hourly monitoring of device location, persistent calendar access, continuous requests for access to contacts, and device information. The application has over 1 billion active users globally as of September 2021. The researchers stated that TikTok iOS 25.1.1 has a server connection to mainland China, which the researchers believe is run by Chinese cybersecurity and data company Guizhou Baishan Cloud Technology Co., Ltd. Despite TikTok asserting that user data is stored in Singapore and the US, the report found evidence of "many subdomains in the IOS application resolving all around the world." This included Sydney, Adelaide, and Melbourne (Australia), Utama and Jakarta (Indonesia), Kuala Lumpur (Malaysia), and Baishan (China). The researchers' analysis could not confidently determine "the purpose for the China Server connection or where user data is stored." The researchers concluded that most of the observed access and device data collection is unnecessary for TikTok to operate effectively, with the application able to run successfully "without any of this data being gathered." The researchers stated that the sole purpose of collecting this information is data harvesting. The researchers also noted in the report the application's persistent behavior of asking users to reverse their preference decisions so that it can access sought-after data.
 

Infosecurity reports: "TikTok Engaging in Excessive Data Collection"

Submitted by Anonymous on