Hugo Hacker News

TikTok requests access to devices on local network

uniqueuid 2021-08-16 17:00:11 +0000 UTC [ - ]

Just to add: Scanning networks to gather data seems pretty popular these days - smart TVs have done so, and even the eBay site used to portscan visitors [1].

[edit] And of course, there's WebRTC leaking your local IP - which uBlock Origin can specifically block [2].

[1] https://www.bleepingcomputer.com/news/security/ebay-port-sca...

[2] https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-l...

swiley 2021-08-16 18:34:43 +0000 UTC [ - ]

That's a clear violation of the CFAA. This crime carries prison time. How come they threw teenagers in prison but not the people responsible for doing it en masse?

na85 2021-08-16 22:16:53 +0000 UTC [ - ]

There are a different set of laws for me and you. Corporations and CEOs play by their own rules.

the_mitsuhiko 2021-08-16 18:56:18 +0000 UTC [ - ]

How is this a violation against the CFAA?

swiley 2021-08-16 19:04:24 +0000 UTC [ - ]

Unauthorized network access? Literally the whole point of the thing.

Hnrobert42 2021-08-16 19:27:40 +0000 UTC [ - ]

I would argue the point was the opposite. It began with a request for authorization.

swiley 2021-08-16 19:37:01 +0000 UTC [ - ]

I don't see how this is any different than walking into a building and telling the concierge you're a maintenance worker.

paulryanrogers 2021-08-16 23:11:49 +0000 UTC [ - ]

Because the IoT devices are invited, EULA and all. You aren't invited just because you walked in.

swiley 2021-08-17 00:09:52 +0000 UTC [ - ]

Most people I know never invited network scanning. They were surprised by a Trojan holding their new TV hostage though (if they even noticed.)

73r7fudhdjduru 2021-08-16 21:53:07 +0000 UTC [ - ]

The illegal part there isn't requesting access it's lying about being a maintenance worker to gain access.

godelski 2021-08-17 17:45:47 +0000 UTC [ - ]

Consent is tricky. Many people are not aware of what they are giving authorization to. That would make it uninformed consent. Add dark patterns in and I think it is easy to say that some people are not only unaware of what they are authorizing, but purposefully being misled.

Let's be real, most people are tech illiterate. If someone can't read a contract and there is no one there to explain it to them, then they are not engaging in informed consent.

Of course we have to ask if this is ethical or not. But let's not boil the conversation down to "we asked, so it is right." One side is arguing that the person didn't give informed consent and the other side is arguing that consent was given simply because a button was pressed.

It's honestly an ethical discussion of if this is right or not.

indymike 2021-08-16 22:05:46 +0000 UTC [ - ]

> It began with a request for authorization.

Yes, by asking someone who doesn't have permission to give that authorization to do so.

kayfox 2021-08-16 20:47:37 +0000 UTC [ - ]

What access controls are being bypassed?

sunshineforever 2021-08-17 03:05:04 +0000 UTC [ - ]

Wait, so using a program like wireshark to scan a network is illegal in and of itself??

I thought you had to use the information nefariously for there to be a crime.

How can receiving broadcasts be illegal?

3np 2021-08-18 02:41:53 +0000 UTC [ - ]

Wireshark is passively listening on incoming traffic, so no.

Running tools like nmap has gotten people in trouble though, and it varies by country.

https://nmap.org/book/legal-issues.html

judge2020 2021-08-16 18:40:43 +0000 UTC [ - ]

If it's a clear violation maybe sue them for breaching your network?

swiley 2021-08-16 18:43:58 +0000 UTC [ - ]

I don't even have non-free mobile OSes on my network much less this.

teawrecks 2021-08-16 20:24:06 +0000 UTC [ - ]

Because people blindly accept terms of service.

xvector 2021-08-16 22:21:24 +0000 UTC [ - ]

It's not people's fault that terms of service are intentionally designed to be as long-winded as possible if you want any hope of using a product or service.

godelski 2021-08-17 17:47:16 +0000 UTC [ - ]

Team of lawyers and psychologists vs tech illiterate user. Seems like a fair fight to me.

nostrademons 2021-08-16 18:03:34 +0000 UTC [ - ]

Is this separate from mDNS [1]? A lot of smart TVs and PCs increasingly use mDNS to support some fairly handy consumer features, like AirDrop, being able to set up your TV with your phone, network printing/scanning, Chromecast, whole-home control of lights & other IoT devices, etc.

[1] https://en.wikipedia.org/wiki/Multicast_DNS

uniqueuid 2021-08-16 19:16:03 +0000 UTC [ - ]

The incident I'm referring to was about LG [1]. The report includes network captures, so I'd trust it.

Apparently, some Chinese smart TV brands have been doing similar things, but I wouldn't be surprised if most other vendors have caught up and used stealthier techniques.

[edit] Here's the news about those Chinese TVs [2] and the original report [3]

[1] https://arstechnica.com/information-technology/2013/11/lg-sm...

[2] https://www.theregister.com/2021/05/04/skyworth_gozen_smart_...

[3] https://www.v2ex.com/t/772523

excitom 2021-08-16 21:26:33 +0000 UTC [ - ]

Small point: LG is a Korean company, not Chinese.

uniqueuid 2021-08-16 21:34:30 +0000 UTC [ - ]

Right, those are two distinct incidents (and years apart).

Sorry if that wasn't clear.

jacquesm 2021-08-16 21:09:47 +0000 UTC [ - ]

IIRC the eBay thing was yet another way to fingerprint you to re-identify fraudulent account creators.

bigiain 2021-08-17 00:43:29 +0000 UTC [ - ]

That might be a justification you could slip past a judge who doesn't understand...

I wonder if I could rob a bank, then if I got caught claim "I was just checking to make sure they had enough money to cover my deposits!"

wyager 2021-08-16 21:08:30 +0000 UTC [ - ]

Many common wifi APs (eg TP-link EAP225) will allow you to create separate wifi networks on different VLANs. You can use this to isolate internet of shit devices onto their own networks where they can’t talk to your other devices, without increasing your hardware costs or causing wifi interference.

You’ll need a router/firewall and an AP that are both VLAN-aware. I personally use an EAP225 and some eBay industrial PC running freebsd.

blacksmith_tb 2021-08-16 21:46:24 +0000 UTC [ - ]

And/or some routers offer 'AP Isolation' or 'Client Isolation' to prevent devices from communicating with each other (I am always glad to see public networks configured this way, but at home it'd be a pain to not be able to shell from one box into another etc.)

hipsterhelpdesk 2021-08-16 17:52:24 +0000 UTC [ - ]

It only “leaks” your IP if you are trying to use WebRTC features with a VPN; otherwise WebRTC is perfectly fine to use without concern for most people.

uniqueuid 2021-08-16 18:58:27 +0000 UTC [ - ]

Interesting! That's not how I read the uBlock Origin docs:

"Keep in mind that this feature is to prevent leakage of your non-internet-facing IP adresses. The purpose of this feature is not to hide your current internet-facing IP address -- so be cautious to not misinterpret the results of some WebRTC-local-IP-address-leakage tests found online."

That said, my Firefox 91 and Safari don't leak local IPs regardless of the uBlock setting.

Warrants more investigation perhaps.

allo37 2021-08-16 19:40:47 +0000 UTC [ - ]

I believe newer versions of WebRTC use mdns to mask local IPs:

https://bugs.chromium.org/p/chromium/issues/detail?id=878465

uniqueuid 2021-08-16 19:50:15 +0000 UTC [ - ]

Great find! Here's the IETF draft [1], submitted by Apple (which would explain why I'm not seeing leaks on Safari)

[1] https://datatracker.ietf.org/doc/html/draft-mdns-ice-candida...
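The mDNS candidate mechanism in the draft above replaces the private host address in an ICE candidate with a random `.local` name, so the candidate no longer reveals a non-internet-facing IP. The following is an added example, not code from this thread, from uBlock Origin or from the IETF draft: a small Python checker that parses `a=candidate:` lines out of an SDP offer and reports every field (the host address, or the `raddr` of a server-reflexive candidate) that exposes an RFC 1918 or link-local address. The two SDP fragments are constructed here to show the old behaviour beside the masked form; the checker deliberately matches explicit ranges rather than relying on `ipaddress.is_private`, whose definition has changed between Python versions.

```python
import ipaddress
import re

# Constructed SDP fragments (not captured from any real browser session).
# Old behaviour: the host candidate carries the RFC 1918 address, and the
# server-reflexive candidate repeats it in its "raddr" field.
SDP_LEAKING = """v=0
a=candidate:842163049 1 udp 2122260223 192.168.1.23 52341 typ host generation 0
a=candidate:1467250027 1 udp 1686052607 203.0.113.7 52341 typ srflx raddr 192.168.1.23 rport 52341 generation 0
"""

# Masked behaviour (mDNS ICE candidates): the host address becomes a random
# UUID ".local" name that only peers on the same LAN can resolve, and the
# reflexive candidate no longer reveals the private address via raddr.
SDP_MASKED = """v=0
a=candidate:842163049 1 udp 2122260223 7f0a2c4e-3a1b-4c5d-9e8f-0123456789ab.local 52341 typ host generation 0
a=candidate:1467250027 1 udp 1686052607 203.0.113.7 52341 typ srflx generation 0
"""

# Address ranges that never belong to the public Internet side of a NAT.
NON_INTERNET_FACING = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16",                                   # IPv4 link-local
    "fc00::/7", "fe80::/10",                            # IPv6 ULA and link-local
)]

# RFC 5245 candidate-attribute grammar, up to the candidate type; the rest
# (raddr/rport/generation/...) is kept as free text.
CANDIDATE_RE = re.compile(
    r"^a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<address>\S+) (?P<port>\d+) typ (?P<type>\S+)(?P<rest>.*)$"
)


def parse_candidates(sdp):
    """Return one dict per a=candidate line, with the optional raddr extracted."""
    candidates = []
    for line in sdp.splitlines():
        match = CANDIDATE_RE.match(line.strip())
        if not match:
            continue
        cand = match.groupdict()
        raddr = re.search(r"\braddr (\S+)", cand["rest"])
        cand["raddr"] = raddr.group(1) if raddr else None
        candidates.append(cand)
    return candidates


def is_non_internet_facing(addr):
    """True for RFC 1918 / link-local literals; False for public IPs and hostnames."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP literal, e.g. an mDNS ".local" name
    return any(ip in net for net in NON_INTERNET_FACING)


def is_mdns_name(addr):
    """True if the candidate address is an mDNS-style name instead of an IP."""
    return addr.lower().endswith(".local")


def find_local_ip_leaks(sdp):
    """List (field, value) pairs in the SDP that expose a non-internet-facing IP."""
    leaks = []
    for cand in parse_candidates(sdp):
        if is_non_internet_facing(cand["address"]):
            leaks.append(("address", cand["address"]))
        if cand["raddr"] and is_non_internet_facing(cand["raddr"]):
            leaks.append(("raddr", cand["raddr"]))
    return leaks


if __name__ == "__main__":
    print("leaking offer:", find_local_ip_leaks(SDP_LEAKING))
    print("masked offer: ", find_local_ip_leaks(SDP_MASKED))
```

Note what the checker does not claim: a public server-reflexive address (`203.0.113.7` above, a documentation address) is the internet-facing IP that the uBlock Origin wiki text quoted earlier says its setting is not meant to hide, so it is never reported as a leak. Only the private host address and its echo in `raddr` are flagged.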

antioxidant 2021-08-16 16:38:54 +0000 UTC [ - ]

They used to check your clipboard the whole time too.

They use the local network as one of their sensors to identify you (fingerprinting). However they have plenty more (see their privacy policy).

judge2020 2021-08-16 16:46:25 +0000 UTC [ - ]

> They used to check your clipboard the whole time too.

To be fair quite a lot of apps did this to enable deep links/automatically opening certain clipboard links. Every big app has changed this to no longer show the 'pasted from' notification. And it was never shown that they export those clipboard contents to homebase.

colechristensen 2021-08-16 17:40:55 +0000 UTC [ - ]

>it was never shown that they export those clipboard contents to homebase

When it comes to an app gathering data for a company, is anybody really willing to give the app makers the benefit of the doubt? If there is information available, somebody is going to take it and try to squeeze a penny out of it. Not everybody, but when it gives you a competitive advantage it has a tendency to grow.

judge2020 2021-08-16 17:49:44 +0000 UTC [ - ]

The cool thing about phones is that you can MITM yourself and see what apps are sending, assuming they don't certificate pin (which TikTok doesn't). The person that reported this during the beta period didn't find any evidence when doing so.

https://old.reddit.com/r/videos/comments/fxgi06/not_new_news...

duiker101 2021-08-16 17:58:42 +0000 UTC [ - ]

Can you actually still widely do this? Last time I checked, on the latest versions of Android, apps don't accept user certificates, so you can't really do much about any HTTPS traffic, which really is the bulk.

jeroenhd 2021-08-16 18:24:20 +0000 UTC [ - ]

You can, on a rooted phone. There are ways to install a CA certificate with root (described in my only popular blog post), but there are also alternatives, like using Frida to disable TLS verification altogether.

It's certainly not as easy and reliable as it used to be, but it's still common for security research to use these tactics to see what apps are doing.

judge2020 2021-08-16 18:22:48 +0000 UTC [ - ]

The basis of many enterprise networks is device-installed CAs so I would be thoroughly surprised. iOS at least still allows you to install a custom CA and only a few apps will refuse to work with it, who likely reject connections that aren't secured via a specific CA.

k1rcher 2021-08-16 21:00:19 +0000 UTC [ - ]

From a legitimate reverse engineering/security auditing standpoint, cert pinning is generally very trivial to bypass.

see: Frida, xposed framework (not sure if still relevant)

from 2021-08-16 23:18:02 +0000 UTC [ - ]

There is a way to do it where you recompile the APK to enable trusting user CAs, see https://daksh.github.io/MITM/.

Yizahi 2021-08-17 15:34:54 +0000 UTC [ - ]

There is also another cool feature of modern phones - updates. Unless a corporation can prove that each and every single release and test version in the past and the future didn't and will not do something, then it is always possible that some versions did this or will be doing it in the future.

MichaelGroves 2021-08-16 17:04:51 +0000 UTC [ - ]

"Lots of people do it" should never be considered a legitimate excuse. Trying to use that excuse should get you kicked out of the meeting room.

dudus 2021-08-16 17:39:08 +0000 UTC [ - ]

Everything TikTok is usually linked to malice and espionage from China. If this is a common industry practice at the very least you give it the benefit of the doubt. It doesn't make it ok. It just makes it not automatically linked to international cyber warfare.

smolder 2021-08-16 19:51:51 +0000 UTC [ - ]

The incidents that might qualify as cyber warfare could also just be looked at as the same struggle for power on a different front, compared to economics. It can't be lost on Chinese leaders how valuable it is to the US to have so much money and data flowing through its domestic tech companies. Tech companies can't cross the line into cyber warfare themselves and get a pass on it, but they do play a role in it.

vlunkr 2021-08-16 18:36:16 +0000 UTC [ - ]

I don't think they're trying to say it's a valid excuse, just that there are reasons to check clipboard content that aren't malicious.

hungryhobo 2021-08-16 17:25:30 +0000 UTC [ - ]

Why should it get you kicked out of the meeting room? If everyone else is doing it and has a better UX, I'd imagine you'd be kicked out of the meeting room if you're not doing it.

blackoil 2021-08-16 18:27:13 +0000 UTC [ - ]

Theoretically maybe; practically we have a proverb: 'No one is fired for buying (IBM|MS|Google|AWS)'

zuhsetaqi 2021-08-16 21:02:22 +0000 UTC [ - ]

"Okay so TikTok is grabbing the contents of my clipboard every 1-3 keystrokes. iOS 14 is snitching on it with the new paste notification pic.twitter.com/OSXP43t5SZ "

— Jeremy Burge (@jeremyburge) June 24, 2020

TikTok wasn’t checking it for link opening …

pizza 2021-08-16 17:05:48 +0000 UTC [ - ]

> Every big app has changed this to no longer show the 'pasted from' notification.

Is that because they stopped checking your clipboard, or because they managed to check in a way that doesn't alert the user?

_fzslm 2021-08-16 17:31:59 +0000 UTC [ - ]

afaik apps can detect patterns on the pasteboard without triggering the notification (i.e. check if the URL is a TikTok URL or not), but they can't actually access the contents without triggering the notification. it's enforced by the pasteboard API on iOS.

so they probably updated their apps to perform this check before doing anything.

rvz 2021-08-16 16:58:31 +0000 UTC [ - ]

> They use the local network as one of their sensors to identify you (fingerprinting).

Well they already disclosed the other ways they are identifying you in [0] but have they disclosed this one that finds other devices on your local network for 'fingerprinting' purposes in their privacy policy?

The worst thing about this is that they haven't disclosed as to why they are specifically doing this. Not even the commenters here know why, since we can rule out AirPlay and Chromecast support as valid reasons to request such permissions.

[0] https://www.tiktok.com/legal/privacy-policy?lang=en

phkahler 2021-08-16 17:51:10 +0000 UTC [ - ]

>> They used to check your clipboard the whole time too.

That's a design error on the UI side. An app should not have read access to the clipboard, it should have the ability to accept data from the clipboard when the user pastes it.

f1refly 2021-08-16 18:38:23 +0000 UTC [ - ]

There's legitimate uses though, of which I was made painfully aware when Google crippled the API and KDE Connect clipboard sync became way less impressive

Spivak 2021-08-16 19:39:37 +0000 UTC [ - ]

The problem with clipboard access is that apps abuse it, not that having read access is a problem at all. Google Maps pulling my clipboard, which has an address in it, as the top suggestion for destinations is a good thing and respects the user's time.

phkahler 2021-08-18 13:38:40 +0000 UTC [ - ]

>> The problem with clipboard access is that apps abuse it, not that having read access is a problem at all. Google Maps pulling my clipboard, which has an address in it, as the top suggestion for destinations is a good thing and respects the user's time.

You can't have it both ways. Malicious apps are going to abuse it. In order to avoid that there needs to be access control at the very least - Google maps could get whitelisted for example.

Having a helpful use-case doesn't make it not a security issue.

dwild 2021-08-16 20:51:24 +0000 UTC [ - ]

> They use the local network as one of their sensors to identify you (fingerprinting).

But why? It's an app... I guess this can allow them to link other people in your household to you, but isn't the wifi network name already available?

_trampeltier 2021-08-16 19:31:31 +0000 UTC [ - ]

Is there a way to check if a website does read your clipboard? I know you have to interact with the site so they can read it. So in theory, a website can read your clipboard every time you click on something; is this true?

detaro 2021-08-16 19:40:32 +0000 UTC [ - ]

AFAIK it's not, reading the clipboard requires an explicit "paste" command triggered by the user or an explicitly granted permission.

diebeforei485 2021-08-16 16:39:55 +0000 UTC [ - ]

Some other apps (Signal?) have also done this out of the blue, though they may have since added a UI around this.

Regardless, Apple has done the right thing by putting this behind a permissions box, but the developer should be required to have some sort of explanation string of why they need this.

alerighi 2021-08-16 16:48:43 +0000 UTC [ - ]

That thing makes it annoying for the kind of applications my company does, that need to communicate with other devices on the local network.

It's annoying because it's not like other permissions, where you can ask the OS to prompt the user and check if the user granted it or not; it's some special permission. If the user, by mistake because they don't know that it's needed, doesn't grant it that one time, it's impossible to ask again, and the app doesn't have a way to know that the permission is not granted. It's just something that customer service has to handle, and that is bad.

Sure, it's right to ask for permission, so make it a regular permission like the location permission.

t0ps0il 2021-08-16 20:27:47 +0000 UTC [ - ]

> It's annoying because it's not like other permissions

Normally if I want to use a permission, say location, I need to provide a value for given permission in my app's `info.plist` file, and if I don't and the app tries to grab the current location, it crashes with logs yelling at me to provide a description for the location privacy key.

With local network permissions it's different.

I've never had to do any local networking in my career as an iOS dev so downloaded Apple's peer to peer example app (https://developer.apple.com/documentation/network/building_a...) and removed the `Privacy - Local Network Usage Description` key/value pair from the `info.plist` file and ran the app on my device.

I fully expected a crash with a description telling me to add this key but iOS just filled in the missing description with a default value and asked away. I wonder why that permission is treated differently from the rest?

swiley 2021-08-16 18:39:35 +0000 UTC [ - ]

If you're truly not being malicious then open source your app and get it added to the alpine repos so people can run it in ish.

adrr 2021-08-16 17:11:13 +0000 UTC [ - ]

I assume signal is udp hole punching to get around NAT.

ergl 2021-08-16 21:19:23 +0000 UTC [ - ]

Signal uses local networking for the account migration functionality: https://support.signal.org/hc/en-us/articles/360007059752-Ba...

You scan a QR code with one device and it transfers the entire account state to the new phone.

danlugo92 2021-08-16 17:35:53 +0000 UTC [ - ]

What are some good resources on understanding NAT and UDP hole punching that explain it in an intuitive manner?

zamadatix 2021-08-16 19:00:27 +0000 UTC [ - ]

The simplest take on the concept is to get a third party with a public address to exchange the current port tuples used to connect to it between the 2 clients, so the clients can then use this information to connect directly.

Beyond the basic take on it there really isn't an intuitive single explanation because "simple" things like "NAT traversal" quickly turn into "Full-cone NAT to Port-restricted NAT with UPnP behind CG-NAT" individual corner cases endlessly fighting the need to just go to IPv6.
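A worked model of the rendezvous exchange described above, added here as an illustration and not code from the thread: two clients behind simulated port-restricted NATs register with a public rendezvous server, the server hands each one the other's NAT-mapped (ip, port) tuple as seen from outside, and the clients then send to those tuples directly. The NAT model, the client names and all addresses (RFC 5737 documentation ranges) are constructed; nothing touches a real socket. It also shows the corner case that makes the topic non-intuitive: the first punch from one side is dropped by the other side's NAT until that side has sent a packet of its own, which is why both peers punch simultaneously and retry in practice.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: tuple      # (ip, port)
    dst: tuple      # (ip, port)
    payload: str


class PortRestrictedNAT:
    """Simulated port-restricted cone NAT: one external port per internal
    (ip, port), and inbound packets are accepted only from a remote (ip, port)
    that the internal host has already sent a packet to."""

    def __init__(self, public_ip, rng):
        self.public_ip = public_ip
        self.rng = rng
        self.to_external = {}   # internal (ip, port) -> external port
        self.to_internal = {}   # external port -> internal (ip, port)
        self.allowed = set()    # (external port, remote (ip, port))

    def outbound(self, pkt):
        ext = self.to_external.get(pkt.src)
        if ext is None:                       # first packet: allocate a mapping
            ext = self.rng.randint(20000, 60000)
            while ext in self.to_internal:
                ext = self.rng.randint(20000, 60000)
            self.to_external[pkt.src] = ext
            self.to_internal[ext] = pkt.src
        self.allowed.add((ext, pkt.dst))      # remember who we talked to
        return Packet((self.public_ip, ext), pkt.dst, pkt.payload)

    def inbound(self, pkt):
        ext = pkt.dst[1]
        if ext not in self.to_internal or (ext, pkt.src) not in self.allowed:
            return None                       # filtered: unknown port or sender
        return Packet(pkt.src, self.to_internal[ext], pkt.payload)


class RendezvousServer:
    """Public host that records each client's NAT-mapped tuple as seen from outside."""

    def __init__(self, addr):
        self.addr = addr
        self.seen = {}          # client name -> observed external (ip, port)

    def handle(self, pkt):
        name = pkt.payload.split()[1]         # payload is "register <name>"
        self.seen[name] = pkt.src


class Client:
    def __init__(self, name, private_addr, nat):
        self.name, self.addr, self.nat = name, private_addr, nat
        self.inbox = []

    def send(self, dst, payload):
        return self.nat.outbound(Packet(self.addr, dst, payload))

    def deliver(self, pkt):
        """Push a packet through this client's NAT; True if it got through."""
        inner = self.nat.inbound(pkt)
        if inner is not None:
            self.inbox.append(inner.payload)
        return inner is not None


def hole_punch_demo(seed=7):
    rng = random.Random(seed)
    server = RendezvousServer(("203.0.113.10", 3478))
    a = Client("A", ("192.168.1.20", 5000), PortRestrictedNAT("198.51.100.1", rng))
    b = Client("B", ("10.0.0.7", 5000), PortRestrictedNAT("198.51.100.2", rng))

    # Step 1: both clients register; the server sees their NAT-mapped tuples.
    for client in (a, b):
        server.handle(client.send(server.addr, f"register {client.name}"))
    ext_a, ext_b = server.seen["A"], server.seen["B"]

    # Step 2: the server relays each peer's tuple (admitted: both talked to it).
    a.deliver(Packet(server.addr, ext_a, f"peer {ext_b}"))
    b.deliver(Packet(server.addr, ext_b, f"peer {ext_a}"))

    # Step 3: A punches first. A's NAT now admits ext_b, but B's NAT has no
    # record of ext_a yet, so this first packet is dropped on B's side.
    first = b.deliver(a.send(ext_b, "punch from A"))

    # Step 4: B punches. B's NAT now admits ext_a, and A's NAT already admits ext_b.
    second = a.deliver(b.send(ext_a, "punch from B"))

    # Step 5: A retries; both NATs now hold the other side's tuple.
    third = b.deliver(a.send(ext_b, "hello B"))

    return {"external_a": ext_a, "external_b": ext_b,
            "first_punch_delivered": first,
            "reverse_punch_delivered": second,
            "retry_delivered": third,
            "a_inbox": a.inbox, "b_inbox": b.inbox}


if __name__ == "__main__":
    for key, value in hole_punch_demo().items():
        print(f"{key}: {value}")
```

The model is the port-restricted case only; a symmetric NAT allocates a fresh external port per destination, so the tuple the server observed would not be the one the peer needs, which is the point where the simple explanation stops working and the corner cases in the comment above begin.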

phreack 2021-08-16 17:18:18 +0000 UTC [ - ]

Apple does require a string for location access motivation, hopefully they'll do that for this one as well. Ideally all of them.

the_mitsuhiko 2021-08-16 19:04:04 +0000 UTC [ - ]

For some technical context: this dialog pops up the first time an app attempts to send a packet to a local device. A "common" reason why this happens are actually your own network devices if you're connected on wifi. For instance sending a custom DNS query to the wifi advertised DNS server (if it's the router) will cause that dialog. Same thing happens if you happen to have a router redirect certain resources to itself. The latter typically at this point only happens for non encrypted HTTP traffic and that's basically no longer permitted.

So why it happens exactly would be interesting.

nicce 2021-08-16 21:54:26 +0000 UTC [ - ]

More context: in particular, resolving link-local DNS names (those ending in .local, per RFC 6762) requires local network access. For iOS devices, Apple has summed this up pretty well [1]. Whether the permission is required for each operation is listed below:

    Making an outgoing TCP connection — yes
    Listening for and accepting incoming TCP connections — no
    Sending a UDP unicast — yes
    Sending a UDP multicast — yes
    Sending a UDP broadcast — yes
    Receiving an incoming UDP unicast — no
    Receiving an incoming UDP multicast — yes
    Receiving an incoming UDP broadcast — yes
    And finally usage of Bonjour operations.

[1] https://developer.apple.com/forums/thread/663874

yc12340 2021-08-17 06:18:58 +0000 UTC [ - ]

This sounds like it might help against DNS rebinding attacks, at the cost of breaking interchangeability between DNS names and IP addresses.

Not sure if such a policy is a good idea, especially if the permission prompt automatically appears upon network activity without explicit developer intention. This will simply condition users to click "OK" without understanding what's going on.

kall 2021-08-16 23:22:52 +0000 UTC [ - ]

I've had many apps, even very trustworthy ones, show me this permission prompt when my internet connection was down and the router was directing all requests to an error page. So it's possible for this prompt to appear without the app developer doing anything bad. Not giving TikTok much benefit of doubt though.

uniqueuid 2021-08-16 19:13:31 +0000 UTC [ - ]

Thanks for the details!

That opens new questions; for example, what's a "custom" DNS query? One that doesn't use mDNSResponder (or whatever iOS uses right now)?

the_mitsuhiko 2021-08-16 20:05:05 +0000 UTC [ - ]

I am not sure under which circumstances it flags. If you write your own DNS client for sure it will happen, but there seem to be more things that cause this to trigger.

After that dialog was introduced I saw it pop up on Stack Overflow for some relatively common libraries (for instance with Unity) even if they did not attempt to access the local network.

stingraycharles 2021-08-16 19:40:36 +0000 UTC [ - ]

Interesting. I initially denied the permission, but Tiktok seemed to not be able to make any Internet requests. The kind of behavior I would expect if DNS didn’t work anymore.

Maybe it’s just as innocent as this, but OTOH, it’s tiktok we’re talking about.

dangoor 2021-08-16 16:23:14 +0000 UTC [ - ]

Perhaps there's something nefarious here, or perhaps it's just looking for a Chromecast or Apple TV?

Lammy 2021-08-16 16:37:44 +0000 UTC [ - ]

Any discussion of intent is always going to be speculation. All we can think about is what such a thing would be capable of if it were somehow malicious.

The first possibility that comes to my mind would be sniffing Ethernet MAC addresses because it could be done without any sort of device-specific support built in to the app. Assuming your local devices’ manufacturers are following Da Rulez, the first part of their MAC address usually tells you the company, and the second part tends to be individualized/serialized.

That would, for example, let TikTok derive when certain users are together IRL if they both show up scan-adjacent to a unique MAC. Or maybe it could let them derive multiple accounts belonging to a single person if one is used on VPN-only to discuss political or personal topics that person might not want associated with their IRL identity.

giantrobot 2021-08-16 18:54:40 +0000 UTC [ - ]

If I was a state intelligence service I would love TikTok. Especially if it was legally banned in my country so was used almost exclusively by foreigners. One better was if the government had a controlling stake in the company [0] and laws requiring the company to be virtually transparent to demands from state security agencies [1].

Not only does TikTok have a ton of overt data about users but also contemporaneous data like usage patterns and physical location. Then using the app to collect and exfiltrate information about all manner of foreign networks. I can pass off that data to my government run hacking [2] groups [3] as well as regime-favored businesses for some really great market research.

[0] https://finance.yahoo.com/news/bytedance-says-china-unit-hol...

[1] https://en.m.wikipedia.org/wiki/Cybersecurity_Law_of_the_Peo...

[2] https://en.m.wikipedia.org/wiki/PLA_Unit_61398

[3] https://en.m.wikipedia.org/wiki/PLA_Unit_61486

reillyse 2021-08-16 23:14:42 +0000 UTC [ - ]

The only actual issue with this setup for citizens of the US is that US citizens like to be the people with access to the data and doing the spying. What you have described, a state intelligence service with access to loads of user data that they happily use for spying, is what the US has normalized. Collecting all this data is par for the course (Snowden exposed that pretty conclusively) and non US citizens have no rights as far as the US is concerned. Are they (China) doing it? Probably not; seems like a lot of effort for very little gain. I mean, you find out that I like puppy videos and mostly stay in my house. It's a fun app though :) - also to the original person's tweet, most of the apps on my iPhone pop this up from time to time, so if we are going to accuse TikTok of spying on me we should be accusing Calm and Insight Timer too (to randomly pick two).

giantrobot 2021-08-17 00:44:25 +0000 UTC [ - ]

AFAIK Calm and Insight don't have hundreds of millions of users nor is the CCP on their corporate boards. But with explanations provided by the apps as to why they want network device access they probably shouldn't be trusted.

As for the data collection, TikTok/ByteDance is definitely going to store it. They wouldn't collect it otherwise. To the utility of the data, if they've got MAC addresses of devices on your home network they can tell many of the brands of devices you own. They know when you get a new computer even if you never use TikTok on it. If you launch the app at your office they get the same information about your office network. In aggregate their network scanning will collect vast amounts of data.

The TikTok app is turning every user into a passive network scanner. Even if you want to ignore the CCP's influence on ByteDance I don't think there is any reason to give them the benefit of the doubt about their data collection. They'll sell their users and anyone around them. I have the same problem with Facebook and their damn shadow profiles and covert data collection.

reillyse 2021-08-17 00:58:06 +0000 UTC [ - ]

My point is that this just appears to be xenophobia and is completely hypocritical. Nearly every app on my phone asks to access the local network. It's a thing. It's not unusual in the slightest. The problem seems to be that this company is based in China. And we don't like China. Maybe that is not what you in particular don't like (I get that you don't like FB) but that is the reason why this is a topic of conversation at all. So in effect what the people in this thread are saying is that American companies (and by direct link the US gov) are allowed to spy on people, but foreign governments should not be allowed. That seems like a huge double standard. For the record, I personally would prefer no governments were spying on me - but that doesn't seem to be on the table.

e_proxus 2021-08-17 14:44:14 +0000 UTC [ - ]

Nearly every app?! What apps do you actually use? I’ve only ever seen the prompt a few times, and always for pretty obvious reasons (UniFi, Prompt, VLC, etc.)

giantrobot 2021-08-17 19:04:59 +0000 UTC [ - ]

> The problem seems to be that this company is based in China.

You're misrepresenting the situation because you want to frame the whole issue as some xenophobia on my part. The problem is TikTok is a social network with millions of users whose parent company literally has the CCP as a board member and is subject to China's extremely invasive state security laws (requiring warrantless access to corporate data). The app was already an intelligence gold mine and now they've added a vein of platinum.

The only double standard is contained within the strawman you've created. I have the same problem with Facebook or Twitter apps scanning my local network for no reason than to increase their data harvesting. But since TikTok is the subject of the thread I specifically pointed out problems with TikTok. Facebook and Twitter have their own problems, some of them overlap with problems that exist with TikTok.

Neither I or anyone else needs to list the myriad problems with every social network when criticizing any one of them. You're trying to use a tu quoque [0] argument claiming xenophobia and hypocrisy (where none exists) in hopes that distracts from the points being made.

[0] https://en.m.wikipedia.org/wiki/Whataboutism

sam0x17 2021-08-16 16:57:05 +0000 UTC [ - ]

You can also just take the collection of devices typically on the network, hash the MAC addresses all together, and now you have a unique identifier for a household

ALittleLight 2021-08-16 17:31:34 +0000 UTC [ - ]

But devices would join and leave the network in a household - especially phones. Maybe you could have a listening period, e.g. a week, where you build a set of witnessed devices and then hash that for a household id?

vineyardmike 2021-08-16 19:00:38 +0000 UTC [ - ]

Hash the MACs and use a bloom filter, look for overlaps across time/accounts.

sam0x17 2021-08-17 21:16:33 +0000 UTC [ - ]

I'm overthinking it though. You'd probably get more mileage out of just looking for individual MAC addresses, full stop.

dheera 2021-08-16 20:19:40 +0000 UTC [ - ]

Apple is also complicit in making it incredibly hard to execute an MITM proxy to know what your iOS apps are sending back to their servers.

Being able to MITM and see what your apps and OS are sending back is the first step to real privacy.

rafale 2021-08-16 16:41:03 +0000 UTC [ - ]

Can you send packets to the local network if you are using a VPN on your phone? Sounds like a VPN bug to me.

oefrha 2021-08-16 16:50:02 +0000 UTC [ - ]

Of course you can. Look up VPN routing / split tunneling. It’s not uncommon for corporate VPNs to only route intranet traffic for instance; and LAN is usually whitelisted.

MichaelGroves 2021-08-16 17:08:03 +0000 UTC [ - ]

Besides corporate VPNs, typical consumer VPNs are also set up to allow LAN access. Your average Joe Schmoe would be annoyed if their network printer stopped working every time they turned on their VPN to watch Netflix movies or whatever.

oasisbob 2021-08-16 18:05:24 +0000 UTC [ - ]

IPSEC VPNs (and others) have the remote networks defined in the protocol as part of the security association (SA). The SAs define which networks are available over the tunnel.

Saying "all RFC1918 addresses are available over here" is quite a cocky and obviously broken thing to do, unless you're dealing with a corporate device which is paranoid about leaking traffic to other networks.

oefrha 2021-08-16 17:25:49 +0000 UTC [ - ]

Yes, "LAN is usually whitelisted" in my comment is independent from the corporate split tunneling example.

SllX 2021-08-16 16:32:51 +0000 UTC [ - ]

You no more need Bluetooth permissions to use AirPlay than you do for AirPods, because the OS is deciding the output device per the user's instructions[1].

Also: TikTok doesn’t support AirPlay or Chromecast.

[1] Per the user’s instructions on a good day at least.

hatware 2021-08-16 18:49:06 +0000 UTC [ - ]

Trusting companies not to abuse the simple explanation of Chromecast is dead in the water, though. Why on earth would you trust a company _not_ to abuse that?

Maxburn 2021-08-16 16:28:09 +0000 UTC [ - ]

I don't see chromecast or apple tv called out as a capability, and I'm not installing it to find out. I also don't really see the LAN access reasons there either. https://apps.apple.com/us/app/tiktok/id835599320

https://play.google.com/store/apps/details?id=com.ss.android...

Based on the things they do call out as permissions this app is scary.

dehrmann 2021-08-16 16:36:38 +0000 UTC [ - ]

I saw the same message yesterday from Spotify when I tried to use Chromecast. At least it prompted me for the permissions when I took that action, so it was clear why.

zahrc 2021-08-16 18:54:36 +0000 UTC [ - ]

Which is usually the only time it appears: when I specifically request the app to do something which requires scanning for local devices.

TikTok doesn’t support Chromecast (I think).

xfitm3 2021-08-16 16:26:25 +0000 UTC [ - ]

Assuming this is iOS, doesn't the native screen sharing capability handle that?

mholm 2021-08-16 16:31:58 +0000 UTC [ - ]

Not chromecast.

My charitable guess is they're adding support for chromecasting behind feature flags/AB testing, but don't yet have it correctly enabled/disabled. There was a lot of uproar over Instagram immediately using the microphone/camera constantly, when they actually just always had the API initialized to make swiping to the camera snappier.

danudey 2021-08-16 17:29:21 +0000 UTC [ - ]

That could also explain why they didn't bother to provide in the notification to the user why they're requesting this access: because they weren't intending to request it (yet).

I find the conspiracy theories more compelling, but less likely.

toxik 2021-08-16 18:28:14 +0000 UTC [ - ]

When an app tells you it’s stealing your data, I would say you should believe it.

azinman2 2021-08-16 18:26:55 +0000 UTC [ - ]

If this just started popping up without an explanation string, my guess is they included some 3rd party SDK that is doing fingerprinting on the local LAN, much like FB SDKs used to do.

Closi 2021-08-16 16:28:18 +0000 UTC [ - ]

Yeah, although I can't think of an immediate use-case considering Tiktok doesn't support streaming to Chromecast or Apple TV.

SavantIdiot 2021-08-16 16:50:12 +0000 UTC [ - ]

If it only connects to multimedia devices, and if my OS lets me know that TikTok is using my multimedia devices, then I'd be OK with it, but I don't TikTok. Like MicroSnitch, which warns you when a mic/camera becomes active (macOS only).

starik36 2021-08-16 18:46:48 +0000 UTC [ - ]

TikTok doesn't have either feature. At least I don't see an obvious way to connect.

mercora 2021-08-16 16:26:42 +0000 UTC [ - ]

It would be a little too obvious if this is done for nefarious reasons by TikTok developers themselves.

mtgx 2021-08-16 16:29:55 +0000 UTC [ - ]

Why too obvious? 99% of people don't pay attention to this stuff. Look at what Facebook has been doing to users for years and years before being caught and blaming it on a bug, or becoming way too familiar with Britney's lyrics in "Oops, I did it again."

uniqueuid 2021-08-16 16:48:04 +0000 UTC [ - ]

Microsoft Teams does this as well, purportedly for video calling (!?) Was there ever an explanation why the permissions are needed?

uniqueuid 2021-08-16 16:56:40 +0000 UTC [ - ]

Just did a quick search and found that Teams does in fact support some sort of local-only streaming:

https://docs.microsoft.com/en-US/microsoftteams/use-ndi-in-m...

I do trust Microsoft to collect all tracking data that's possible at all, but at least there is also a valid use case here.

It's even somehow plausible that they would require this permission for any kind of video streaming - to make sure all permissions are present before someone wants to start a locally streamed call.

avnigo 2021-08-16 17:17:45 +0000 UTC [ - ]

I assumed it was to gracefully deal with handoff from one device to another while in a meeting since you can start on one device and continue with another, or maybe to share your screen from another device etc. It would be nice to know why exactly certain permissions are requested; sometimes that’s done by telling you what feature it might break if you don’t grant those permissions.

uniqueuid 2021-08-16 17:42:11 +0000 UTC [ - ]

That's a great observation - for handoff it would make much more sense to get the permission beforehand, rather than trying to stop all sorts of a/v and network processes to get the user's ok.

mschuster91 2021-08-16 22:22:24 +0000 UTC [ - ]

It saves Microsoft traffic if people are in the same office building / corporate VPN and can exchange audio/video streams directly vs having to go through a MS-provided STUN/TURN intermediate server.

lloydatkinson 2021-08-16 16:51:47 +0000 UTC [ - ]

For MS I suspect either incompetence or laziness and just checking all the permissions (because a lot of Teams seems poorly thought out and designed by committee, probably an “agile” one too).

As for Tick Tock it’s obviously spyware meant for direct user identification. How anyone can use it when it’s uploading their biometric information (face, voice) to the CCP is beyond stupidity.

po1nter 2021-08-16 16:57:34 +0000 UTC [ - ]

It's TikTok* and do you have any evidence to support what you're saying or you're just pulling this from thin air?

filoleg 2021-08-16 22:21:48 +0000 UTC [ - ]

So far from what I’ve seen, it is mostly along the lines of “they technically can, so I assume they do.”

Even when it comes to someone like me, who is very strongly anti-CCP, it definitely irks me a bit. Mostly because making strong accusations like that without any reasoning other than “they can, so they definitely do it” only makes that position look weaker and more difficult to align with. Why make up those things and accusations, when there are so many other valid points for criticism there? There is a reason for why “the boy who cried wolf” is a very commonly referenced parable.

lloydatkinson 2021-08-17 09:28:04 +0000 UTC [ - ]

Tick Tock, thanks.

andrewmd5 2021-08-16 16:56:17 +0000 UTC [ - ]

It is to support finding devices you can cast to inside the app (like conference calling boxes.)

q-rews 2021-08-16 17:17:34 +0000 UTC [ - ]

Is it TikTok or is it just because of a captive portal on the WiFi?

It happened to me just yesterday: “Why does X require local network access? Ugh.” A minute later “Oh, Y is also requiring network access.”

Yes, I was on a public wifi.

This may be 100% Apple’s fault, everyone here is just commenting on a photo and not confirming that they also saw the message today.

Too 2021-08-16 18:22:47 +0000 UTC [ - ]

I had the same thing happen some days ago while rebooting my modem at home after accidentally unplugging it.

All kinds of apps I use regularly, which have absolutely no use for it, started asking for permission to list devices on local network.

donohoe 2021-08-16 18:42:28 +0000 UTC [ - ]

hokkos 2021-08-16 16:53:46 +0000 UTC [ - ]

I'm pretty sure they use it for targeting. I remember TikTok presenting me videos of interest shared by others on the same wifi.

SubiculumCode 2021-08-16 16:59:52 +0000 UTC [ - ]

Very curious coincidence. I watched a little TikTok this morning and found my daughter's account in my feed.

TchoBeer 2021-08-16 20:26:49 +0000 UTC [ - ]

This shouldn't be news; tons of apps do this. I suspect it's for something like Chromecasting (maybe it collects telemetry too?); either way, not at all specific to TikTok.

qwerty456127 2021-08-18 08:41:57 +0000 UTC [ - ]

> Chromecasting

IMHO the OS or some common proxy app should take care of this. Yes, Chromecasting is a legitimate case and it's nice of TikTok or any other relevant app to offer such a feature but I don't trust random (let alone Chinese) app vendors to scan my home network.

snapetom 2021-08-16 19:40:55 +0000 UTC [ - ]

Pokemon Go started asking for this back in March with an update. I don't think it was ever figured out why it would want access, and it's certainly not for Chromecast/Roku/AppleTV.

SllX 2021-08-16 21:28:17 +0000 UTC [ - ]

Pokéball Plus support. I mean, I can’t speak to Niantic fingerprinting players because I don’t know if they are, but you do need Bluetooth to use the Pokéball Plus properly. Also I believe you need Bluetooth to work with the Let’s Go Pikachu and Eevee games on the Switch to transfer Pokémon back and forth, but I never did get that to work properly.

snapetom 2021-08-16 21:59:32 +0000 UTC [ - ]

Yeah, but Let's Go and Pokeball were released years ago. Go Plus was released almost Day 1, if I recall. All of those connect via Bluetooth and never required a network. They all still work just fine if you deny PoGo the permission to access devices.

SllX 2021-08-16 22:12:05 +0000 UTC [ - ]

Correct me if I’m wrong, but isn’t this the same dialog that pops up for Bluetooth devices or am I missing something?

I haven’t used my Pokeball Plus since about a month after I bought it, which was basically day or week 1, but if I recall correctly the mandate to ask for permissions only came around after that time frame and I would expect it the next time I pulled it out.

But if it does work without Bluetooth permissions, then that’s cool; or if this is a separate dialog from the Bluetooth permissions dialog, then I’m just wrong, which is also fine and I can live with that.

snapetom 2021-08-19 08:56:05 +0000 UTC [ - ]

No, it's definitely different. The Bluetooth permissions come up whenever you pair a new Pokeball/Go Plus/3rd Party Device like Gotcha. It strictly asks if you want to pair a new Bluetooth device.

The network discovery is different. iOS will pop up a dialog saying something like, "Pokemon Go wants to discover other devices on your network" or something like that, which is what this story is about. I believe it pops up once when you install and sign up, but then it never asks again.

j45 2021-08-16 20:59:48 +0000 UTC [ - ]

Instagram is requesting access to local devices on the network as well as of yesterday.

wyldfire 2021-08-16 17:16:54 +0000 UTC [ - ]

Many apps need to peer with a very short list of remote nodes. There are only some rare apps that need blanket network access to any other node. Maybe it's time for more permissions constraints to be applied?

prashnts 2021-08-16 18:17:02 +0000 UTC [ - ]

Curiously, I have seen this prompt in apps that did not normally ask for this permission when I was on a captive network without having logged in. No idea why it was prompted, but could be related somehow?

intrasight 2021-08-16 16:44:34 +0000 UTC [ - ]

So just use their web site. Honest question - why do people use apps for such?

finiteseries 2021-08-16 17:39:51 +0000 UTC [ - ]

Because that’s how <insert app> is used. The concept of apps and web sites being separate things, or being different, or preferable to one another isn’t on the radar of 95% of people, it’s a blurry shapeless vagueness the mind glazes over if it’s ever forced into recognizing its existence, and immediately discarded afterwards.

You’re asking a forum of power users/creators, where a loud minority completely unironically still use desktop & laptop computers for activities besides work. The only people on earth less understanding (intentionally or not) of consumer behavior are the Sentinelese.

JadeNB 2021-08-16 18:55:59 +0000 UTC [ - ]

> a loud minority completely unironically still use desktop & laptop computers for activities besides work.

Is using a desktop or laptop for non-work activities ironic somehow?

finiteseries 2021-08-16 19:37:44 +0000 UTC [ - ]

I honestly don’t know what exactly irony means.

unironically = sincerely/earnestly

JadeNB 2021-08-16 20:35:03 +0000 UTC [ - ]

Right; I wasn't playing grammar gotcha. I use my laptop for non-work activities, and I guess I do so sincerely. Do people use their laptops or desktops for non-work activities somehow insincerely?

finiteseries 2021-08-16 22:26:04 +0000 UTC [ - ]

Sure, for example as a last resort when your phone or whatever has died, but the charger is over there, ugh.

mdoms 2021-08-16 18:11:55 +0000 UTC [ - ]

I think it's very unlikely that Tiktok could build an equivalent UX that would work in a browser, including the creators tools. And even if they could - have they done so?

And let's not forget that Apple actively works against this way of working by intentionally gimping their browser capabilities and outright disallowing competing browsers.

mattnewton 2021-08-16 19:06:52 +0000 UTC [ - ]

Because these services usually do not develop their websites to parity with their apps and push users heavily to install apps.

mzs 2021-08-16 18:36:03 +0000 UTC [ - ]

For IG the web site pales in comparison. I don't use the app but I have an account courtesy FB I think and all the recommendations are "Instagram recommended" accounts like pop singers and reality TV stars even after I followed some that weren't such as in real world friends and family. There's no way to discover other interesting material. So I guess it's because the web version can be much worse.

micromacrofoot 2021-08-16 17:12:21 +0000 UTC [ - ]

On mobile they heavily push people to the app... this is the answer to most "just use the website" questions. Reddit mobile has been particularly bad about this lately, by blocking content. Instagram hits you with a login gate after viewing a few photos, etc... all of these companies are pushing their users to the place where they can siphon off the most data, which at the moment are apps.

cblconfederate 2021-08-16 16:59:46 +0000 UTC [ - ]

You mean you don't like being spied on?

abledon 2021-08-16 16:49:35 +0000 UTC [ - ]

This is only the TikTok iOS/Android app right? Not the web app?

throw03172019 2021-08-16 16:59:00 +0000 UTC [ - ]

Yes, iOS app in this specific case.

Dragging-Syrup 2021-08-16 16:32:37 +0000 UTC [ - ]

Straight to the IoT isolation network.

moooo99 2021-08-16 16:45:16 +0000 UTC [ - ]

Your phone?

MisterTea 2021-08-16 19:27:01 +0000 UTC [ - ]

I mean, if it's being hostile to your LAN then why not?

Let the hostile phones, TVs, Sonos, toasters, etc. live on the IoT network and your laptop, desktop, NAS and whatever else you value live on your actual LAN.

micromacrofoot 2021-08-16 17:09:05 +0000 UTC [ - ]

Don't forget that TikTok is also currently under investigation by the US secretary of commerce to determine whether or not it's a threat to national security.

Are people getting enough out of the content on TikTok to warrant installing an app from a country that has been outright hostile to the US (from a cybersecurity perspective)?

I've seen some of the most popular TikTok content without ever creating an account.

_user112 2021-08-17 07:01:38 +0000 UTC [ - ]

Uses a TikTok, concerned about network discovery.

So many mentally ill people. Please meditate, and engage in introspection.

TikTok literally, openly says it's an artificial neural net that games the human brain for attention.

jeffbee 2021-08-16 16:51:33 +0000 UTC [ - ]

There are two ways that the TikTok mobile app can be used to control the app running on a smart TV, Android TV, Roku, or whatever.

1) The app on the smart tv can connect to a command-and-control network in the cloud, which will make deranged HNers howl in disapproval.

2) The app on the phone can discover local devices it can control, which will make deranged HNers howl in disapproval.

rvz 2021-08-16 16:28:58 +0000 UTC [ - ]

Why does TikTok 'need' access to devices on your local network?

The intention from YouTube is obvious as they use it for Chromecast, but why does TikTok need this particular access? Have they disclosed this usage somewhere?

On top of that and continuing from [0], it seems that it is collecting even more things that you may not even know about [0]. Far worse than the other apps out there.

The purpose? The recommendation algorithm, of course. Otherwise, how else is it supposed to work?

To Downvoters: Lots of commenters here saying that TikTok does not support AirPlay or Chromecast. Since that can be ruled out, what is the intention of this permission, and is it disclosed anywhere why they need such access?

I'm also assuming that you know why TikTok needs access to devices on your local network? Maybe you can elaborate on this?

[0] https://news.ycombinator.com/item?id=28137000