TikTok requests access to devices on local network (twitter.com/crobertsbmw)
323 points by hacky_engineer on Aug 16, 2021 | 152 comments


Just to add: Scanning networks to gather data seems pretty popular these days - smart tvs have done so, and even the ebay site used to portscan visitors [1].

[edit] And of course, there's WebRTC leaking your local IP - which ublock origin can specifically block [2].

[1] https://www.bleepingcomputer.com/news/security/ebay-port-sca...

[2] https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-l...


That's a clear violation of the CFAA. This crime carries prison time. How come they threw teenagers in prison but not the people responsible for doing it en masse?


There are a different set of laws for me and you. Corporations and CEOs play by their own rules.


How is this a violation against the CFAA?


Unauthorized network access? Literally the whole point of the thing.


I would argue the point was the opposite. It began with a request for authorization.


I don't see how this is any different than walking into a building and telling the concierge you're a maintenance worker.


Because the IoT devices are invited, EULA and all. You aren't invited just because you walked in.


Most people I know never invited network scanning. They were surprised by a Trojan holding their new TV hostage though (if they even noticed.)


The illegal part there isn't requesting access, it's lying about being a maintenance worker to gain access.


Consent is tricky. Many people are not aware of what they are giving authorization to. That would make it uninformed consent. Add dark patterns in and I think it is easy to say that some people are not only unaware of what they are authorizing, but purposefully being misled.

Let's be real, most people are tech illiterate. If someone can't read a contract and there is no one there to explain it to them, then they are not engaging in informed consent.

Of course we have to ask if this is ethical or not. But let's not boil the conversation down to "we asked, so it is right." One side is arguing that the person didn't give informed consent and the other side is arguing that consent was given simply because a button was pressed.

It's honestly an ethical discussion of if this is right or not.


> It began with a request for authorization.

Yes, by asking someone who doesn't have permission to give that authorization to do so.


What access controls are being bypassed?


Wait, so using a program like wireshark to scan a network is illegal in and of itself??

I thought you had to use the information nefariously for there to be a crime.

How can receiving broadcasts be illegal?


Wireshark is passively listening on incoming traffic, so no.

Running tools like nmap has gotten people in trouble though, and it varies by country.

https://nmap.org/book/legal-issues.html


If it's a clear violation maybe sue them for breaching your network?


I don't even have non-free mobile OSes on my network much less this.


Because people blindly accept terms of service.


It's not people's fault that terms of service are intentionally designed to be as long-winded as possible if you want any hope of using a product or service.


Team of lawyers and psychologists vs tech-illiterate user. Seems like a fair fight to me.


Is this separate from mDNS [1]? A lot of smart TVs and PCs increasingly use mDNS to support some fairly handy consumer features, like AirDrop, being able to set up your TV with your phone, network printing/scanning, Chromecast, whole-home control of lights & other IoT devices, etc.

[1] https://en.wikipedia.org/wiki/Multicast_DNS


The incident I'm referring to was about LG [1]. The report includes network captures, so I'd trust it.

Apparently, some Chinese smart TV brands have been doing similar things, but I wouldn't be surprised if most other vendors have caught up and used stealthier techniques.

[edit] Here's the news about those Chinese TVs [2] and the original report [3].

[1] https://arstechnica.com/information-technology/2013/11/lg-sm...

[2] https://www.theregister.com/2021/05/04/skyworth_gozen_smart_...

[3] https://www.v2ex.com/t/772523


Small point: LG is a Korean company, not Chinese.


Right, those are two distinct incidents (and years apart).

Sorry if that wasn't clear.


Iirc the ebay thing was yet another way to fingerprint you to re-identify fraudulent account creators.


That might be a justification you could slip past a judge who doesn't understand...

I wonder if I could rob a bank, then if I got caught claim "I was just checking to make sure they had enough money to cover my deposits!"


Many common wifi APs (eg TP-link EAP225) will allow you to create separate wifi networks on different VLANs. You can use this to isolate internet of shit devices onto their own networks where they can’t talk to your other devices, without increasing your hardware costs or causing wifi interference.

You’ll need a router/firewall and an AP that are both VLAN-aware. I personally use an EAP225 and some eBay industrial PC running freebsd.


And/or some routers offer 'AP Isolation' or 'Client Isolation' to prevent devices from communicating with each other (I am always glad to see public networks configured this way, but at home it'd be a pain to not be able to shell from one box into another etc.)


It only “leaks” your ip if you are trying to use webrtc features with a vpn, otherwise web rtc is perfectly fine to use without concern for most people.


Interesting! That's not how I read the ublock origin docs:

"Keep in mind that this feature is to prevent leakage of your non-internet-facing IP addresses. The purpose of this feature is not to hide your current internet-facing IP address -- so be cautious to not misinterpret the results of some WebRTC-local-IP-address-leakage tests found online."

That said, my Firefox 91 and Safari don't leak local IPs regardless of the ublock setting.

Warrants more investigation perhaps.


I believe newer versions of WebRTC use mdns to mask local IPs:

https://bugs.chromium.org/p/chromium/issues/detail?id=878465


Great find! Here's the IETF draft [1], submitted by Apple (which would explain why I'm not seeing leaks on Safari)

[1] https://datatracker.ietf.org/doc/html/draft-mdns-ice-candida...
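To make the uBlock wording concrete, here is an added example (my own, not code from uBlock, the thread, or the IETF draft) that scans the ICE candidate lines of an SDP offer and separates .local (mDNS-obfuscated) host candidates from ones that carry a real LAN address. The candidate syntax follows RFC 8839; the SDP text, the addresses and the UUID-style name are constructed.

```python
import ipaddress
import re

# "a=candidate:" grammar from RFC 8839 (only the fields needed here):
# candidate:<foundation> <component-id> <transport> <priority>
#           <connection-address> <port> typ <cand-type> ...
CANDIDATE_RE = re.compile(
    r"^a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<address>\S+) (?P<port>\d+) typ (?P<type>\S+)"
)


def classify_address(address):
    """Label an ICE connection address by what it reveals.

    'mdns'    - a .local name, the obfuscated form browsers emit for host
                candidates instead of the raw LAN address
    'private' - RFC 1918, link-local or loopback: a genuine local-IP leak
    'public'  - a globally routable address (the internet-facing IP that the
                uBlock setting is explicitly not meant to hide)
    'other'   - anything else
    """
    if address.lower().endswith(".local"):
        return "mdns"
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "other"
    if ip.is_loopback or ip.is_link_local or ip.is_private:
        return "private"
    if ip.is_global:
        return "public"
    return "other"


def audit_candidates(sdp):
    """Return [(address, candidate type, label)] for every candidate line."""
    results = []
    for line in sdp.splitlines():
        m = CANDIDATE_RE.match(line.strip())
        if m:
            addr = m.group("address")
            results.append((addr, m.group("type"), classify_address(addr)))
    return results


def leaked_local_addresses(sdp):
    """Addresses a leak test should flag: candidates carrying a real LAN IP."""
    return [addr for addr, _, label in audit_candidates(sdp) if label == "private"]


# Constructed sample SDP fragment (not a real capture): one obfuscated host
# candidate, one host candidate that leaks a LAN address, and one
# server-reflexive candidate carrying the public address learned via STUN.
SAMPLE_SDP = """\
v=0
m=audio 9 UDP/TLS/RTP/SAVPF 111
a=candidate:1 1 udp 2122260223 1f4b2c4e-9d3a-4c2a-8b6f-2a1d3e5f7a9b.local 54321 typ host
a=candidate:2 1 udp 2122194687 192.168.1.23 54322 typ host
a=candidate:3 1 udp 1686052607 93.184.216.34 54322 typ srflx raddr 0.0.0.0 rport 0
"""

if __name__ == "__main__":
    for addr, ctype, label in audit_candidates(SAMPLE_SDP):
        print(f"{ctype:5} {label:8} {addr}")
    print("leaked:", leaked_local_addresses(SAMPLE_SDP))
```

Run against an offer copied from a browser's WebRTC internals page, a browser that honours the mDNS draft produces only 'mdns' and 'public' labels; any 'private' label is the leak uBlock's option is meant to suppress.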


They used to check your clipboard the whole time too.

They use the local network as one of their sensors to identify you (fingerprinting). However they have plenty more (see their privacy policy).


> They used to check your clipboard the whole time too.

To be fair quite a lot of apps did this to enable deep links/automatically opening certain clipboard links. Every big app has changed this to no longer show the 'pasted from' notification. And it was never shown that they export those clipboard contents to homebase.


>it was never shown that they export those clipboard contents to homebase

When it comes to an app gathering data for a company, is anybody really willing to give the app makers the benefit of the doubt? If there is information available, somebody is going to take it and try to squeeze a penny out of it. Not everybody, but when it gives you a competitive advantage it has a tendency to grow.


The cool thing about phones is that you can MITM yourself and see what apps are sending, assuming they don't certificate pin (which TikTok doesn't). The person that reported this during the beta period didn't find any evidence when doing so.

https://old.reddit.com/r/videos/comments/fxgi06/not_new_news...


Can you actually still widely do this? Last time I checked, on the latest versions of Android, apps don't accept user certificates, so you can't really do much about any HTTPS traffic, which really is the bulk.


You can, on a rooted phone. There's ways to install a CA certificate with root (described in my only popular blog post) but there's also alternatives, like using Frida to disable TLS verification altogether.

It's certainly not as easy and reliable as it used to be, but it's still common for security research to use these tactics to see what apps are doing.


The basis of many enterprise networks is device-installed CAs so I would be thoroughly surprised. iOS at least still allows you to install a custom CA and only a few apps will refuse to work with it, who likely reject connections that aren't secured via a specific CA.


From a legitimate reverse engineering/security auditing standpoint, cert pinning is generally very trivial to bypass.

see: Frida, xposed framework (not sure if still relevant)


There is a way to do it where you recompile the APK to enable trusting user CAs, see https://daksh.github.io/MITM/.


There is also another cool feature of modern phones - updates. Unless a corporation can prove that each and every single release and test version in the past and the future didn't and will not do something, then it is always possible that some versions did this or will be doing it in the future.


"Okay so TikTok is grabbing the contents of my clipboard every 1-3 keystrokes. iOS 14 is snitching on it with the new paste notification pic.twitter.com/OSXP43t5SZ "

— Jeremy Burge (@jeremyburge) June 24, 2020

TikTok wasn’t checking it for link opening …


> Every big app has changed this to no longer show the 'pasted from' notification.

Is that because they stopped checking your clipboard, or because they managed to check in a way that doesn't alert the user?


afaik apps can detect patterns on the pasteboard without triggering the notification (i.e. check if the URL is a TikTok URL or not), but they can't actually access the contents without triggering the notification. it's enforced by the pasteboard API on iOS.

so they probably updated their apps to perform this check before doing anything.


"Lots of people do it" should never be considered a legitimate excuse. Trying to use that excuse should get you kicked out of the meeting room.


Everything TikTok is usually linked to malice and espionage from China. If this is a common industry practice at the very least you give it the benefit of the doubt. It doesn't make it ok. It just makes it not automatically linked to international cyber warfare.


The incidents that might qualify as cyber warfare could also just be looked at as the same struggle for power on a different front, compared to economics. It can't be lost on Chinese leaders how valuable it is to the US to have so much money and data flowing through its domestic tech companies. Tech companies can't cross the line into cyber warfare themselves and get a pass on it, but they do play a role in it.


I don't think they're trying to say it's a valid excuse, just that there are reasons to check clipboard content that aren't malicious.


why should it get you kicked out of the meeting room? if everyone else is doing it and has a better ux, i'd imagine you'd be kicked out of the meeting room if you're not doing it.


Theoretically maybe; practically we have a proverb: 'No one is fired for buying (IBM|MS|Google|AWS)'.


> They use the local network as one of their sensors to identify you (fingerprinting).

Well they already disclosed the other ways they are identifying you in [0] but have they disclosed this one that finds other devices on your local network for 'fingerprinting' purposes in their privacy policy?

The worst thing about this is that they haven't disclosed as to why they are specifically doing this. Not even the commenters here know why, since we can rule out AirPlay and Chromecast support as valid reasons to request such permissions.

[0] https://www.tiktok.com/legal/privacy-policy?lang=en


>> They used to check your clipboard the whole time too.

That's a design error on the UI side. An app should not have read access to the clipboard, it should have the ability to accept data from the clipboard when the user pastes it.


There are legitimate uses though, of which I was made painfully aware when Google crippled the API and KDE Connect clipboard sync became way less impressive.


The problem with clipboard access is that apps abuse it, not that having read access is a problem at all. Google Maps pulling my clipboard, which has an address in it, as the top suggestion for destinations is a good thing and respects the user's time.


>> The problem with clipboard access is that apps abuse it, not that having read access is a problem at all. Google Maps pulling my clipboard, which has an address in it, as the top suggestion for destinations is a good thing and respects the user's time.

You can't have it both ways. Malicious apps are going to abuse it. In order to avoid that there needs to be access control at the very least - Google maps could get whitelisted for example.

Having a helpful use-case doesn't make it not a security issue.


> They use the local network as one of their sensors to identify you (fingerprinting).

But why? It's an app... I guess this can allow them to link other people in your household to you, but isn't the wifi network name already available?


Is there a way to check if a website does read your clipboard? I know you have to interact with the site so they can read it. So in theory, a website can read your clipboard every time you click on something; is this true?


AFAIK it's not, reading the clipboard requires an explicit "paste" command triggered by the user or an explicitly granted permission.


Some other apps (Signal?) have also done this out of the blue, though they may have since added a UI around this.

Regardless, Apple has done the right thing by putting this behind a permissions box, but the developer should be required to have some sort of explanation string of why they need this.


That thing makes it annoying for the kind of applications my company makes, which need to communicate with other devices on the local network.

It's annoying because it's not like other permissions, where you can ask the OS to prompt the user and check whether the user granted it or not; it's some special permission. If the user, by mistake, because they don't know that it's needed, doesn't give it the one time, it's impossible to ask again, and the app doesn't have a way to know that the permission is not granted. It's just something that customer service has to handle, and that is bad.

Sure, it's right to ask for a permission, so make it like a regular permission, such as the location permission.


> It's annoying because it's not like other permissions

Normally if I want to use a permission, say location, I need to provide a value for given permission in my app's `info.plist` file, and if I don't and the app tries to grab the current location, it crashes with logs yelling at me to provide a description for the location privacy key.

With local network permissions it's different.

I've never had to do any local networking in my career as an iOS dev so downloaded Apple's peer to peer example app (https://developer.apple.com/documentation/network/building_a...) and removed the `Privacy - Local Network Usage Description` key/value pair from the `info.plist` file and ran the app on my device.

I fully expected a crash with a description telling me to add this key but iOS just filled in the missing description with a default value and asked away. I wonder why that permission is treated differently from the rest?
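An added example (not Apple's code, nor from the commenter's test) that audits an Info.plist for exactly this: plistlib loads the property list and the checker reports when NSLocalNetworkUsageDescription (the key Xcode shows as "Privacy - Local Network Usage Description") is missing or empty, and when NSBonjourServices entries are not well-formed service types. The plists and the bundle identifier are constructed samples.

```python
import plistlib

# Info.plist keys Apple defines for local-network use. Xcode displays the first
# as "Privacy - Local Network Usage Description"; the second lists the Bonjour
# service types an app may browse for.
USAGE_KEY = "NSLocalNetworkUsageDescription"
BONJOUR_KEY = "NSBonjourServices"


def audit_local_network_keys(plist_bytes):
    """Return a list of findings about the local-network privacy keys.

    An empty list means the plist carries a usage string, so the permission
    prompt shows the developer's explanation instead of the generic default
    text iOS substitutes when the key is absent.
    """
    info = plistlib.loads(plist_bytes)
    findings = []

    usage = info.get(USAGE_KEY)
    if usage is None:
        findings.append(f"missing {USAGE_KEY}: the prompt falls back to a default string")
    elif not str(usage).strip():
        findings.append(f"{USAGE_KEY} is present but empty")

    services = info.get(BONJOUR_KEY, [])
    if not isinstance(services, list):
        findings.append(f"{BONJOUR_KEY} must be an array of service types")
    else:
        for svc in services:
            # Bonjour service types look like "_printer._tcp" or "_example._udp"
            ok = isinstance(svc, str) and svc.startswith("_") and svc.endswith(("._tcp", "._udp"))
            if not ok:
                findings.append(f"{BONJOUR_KEY} entry {svc!r} is not a _name._tcp/_udp service type")
    return findings


def _plist(body):
    """Wrap a <dict> body in a minimal XML property list (constructed sample)."""
    return (
        b'<?xml version="1.0" encoding="UTF-8"?>\n'
        b'<plist version="1.0"><dict>\n' + body + b'\n</dict></plist>\n'
    )


# Constructed samples, not any real app's Info.plist.
PLIST_NO_DESCRIPTION = _plist(
    b"<key>CFBundleIdentifier</key><string>com.example.sampleapp</string>\n"
    b"<key>NSBonjourServices</key><array><string>_example._tcp</string></array>"
)
PLIST_COMPLETE = _plist(
    b"<key>CFBundleIdentifier</key><string>com.example.sampleapp</string>\n"
    b"<key>NSBonjourServices</key><array><string>_example._tcp</string></array>\n"
    b"<key>NSLocalNetworkUsageDescription</key>"
    b"<string>Finds the example devices on your Wi-Fi so you can pair with them.</string>"
)
PLIST_BAD_SERVICE = _plist(
    b"<key>NSLocalNetworkUsageDescription</key><string>Pairs with devices.</string>\n"
    b"<key>NSBonjourServices</key><array><string>example</string></array>"
)

if __name__ == "__main__":
    for name, data in [("no description", PLIST_NO_DESCRIPTION),
                       ("complete", PLIST_COMPLETE),
                       ("bad service", PLIST_BAD_SERVICE)]:
        print(name, "->", audit_local_network_keys(data) or "ok")
```

Pointed at a real bundle's Info.plist (binary plists load the same way), this is the check that would have caught the missing description the commenter removed, which is the only thing separating an explained prompt from the bare one in the tweet.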


Probably because they introduced it afterwards, and thus to not break compatibility with all other apps they tried to make it transparent to the developer. Except it's not.

I get that Apple is going into the direction of forbidding local LAN communication because they want you to implement Homekit protocol in the hardware, except that is a pain, requires certification of the hardware and requires a physical chip inside the hardware.


If you're truly not being malicious then open source your app and get it added to the alpine repos so people can run it in ish.


I assume signal is udp hole punching to get around NAT.


Signal uses local networking for the account migration functionality: https://support.signal.org/hc/en-us/articles/360007059752-Ba...

You scan a QR code with one device and it transfers the entire account state to the new phone.


What's some good resources on understanding NAT and udp hole punching that explain it in an intuitive manner?


The simplest take on the concept is get a 3rd party with a public address to exchange the current port tuples used to connect to it between the 2 clients so the clients can then use this information to connect directly.

Beyond the basic take on it there really isn't an intuitive single explanation because "simple" things like "NAT traversal" quickly turn into "Full-cone NAT to Port-restricted NAT with UPnP behind CG-NAT" individual corner cases endlessly fighting the need to just go to IPv6.
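A runnable sketch of that exchange, added here and not taken from any commenter or library: a toy NAT model with the two behaviours that decide the outcome (how public ports are mapped, and how inbound packets are filtered), plus the rendezvous-then-direct-send sequence. All addresses are constructed documentation-range values, and the 'independent'/'dependent' and 'none'/'strict' labels are my simplification of the RFC 4787 mapping and filtering categories.

```python
from itertools import count


class Nat:
    """Toy NAT with the two knobs that decide whether UDP hole punching works.

    mapping='independent': one public port per inner socket (cone NATs)
    mapping='dependent'  : a fresh public port per (inner socket, remote) pair
                           (symmetric NAT), so the port a rendezvous server
                           observes is not the one used toward the peer.
    filtering='none'     : anything sent to a mapped port is let in (full cone)
    filtering='strict'   : only from a remote address:port the inner socket
                           has already sent to (port-restricted cone)
    """

    def __init__(self, public_ip, mapping="independent", filtering="strict"):
        self.public_ip = public_ip
        self.mapping = mapping
        self.filtering = filtering
        self._ports = count(40000)
        self._map = {}         # mapping key -> public port
        self._inner = {}       # public port -> inner (ip, port)
        self._sent_to = set()  # (public port, remote) pairs that opened a hole

    def outbound(self, inner, remote):
        """Inner socket sends to remote; returns the public endpoint used."""
        key = inner if self.mapping == "independent" else (inner, remote)
        if key not in self._map:
            port = next(self._ports)
            self._map[key] = port
            self._inner[port] = inner
        port = self._map[key]
        self._sent_to.add((port, remote))
        return (self.public_ip, port)

    def inbound(self, public_port, remote):
        """Datagram from remote hits public_port; returns inner socket or None."""
        inner = self._inner.get(public_port)
        if inner is None:
            return None
        if self.filtering == "strict" and (public_port, remote) not in self._sent_to:
            return None
        return inner


def hole_punch(nat_a, nat_b, a_inner=("10.0.0.2", 5000), b_inner=("10.1.0.2", 6000),
               rendezvous=("203.0.113.50", 3478)):
    """Run the exchange from the comment above; report which directions work."""
    # 1. Both clients send to the public rendezvous server, which observes the
    #    NAT-assigned public address:port of each.
    pub_a = nat_a.outbound(a_inner, rendezvous)
    pub_b = nat_b.outbound(b_inner, rendezvous)
    # 2. The server relays pub_b to A and pub_a to B (the port tuple exchange).
    # 3. A sends to pub_b: this opens a hole in NAT A for pub_b. NAT B drops it
    #    unless it is unfiltered, because B has not yet sent anything to A.
    pub_a2 = nat_a.outbound(a_inner, pub_b)
    first_hit_b = nat_b.inbound(pub_b[1], pub_a2) is not None
    # 4. B sends to pub_a: opens a hole in NAT B. NAT A lets it through only if
    #    step 3 used the same public port the server saw (not so for symmetric).
    pub_b2 = nat_b.outbound(b_inner, pub_a)
    b_to_a = nat_a.inbound(pub_a[1], pub_b2) is not None
    # 5. A's next datagram to pub_b now matches the hole B opened in step 4.
    a_to_b = first_hit_b or nat_b.inbound(pub_b[1], nat_a.outbound(a_inner, pub_b)) is not None
    return {"a_to_b": a_to_b, "b_to_a": b_to_a}


if __name__ == "__main__":
    # Constructed public addresses from the RFC 5737 documentation ranges.
    print("port-restricted <-> port-restricted:",
          hole_punch(Nat("198.51.100.1"), Nat("198.51.100.2")))
    print("symmetric <-> port-restricted:     ",
          hole_punch(Nat("198.51.100.1", mapping="dependent"), Nat("198.51.100.2")))
```

The second run is the "Port-restricted NAT behind a symmetric one" corner case: the port the rendezvous server reported for A is never the port A uses toward B, so B's punch lands on a mapping that A never opened toward B, and nothing gets through in either direction without a relay.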


Apple does require a string for location access motivation, hopefully they'll do that for this one as well. Ideally all of them.


For some technical context: this dialog pops up the first time an app attempts to send a packet to a local device. A "common" reason why this happens is actually your own network devices if you're connected on wifi. For instance sending a custom DNS query to the wifi-advertised DNS server (if it's the router) will cause that dialog. Same thing happens if you happen to have a router redirect certain resources to itself. The latter typically at this point only happens for non-encrypted HTTP traffic and that's basically no longer permitted.

So why it happens exactly would be interesting.


More context: in particular, resolving link-local DNS names (those ending in .local, per RFC 6762) requires local network access. For iOS devices, Apple has summed this up pretty well [1]. Whether permission is required for each of the following:

    Making an outgoing TCP connection — yes
    Listening for and accepting incoming TCP connections — no
    Sending a UDP unicast — yes
    Sending a UDP multicast — yes
    Sending a UDP broadcast — yes
    Receiving an incoming UDP unicast — no
    Receiving an incoming UDP multicast — yes
    Receiving an incoming UDP broadcast — yes
    And finally, usage of Bonjour operations.

[1] https://developer.apple.com/forums/thread/663874
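An added model (mine, not Apple's implementation) of the rule the two comments above describe: an operation triggers the prompt only when the peer is on the local link, and then according to Apple's per-operation table, which is how a plain DNS query to the router prompts while the same query to an internet resolver does not. The interface CIDR and peer addresses are constructed, and the model is a simplification; the real trigger logic lives inside the OS and fires in some cases this does not cover.

```python
import ipaddress

# Apple's per-operation answers from the forum post above, keyed by
# (protocol, address kind, direction). They only apply when the peer is on
# the local network; internet traffic never triggers the prompt.
PROMPT_TABLE = {
    ("tcp", "unicast", "send"): True,      # making an outgoing TCP connection
    ("tcp", "unicast", "receive"): False,  # listening for / accepting connections
    ("udp", "unicast", "send"): True,
    ("udp", "multicast", "send"): True,
    ("udp", "broadcast", "send"): True,
    ("udp", "unicast", "receive"): False,
    ("udp", "multicast", "receive"): True,
    ("udp", "broadcast", "receive"): True,
}

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def address_kind(peer, iface):
    """'unicast', 'multicast' or 'broadcast' relative to the interface's subnet."""
    ip = ipaddress.ip_address(peer)
    if ip.is_multicast:
        return "multicast"
    if ip == LIMITED_BROADCAST or ip == iface.network.broadcast_address:
        return "broadcast"
    return "unicast"


def is_local_peer(peer, iface):
    """True if packets to/from peer stay on the link the interface sits on."""
    ip = ipaddress.ip_address(peer)
    if address_kind(peer, iface) != "unicast":
        return True
    return ip.is_link_local or ip in iface.network


def prompts_local_network(protocol, direction, peer, iface_cidr, bonjour=False):
    """Simplified model of when iOS shows the local network prompt.

    protocol: 'tcp' or 'udp'; direction: 'send' or 'receive';
    peer: the remote address; iface_cidr: this device's address and mask,
    e.g. '192.168.1.10/24'. Bonjour (mDNS/DNS-SD) use always prompts.
    """
    if bonjour:
        return True
    iface = ipaddress.ip_interface(iface_cidr)
    if not is_local_peer(peer, iface):
        return False
    kind = address_kind(peer, iface)
    if protocol == "tcp" and kind != "unicast":
        raise ValueError("TCP has no multicast or broadcast")
    return PROMPT_TABLE[(protocol, kind, direction)]


if __name__ == "__main__":
    me = "192.168.1.10/24"  # constructed: a phone on a home Wi-Fi
    cases = [
        ("DNS query to the router",           ("udp", "send", "192.168.1.1", me)),
        ("DNS query to an internet resolver", ("udp", "send", "203.0.113.53", me)),
        ("mDNS query (224.0.0.251)",          ("udp", "send", "224.0.0.251", me)),
        ("listening TCP socket, LAN peer",    ("tcp", "receive", "192.168.1.50", me)),
        ("receiving a subnet broadcast",      ("udp", "receive", "192.168.1.255", me)),
    ]
    for label, args in cases:
        print(f"{label:35} prompt={prompts_local_network(*args)}")
```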


This sounds like it might help against DNS rebinding attacks, at the cost of breaking interchangeability between DNS names and IP addresses.

Not sure if such a policy is a good idea, especially if the permission prompt automatically appears upon network activity without explicit developer intention. This will simply condition users to click "OK" without understanding what's going on.
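For the rebinding point, an added example (not from the thread) of the application-side defense that does not depend on the OS prompt at all: a LAN-only HTTP service checks the Host header against its own names and bound addresses and refuses everything else with 421, which defeats a rebound public name regardless of what the resolver returned. The names, addresses and requests are constructed, and attacker.example is an assumed name in the reserved .example TLD.

```python
import ipaddress


def split_host_header(value):
    """Split an HTTP Host header into (lowercase host, port or None).

    Handles bracketed IPv6 literals such as "[::1]:8080".
    """
    value = value.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, port_str = value[1:end], value[end + 1:].lstrip(":")
    else:
        host, _, port_str = value.partition(":")
    if port_str and not port_str.isdigit():
        raise ValueError("bad port")
    if not host:
        raise ValueError("empty host")
    return host.lower(), (int(port_str) if port_str else None)


def host_header_allowed(value, allowed_names, bound_addresses, port=None):
    """Decide whether a LAN-only HTTP service should answer this Host header.

    A rebinding attack makes an attacker's public name resolve to a LAN
    address; the victim's browser then sends requests to the LAN device with
    that public name in Host. A service that only answers to its own names
    and addresses never serves those requests, whatever the resolver did.
    """
    try:
        host, req_port = split_host_header(value)
    except ValueError:
        return False
    if port is not None and req_port not in (None, port):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a DNS name rather than an IP literal
        return host in {n.lower() for n in allowed_names}
    return ip in {ipaddress.ip_address(a) for a in bound_addresses}


def respond(raw_request, allowed_names, bound_addresses, port=80):
    """Status line a hardened local service would return for a raw request."""
    lines = raw_request.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    if "host" not in headers:
        return "400 Bad Request"
    if not host_header_allowed(headers["host"], allowed_names, bound_addresses, port):
        return "421 Misdirected Request"
    return "200 OK"


# Constructed sample: a router admin page reachable as router.local / 192.168.1.1.
ROUTER_NAMES = ["router.local", "localhost"]
ROUTER_ADDRS = ["192.168.1.1", "127.0.0.1"]

# What the browser sends after attacker.example (assumed name) has been rebound
# to 192.168.1.1: the Host header still carries the attacker's name.
REBOUND_REQUEST = "GET /admin HTTP/1.1\r\nHost: attacker.example\r\n\r\n"
LEGIT_REQUEST = "GET /admin HTTP/1.1\r\nHost: router.local\r\n\r\n"
IP_REQUEST = "GET /admin HTTP/1.1\r\nHost: 192.168.1.1:80\r\n\r\n"

if __name__ == "__main__":
    for req in (REBOUND_REQUEST, LEGIT_REQUEST, IP_REQUEST):
        print(req.split("\r\n")[1], "->", respond(req, ROUTER_NAMES, ROUTER_ADDRS))
```

The same check belongs in anything that listens on a LAN address, which is exactly the class of device a scanning app would find; resolver-side filtering (such as dnsmasq's stop-dns-rebind option, which drops public answers that point at private ranges) is the complementary network-side control.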


I've had many apps, even very trustworthy ones, show me this permission prompt when my internet connection was down and the router was directing all requests to an error page. So it's possible for this prompt to appear without the app developer doing anything bad. Not giving TikTok much benefit of the doubt though.


Thanks for the details!

That opens new questions; for example, what's a "custom" DNS query? One that doesn't use mDNSResponder (or whatever iOS uses right now)?


I am not sure under which circumstances it flags. If you write your own DNS client for sure it will happen, but there seem to be more things that cause this to trigger.

After that dialog was introduced I saw it pop up on stack overflow for some relatively common libraries (for instance with unity) even if they did not attempt to access the local network.


Interesting. I initially denied the permission, but Tiktok seemed to not be able to make any Internet requests. The kind of behavior I would expect if DNS didn’t work anymore.

Maybe it’s just as innocent as this, but OTOH, it’s tiktok we’re talking about.


Perhaps there's something nefarious here, or perhaps it's just looking for a Chromecast or Apple TV?


Any discussion of intent is always going to be speculation. All we can think about is what such a thing would be capable of if it were somehow malicious.

The first possibility that comes to my mind would be sniffing Ethernet MAC addresses because it could be done without any sort of device-specific support built in to the app. Assuming your local devices’ manufacturers are following Da Rulez, the first part of their MAC address usually tells you the company, and the second part tends to be individualized/serialized.

That would, for example, let TikTok derive when certain users are together IRL if they both show up scan-adjacent to a unique MAC. Or maybe it could let them derive multiple accounts belonging to a single person if one is used on VPN-only to discuss political or personal topics that person might not want associated with their IRL identity.


If I was a state intelligence service I would love TikTok. Especially if it was legally banned in my country so was used almost exclusively by foreigners. One better was if the government had a controlling stake in the company [0] and laws requiring the company to be virtually transparent to demands from state security agencies [1].

Not only does TikTok have a ton of overt data about users but also contemporaneous data like usage patterns and physical location. Then using the app to collect and exfiltrate information about all manner of foreign networks. I can pass off that data to my government run hacking [2] groups [3] as well as regime-favored businesses for some really great market research.

[0] https://finance.yahoo.com/news/bytedance-says-china-unit-hol...

[1] https://en.m.wikipedia.org/wiki/Cybersecurity_Law_of_the_Peo...

[2] https://en.m.wikipedia.org/wiki/PLA_Unit_61398

[3] https://en.m.wikipedia.org/wiki/PLA_Unit_61486


The only actual issue with this setup for citizens of the US is that US citizens like to be the people with access to the data and doing the spying. What you have described, a state intelligence service with access to loads of user data that they happily use for spying, is what the US has normalized. Collecting all this data is par for the course (Snowden exposed that pretty conclusively) and non-US citizens have no rights as far as the US is concerned. Are they (China) doing it? Probably not; it seems like a lot of effort for very little gain. I mean, you find out that I like puppy videos and mostly stay in my house. It's a fun app though :) - also, to the original person's tweet, most of the apps on my iPhone pop this up from time to time, so if we are going to accuse TikTok of spying on me we should be accusing Calm and Insight Timer too (to randomly pick two).


AFAIK Calm and Insight don't have hundreds of millions of users nor is the CCP on their corporate boards. But with explanations provided by the apps as to why they want network device access they probably shouldn't be trusted.

As for the data collection, TikTok/ByteDance is definitely going to store it. They wouldn't collect it otherwise. To the utility of the data, if they've got MAC addresses of devices on your home network they can tell many of the brands of devices you own. They know when you get a new computer even if you never use TikTok on it. If you launch the app at your office they get the same information about your office network. In aggregate their network scanning will collect vast amounts of data.

The TikTok app is turning every user into a passive network scanner. Even if you want to ignore the CCP's influence on ByteDance I don't think there is any reason to give them the benefit of the doubt about their data collection. They'll sell their users and anyone around them. I have the same problem with Facebook and their damn shadow profiles and covert data collection.


My point is that this just appears to be xenophobia and is completely hypocritical. Nearly every app on my phone asks to access the local network. It's a thing. It's not unusual in the slightest. The problem seems to be that this company is based in China. And we don't like China. Maybe that is not what you in particular don't like (I get that you don't like FB) but that is the reason why this is a topic of conversation at all. So in effect what the people in this thread are saying is that American companies (and by direct link the US gov) are allowed to spy on people, but foreign governments should not be allowed. That seems like a huge double standard. For the record, I personally would prefer no governments were spying on me - but that doesn't seem to be on the table.


Nearly every app?! What apps do you actually use? I’ve only ever seen the prompt a few times, and always for pretty obvious reasons (UniFi, Prompt, VLC, etc.)


> The problem seems to be that this company is based in China.

You're misrepresenting the situation because you want to frame the whole issue as some xenophobia on my part. The problem is TikTok is a social network with millions of users whose parent company literally has the CCP as a board member and is subject to China's extremely invasive state security laws (requiring warrantless access to corporate data). The app was already an intelligence gold mine and now they've added a vein of platinum.

The only double standard is contained within the strawman you've created. I have the same problem with Facebook or Twitter apps scanning my local network for no reason than to increase their data harvesting. But since TikTok is the subject of the thread I specifically pointed out problems with TikTok. Facebook and Twitter have their own problems, some of them overlap with problems that exist with TikTok.

Neither I nor anyone else needs to list the myriad problems with every social network when criticizing any one of them. You're trying to use a tu quoque [0] argument claiming xenophobia and hypocrisy (where none exists) in hopes that it distracts from the points being made.

[0] https://en.m.wikipedia.org/wiki/Whataboutism


You can also just take the collection of devices typically on the network, hash the MAC addresses all together, and now you have a unique identifier for a household.


But devices would join and leave the network in a household - especially phones. Maybe you could have a listening period, e.g. a week, where you build a set of witnessed devices and then hash that for a household id?


Hash the MACs and use a Bloom filter; look for overlaps across time/accounts.


I'm overthinking it though. You'd probably get more mileage out of just looking for individual MAC addresses, full stop.
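An added example (mine, not from the thread) of what a MAC address does and does not give a scanner, in the terms used above: the OUI/serial split, and the two flag bits that separate burned-in addresses from multicast groups and from the locally administered addresses that phones with randomized Wi-Fi addresses present. The sample scan is constructed and no vendor registry is embedded; mapping an OUI to a company needs the IEEE registry, which this does not do.

```python
import re

MAC_RE = re.compile(
    r"^([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})[:-]"
    r"([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})$"
)


def parse_mac(mac):
    """Break a MAC address into the parts that matter for fingerprinting.

    The first three octets are the OUI (vendor-assigned, registered with the
    IEEE); the last three are the vendor's per-device serial. Two bits of the
    first octet change the picture entirely:
      bit 0 (I/G): 1 = group/multicast address, not a device at all
      bit 1 (U/L): 1 = locally administered, i.e. not a burned-in vendor MAC.
    Randomized ("private") Wi-Fi addresses on modern phones set the U/L bit,
    so a scanner sees neither a real vendor nor a stable serial for them.
    """
    m = MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    octets = [int(x, 16) for x in m.groups()]
    first = octets[0]
    return {
        "oui": "%02X:%02X:%02X" % tuple(octets[:3]),
        "serial": "%02X:%02X:%02X" % tuple(octets[3:]),
        "multicast": bool(first & 0x01),
        "locally_administered": bool(first & 0x02),
    }


def fingerprintable(mac):
    """True if this address gives a tracker a stable vendor + serial pair."""
    info = parse_mac(mac)
    return not info["multicast"] and not info["locally_administered"]


def exposure_report(macs):
    """Summarise how much a LAN scan learns from a list of observed addresses."""
    stable, randomized, group = [], [], []
    for mac in macs:
        info = parse_mac(mac)
        if info["multicast"]:
            group.append(mac)
        elif info["locally_administered"]:
            randomized.append(mac)
        else:
            stable.append(mac)
    return {
        "stable_device_ids": sorted(stable),
        "randomized": sorted(randomized),
        "group_addresses": sorted(group),
        "vendor_prefixes_exposed": sorted({parse_mac(m)["oui"] for m in stable}),
    }


# Constructed sample (no real devices): two burned-in addresses sharing a
# made-up vendor prefix, one randomized phone address, one multicast address.
SAMPLE_SCAN = [
    "00:11:22:AA:BB:01",  # e.g. a smart TV: vendor prefix + serial, trackable
    "00:11:22:AA:BB:02",  # a second device from the same vendor
    "DA:1B:2C:3D:4E:5F",  # 0xDA has the U/L bit set: a randomized address
    "01:00:5E:00:00:FB",  # IPv4 multicast (the mDNS group), not a device
]

if __name__ == "__main__":
    for key, value in exposure_report(SAMPLE_SCAN).items():
        print(f"{key:24} {value}")
```

The report is the defender's view of the household-ID idea above: only the "stable" bucket contributes a durable identifier, so every client that randomizes its Wi-Fi address removes itself from that hash, while fixed devices such as TVs and printers stay in it.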


Apple is also complicit in making it incredibly hard to execute an MITM proxy to know what your iOS apps are sending back to their servers.

Being able to MITM and see what your apps and OS are sending back is the first step to real privacy.


Can you send packets to the local network if you are using a VPN on your phone? Sounds like a VPN bug to me.


Of course you can. Look up VPN routing / split tunneling. It’s not uncommon for corporate VPNs to only route intranet traffic for instance; and LAN is usually whitelisted.


Besides corporate VPNs, typical consumer VPNs are also set up to allow LAN access. Your average Joe Schmoe would be annoyed if their network printer stopped working every time they turned on their VPN to watch Netflix movies or whatever.


IPSEC VPNs (and others) have the remote networks defined in the protocol as part of the security association (SA). The SAs define which networks are available over the tunnel.

Saying "all RFC1918 addresses are available over here" is quite a cocky and obviously broken thing to do, unless you're dealing with a corporate device which is paranoid about leaking traffic to other networks.


Yes, "LAN is usually whitelisted" in my comment is independent from the corporate split tunneling example.


You no more need Bluetooth permissions to use AirPlay than you do for AirPods, because the OS is deciding the output device per the user's instructions[1].

Also: TikTok doesn’t support AirPlay or Chromecast.

[1] Per the user’s instructions on a good day at least.


Trusting companies not to abuse the simple explanation of Chromecast is dead in the water, though. Why on earth would you trust a company _not_ to abuse that?


I don't see chromecast or apple tv called out as a capability, and I'm not installing it to find out. I also don't really see the LAN access reasons there either. https://apps.apple.com/us/app/tiktok/id835599320

https://play.google.com/store/apps/details?id=com.ss.android...

Based on the things they do call out as permissions this app is scary.


I saw the same message yesterday from Spotify when I tried to use Chromecast. At least it prompted me for the permissions when I took that action, so it was clear why.


Which is usually the only time it appears - when I specifically request the app to do something which requires scanning for local devices.

TikTok doesn't support Chromecast (I think).


Assuming this is iOS doesn't the native screen sharing capability handle that?


Not chromecast.

My charitable guess is they're adding support for chromecasting behind feature flags/AB testing, but don't yet have it correctly enabled/disabled. There was a lot of uproar over instagram immediately using the microphone/camera constantly, when they actually just always had the API initialized to make swiping to the camera snappier.


That could also explain why they didn't bother to provide in the notification to the user why they're requesting this access: because they weren't intending to request it (yet).

I find the conspiracy theories more compelling, but less likely.


When an app tells you it’s stealing your data, I would say you should believe it.


If this just started popping up without an explanation string, my guess is they included some 3rd party SDK that is doing fingerprinting on the local LAN, much like FB SDKs used to do.


Yeah, although I can't think of an immediate use-case considering Tiktok doesn't support streaming to Chromecast or Apple TV.


If it only connects to multimedia devices, and if my OS lets me know that TikTok is using my multimedia devices, then I'd be OK with it, but I don't TikTok. Like MicroSnitch, which warns you when a mic/camera becomes active (macOS only).


TikTok doesn't have either feature. At least I don't see an obvious way to connect.


It would be a little too obvious if this is done for nefarious reasons by TikTok developers themselves.


Microsoft Teams does this as well, purportedly for video calling (!?) Was there ever an explanation why the permissions are needed?


Just did a quick search and found that teams does in fact support some sort of local-only streaming:

https://docs.microsoft.com/en-US/microsoftteams/use-ndi-in-m...

I do trust Microsoft to collect all tracking data that's possible at all, but at least there is also a valid use case here.

It's even somehow plausible that they would require this permission for any kind of video streaming - to make sure all permissions are present before someone wants to start a locally streamed call.


I assumed it was to gracefully deal with handoff from one device to another while in a meeting since you can start on one device and continue with another, or maybe to share your screen from another device etc. It would be nice to know why exactly certain permissions are requested; sometimes that’s done by telling you what feature it might break if you don’t grant those permissions.


That's a great observation - for handoff it would make much more sense to get the permission beforehand, rather than trying to stop all sorts of a/v and network processes to get the user's ok.


It saves Microsoft traffic if people are in the same office building / corporate VPN and can exchange audio/video streams directly vs having to go through a MS-provided STUN/TURN intermediate server.


For MS I suspect either incompetence or laziness and just checking all the permissions (because a lot of Teams seems poorly thought out and designed by committee, probably an “agile” one too).

As for Tick Tock it’s obviously spyware meant for direct user identification. How anyone can use it when it’s uploading their biometric information (face, voice) to the CCP is beyond stupidity.


It's TikTok* and do you have any evidence to support what you're saying or you're just pulling this from thin air?


So far from what I’ve seen, it is mostly along the lines of “they technically can, so I assume they do.”

Even when it comes to someone like me, who is very strongly anti-CCP, it definitely irks me a bit. Mostly because making strong accusations like that without any reasoning other than “they can, so they definitely do it” only makes that position look weaker and more difficult to align with. Why make up those things and accusations, when there are so many other valid points for criticism there? There is a reason for why “the boy who cried wolf” is a very commonly referenced parable.


Tick Tock, thanks.


It is to support finding devices you can cast to inside the app (like conference calling boxes.)


Is it TikTok or is it just because of a captive portal on the WiFi?

It happened to me just yesterday: “Why does X require local network access? Ugh.” A minute later “Oh, Y is also requiring network access.”

Yes, I was on a public wifi.

This may be 100% Apple’s fault, everyone here is just commenting on a photo and not confirming that they also saw the message today.


I had the same thing happen some days ago while rebooting my modem at home after accidentally unplugging it.

All kinds of apps I use regularly, which have absolutely no use for it, started asking for permission to list devices on the local network.



I'm pretty sure they use it for targeting; I remember TikTok presenting me a video of interest shared by others on the same wifi.


Very curious coincidence. I watched a little TikTok this morning and found my daughter's account in my feed.


This shouldn't be news, tons of apps do this; I suspect it's for something like Chromecasting, maybe it collects telemetry too? Either way, not at all specific to TikTok.


> Chromecasting

IMHO the OS or some common proxy app should take care of this. Yes, Chromecasting is a legitimate case and it's nice of TikTok or any other relevant app to offer such a feature but I don't trust random (let alone Chinese) app vendors to scan my home network.


Pokemon Go started asking for this back in March with an update. I don't think it was ever figured out why it would want access, and it's certainly not for Chromecast/Roku/AppleTV.


Pokéball Plus support. I mean, I can’t speak to Niantic fingerprinting players because I don’t know if they are, but you do need Bluetooth to use the Pokéball Plus properly. Also I believe you need Bluetooth to work with the Let’s Go Pikachu and Eevee games on the Switch to transfer Pokémon back and forth, but I never did get that to work properly.


Yeah, but Let's Go and Pokeball were released years ago. Go Plus was released almost Day 1, if I recall. All of those connect via Bluetooth and never required a network. They all still work just fine if you deny PoGo the permission to access devices.


Correct me if I’m wrong, but isn’t this the same dialog that pops up for Bluetooth devices or am I missing something?

I haven’t used my Pokeball Plus since about a month after I bought it, which was basically day or week 1, but if I recall correctly the mandate to ask for permissions only came around after that time frame and I would expect it the next time I pulled it out.

But if it does work without Bluetooth permissions, then that’s cool, or if this is a separate dialog than the Bluetooth permissions dialog, then I’m just wrong, which is also fine and I can live with that.


No, it's definitely different. The Bluetooth permissions come up whenever you pair a new Pokeball/Go Plus/3rd Party Device like Gotcha. It strictly asks if you want to pair a new Bluetooth device.

The network discovery is different. iOS will pop up a dialog saying something like, "Pokemon Go wants to discover other devices on your network" or something like that, which is what this story is about. I believe it pops up once when you install and sign up, but then it never asks again.


I see. In that case I stand corrected. Thanks!


Instagram is requesting access to local devices on the network as well as of yesterday.


Many apps need to peer with a very short list of remote nodes. There are only some rare apps that need blanket network access to any other node. Maybe it's time for more permissions constraints to be applied?


Curiously, I have seen this prompt in apps that did not normally ask for this permission when I was on a captive network without having logged in. No idea why it was prompted, but could be related somehow?


So just use their web site. Honest question - why do people use apps for such?


Because that’s how <insert app> is used. The concept of apps and web sites being separate things, or being different, or preferable to one another isn’t on the radar of 95% of people, it’s a blurry shapeless vagueness the mind glazes over if it’s ever forced into recognizing its existence, and immediately discarded afterwards.

You’re asking a forum of power users/creators, where a loud minority completely unironically still use desktop & laptop computers for activities besides work. The only people on earth less understanding (intentionally or not) of consumer behavior are the Sentinelese.


> a loud minority completely unironically still use desktop & laptop computers for activities besides work.

Is using a desktop or laptop for non-work activities ironic somehow?


I honestly don’t know what exactly irony means.

unironically = sincerely/earnestly


Right; I wasn't playing grammar gotcha. I use my laptop for non-work activities, and I guess I do so sincerely. Do people use their laptops or desktops for non-work activities somehow insincerely?


Sure, for example as a last resort when your phone or whatever has died, but the charger is over there, ugh.


I think it's very unlikely that TikTok could build an equivalent UX that would work in a browser, including the creator tools. And even if they could - have they done so?

And let's not forget that Apple actively works against this way of working by intentionally gimping their browser capabilities and outright disallowing competing browsers.


Because these services usually do not develop their websites to parity with their apps and push users heavily to install apps.


For IG the web site pales in comparison. I don't use the app but I have an account courtesy of FB I think, and all the recommendations are "Instagram recommended" accounts like pop singers and reality TV stars, even after I followed some that weren't, such as real-world friends and family. There's no way to discover other interesting material. So I guess it's because the web version can be much worse.


On mobile they heavily push people to the app... this is the answer to most "just use the website" questions. Reddit mobile has been particularly bad about this lately, by blocking content. Instagram hits you with a login gate after viewing a few photos, etc... all of these companies are pushing their users to the place where they can siphon off the most data, which at the moment are apps.


You mean you don't like being spied on?


This is only the TikTok iOS/Android app right? Not the web app?


Yes, iOS app in this specific case.


Straight to the IoT isolation network


Your phone?


I mean if it's being hostile to your LAN then why not?

Let the hostile phones, TVs, Sonos, toasters, etc. live on the IoT network and your laptop, desktop, NAS and whatever else you value live on your actual LAN.


There are two ways that the TikTok mobile app can be used to control the app running on a smart TV, Android TV, Roku, or whatever.

1) The app on the smart TV can connect to a command-and-control network in the cloud, which will make deranged HNers howl in disapproval.

2) The app on the phone can discover local devices it can control, which will make deranged HNers howl in disapproval.


Why does TikTok 'need' access to devices on your local network?

The intention from YouTube is obvious as they use it for Chromecast, but why does TikTok need this particular access? Have they disclosed this usage somewhere?

On top of that and continuing from [0], it seems that it is collecting even more things that you may not even know about [0]. Far worse than the other apps out there.

The purpose? The recommendation algorithm, of course. Otherwise, how else is it supposed to work?

To Downvoters: Lots of commenters here saying that TikTok does not support AirPlay or Chromecast. Since that can be ruled out, what is the intention of this permission, and is it disclosed anywhere why they need such access?

I'm also assuming that you know why TikTok needs access to devices on your local network? Maybe you can elaborate on this?

[0] https://news.ycombinator.com/item?id=28137000
