We welcome legitimate review of our platform and know that staying ahead of next-generation cyber threats requires us to continuously strengthen the security of our platform and collaborate with industry-leading experts to test our defenses. That's why we partner with industry leaders such as HackerOne and it's also why we open the doors of our global Transparency and Accountability Centers for people to learn about source code and how our application’s algorithm operates.
On February 13, the Malcore team at Internet 2.0, which describes itself as a joint U.S. and Australian cybersecurity company, published an industry analysis that is at best misleading and at worst severely flawed and biased. According to the report, Malcore is an automated analysis tool designed to scan files and programs, detect malware and assess risk. Yet by their own admission, the Malcore team used the tool to perform an inconclusive analysis that did not include a detailed source code review. Their results contained a number of inaccuracies that should cast doubt on the validity of their findings.
In response, we had our own researchers conduct a technical analysis of Malcore's findings and below is what we found.
Our Data Collection Practices
- TikTok does not collect user device IMEI, SIM serial number, or integrated circuit card identification number. The current version of the TikTok app does not use MAC addresses. We encourage users to download the latest version of the app, which includes important security updates.
- TikTok does not collect all accounts on a device.
- In regions outside the U.S., where Location Services is available, TikTok collects location information based on a device's GPS data, if Location Services is actively enabled by the user. The current version of the TikTok app does not collect precise or approximate GPS information from U.S. users. We recommend people update to the latest version of the TikTok app.
- In some cases, where U.S. users are using an older version of the TikTok app that allowed for collection of precise or approximate GPS information (last release in August 2020), and granted TikTok permission to do so, we may collect such information. People can always prevent their device from sharing such information with TikTok or revoke previously granted permission at any time through their device settings.
- Additionally, people can choose to allow the platform access to photos, contact lists and the device microphone and camera. We detail the information we collect in our privacy policies and in our help center.
Software Development Kits (SDK)
An SDK is a set of tools that help software developers create applications for a specific platform. We have a process to assess the overall security risk of any SDK integrated with TikTok. In three cases, the Malcore team incorrectly identified SDK integrations. TikTok does not use the Pangle, Google CrashLytics, or Facebook Analytics SDKs. We use the remainder of the SDKs cited in the Malcore analysis in the following ways:
- Facebook Login SDK and VKontakte SDK (available in only 8 countries) are used to allow users to log in using their Facebook or VK credentials. Facebook Share allows users to share content from TikTok to Facebook.
- Facebook Bolts is an open source SDK to help engineers develop mobile apps. Appsflyer and Google Firebase Analytics are measurement and data analysis tools.
Scoring & Weighting
The Malcore team has not offered any explanation of the scoring system that scored TikTok the highest (worst) at 63.1, as compared to the industry standard of 34 for all other major social media apps and average score of 28.8 for all 21 apps.
The report arbitrarily lists the assigned score weights for five factors: trackers/SDKs, dangerous permissions, high-severity warnings from code analysis results, suspicious permissions, and severity warnings from code analysis results. There is no explanation of why or how these five factors were chosen.
Additionally, there's no explanation or external justification for why each factor is assigned the score it's been assigned, with tracker/SDKs given the highest score of 2.5 as compared to the second factor at 0.25 (10 times less) or the fifth factor (50 times less). Changing how any one category is scored would radically alter the risk scores for TikTok and the other apps.
Notably, the report itself acknowledges that "trackers normally are a legitimate software development kit (SDK) designed to help developers understand how their apps are being used, resolve potential issues and improve their software." The skewed weighting of SDKs doesn't take into account, for example, that some companies use a master SDK, which would make the number of SDKs an even less meaningful factor to assess risk. In short, Malcore's scoring system simply doesn't make sense.
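To illustrate the sensitivity argument above, here is an added example (not code from TikTok or from Malcore) that computes a weighted-sum risk score for two constructed app profiles using the weights quoted in the text (trackers/SDKs 2.5, dangerous permissions 0.25, fifth factor 0.05); the weights for the third and fourth factors are not given on the page and are assumed placeholders, as are the app profiles.

```python
"""Sensitivity of a weighted risk score to a single weight (added example)."""
from typing import Dict, List

# Weights quoted in the report critique above. The two marked "assumed" are not
# stated on the page and are placeholders chosen only for the demonstration.
WEIGHTS: Dict[str, float] = {
    "trackers": 2.5,
    "dangerous_perms": 0.25,
    "high_sev_warnings": 0.2,   # assumed
    "suspicious_perms": 0.1,    # assumed
    "sev_warnings": 0.05,       # 50 times less than trackers
}

# Constructed app profiles (counts per factor); not real measurements of any app.
APPS: Dict[str, Dict[str, int]] = {
    "app_a": {"trackers": 9, "dangerous_perms": 4, "high_sev_warnings": 1,
              "suspicious_perms": 2, "sev_warnings": 10},
    "app_b": {"trackers": 3, "dangerous_perms": 12, "high_sev_warnings": 6,
              "suspicious_perms": 8, "sev_warnings": 40},
}


def risk_score(counts: Dict[str, int], weights: Dict[str, float] = WEIGHTS) -> float:
    """Weighted sum of factor counts, rounded to two decimals."""
    return round(sum(weights[f] * counts.get(f, 0) for f in weights), 2)


def ranking(weights: Dict[str, float] = WEIGHTS) -> List[str]:
    """App names ordered from highest (worst) score to lowest."""
    return sorted(APPS, key=lambda a: risk_score(APPS[a], weights), reverse=True)


def reweighted(factor: str, new_weight: float) -> Dict[str, float]:
    """Copy of WEIGHTS with one factor's weight replaced."""
    changed = dict(WEIGHTS)
    changed[factor] = new_weight
    return changed


def tracker_share(counts: Dict[str, int], weights: Dict[str, float] = WEIGHTS) -> float:
    """Fraction of an app's score that comes from the trackers factor alone."""
    return round(weights["trackers"] * counts["trackers"] / risk_score(counts, weights), 2)


if __name__ == "__main__":
    print(ranking())                                  # trackers dominate: app_a first
    print(ranking(reweighted("trackers", 0.25)))      # same weight as permissions: order flips
    print(tracker_share(APPS["app_a"]))               # most of app_a's score is SDK count
```

With the quoted weights, nine SDKs outweigh twelve dangerous permissions plus forty warnings; giving trackers the same weight as dangerous permissions reverses the ranking of the two constructed apps.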
At TikTok, the privacy and security of the people who use our platform are among our highest priorities. We take our responsibility to safeguard people's privacy and security seriously and devote considerable resources to achieve this goal. We plan to continue to provide updates on our practices in our newsroom, help center and our privacy policies.