Just like E.T., TikTok wants to phone home.

By now, you have heard the concerns about the popular video-sharing social networking service TikTok’s ties to China. So what exactly are the ties? It is simple; TikTok is actually owned by a company named ByteDance that is based out of Beijing. Rather than have another article on what we already know, I decided to see what it would take to block TikTok. This took me down a deep rabbit hole, and what I found was shocking.

Blocking Access to TikTok

Note: Tested on Zscaler Cloud Proxy and iOS

It turns out that we (Zscaler) cannot stop users from installing the TikTok app. We can, however, break its communication. First things first: let's block the obvious, tiktok[.]com, reopen the app and see what happens. No surprise, the app still works: I can browse, send messages, search, and upload. Given the size of TikTok's user base (800 million and counting), it makes sense that the app would use more than one domain, especially once Content Delivery Networks (CDNs) are involved. Looking at the logs, the app is reaching out to the following domains outside of tiktok[.]com:

tiktokv[.]com
musical[.]ly <-- ByteDance acquired Musical.ly for roughly $1 billion in 2017
tiktokcdn[.]com 
p16-tiktokcdn.com.akamaized[.]net 

The traffic observed here looks like business as usual. All of the traffic headed to the CDNs is HTTP GET, which suggests the device is only retrieving content, not sending it (with the caveat that a GET can still carry data in its query string, as the search request later in this post shows). I updated my policy to block the additional domains (using wildcards, of course), relaunched the app and success! The app no longer loads content, retrieves messages, returns search results, etc.

Image: TikTok unable to connect

Normally, this is where the story ends. Not today, though. You see, I decided to jump on the Zscaler Cloud Console and review the blocked transactions. I noticed that TikTok was attempting to reach out to even more domains. Talk about application resiliency (or evasion)! This thing is trying its hardest to phone home, but, the app is not working. In addition to the domains that it attempted to reach out to before, it is now reaching out to domains that do not contain “tiktok”. Let’s look closer:

ipstatp[.]com
isnssdk[.]com
bytedance[.]com <---Parent company
amemv[.]com

We already know that bytedance[.]com is a Beijing company, but what about the other three?


Both ipstatp[.]com and isnssdk[.]com are hosted in AWS, but the WHOIS records for both show a registrant country of China. What about api.amemv[.]com?


I don’t know about you, but something seems fishy when you are actively trying to block an app and it has extended its reach from the US to Hong Kong. Perhaps the third time’s the charm? Let’s block those domains and see if the app finally gives up.


The TikTok app is like the Energizer Bunny: it just keeps going and going. This time, after blocking all the domains, the app reached out directly to IP addresses, specifically ByteDance's 130.44.212.0/22. Once I blocked this range, the app stopped reaching out to new domains/IPs. Now, are these all of the known TikTok destinations? Not even close. Here is a crowdsourced list that you can use. I will also point out that any static list can become obsolete in minutes, so check back often.
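The cat-and-mouse loop above (block what you see, then read the blocked-transaction view for whatever the app reaches next) is easy to script against a log export. The following is an added example, not Zscaler policy syntax and not the author's tooling: it applies the post's wildcard domain list and the ByteDance /22 to a constructed CSV log and separates what the rules caught from what the app reached that no rule covers yet. The log format (timestamp, client, destination) and the 130.44.213.7 address are assumptions for the sample only.

```python
"""Apply the post's TikTok block list to proxy-log destinations.

Added example, not Zscaler policy syntax. It reproduces the logic of a
wildcard domain block plus a CIDR block and reports which destinations
the app still reached that are not covered, which is how the post's
author kept discovering new domains in the blocked-transaction view.
"""
import csv
import fnmatch
import io
import ipaddress

# Domains named in the post. "*." covers every subdomain; the bare apex is
# handled in host_blocked(). The Akamai entry needs a leading "*" without a
# dot because the CDN hostname label is "p16-tiktokcdn", not "tiktokcdn".
BLOCK_PATTERNS = [
    "*.tiktok.com", "*.tiktokv.com", "*.musical.ly", "*.tiktokcdn.com",
    "*tiktokcdn.com.akamaized.net",
    "*.ipstatp.com", "*.isnssdk.com", "*.bytedance.com", "*.amemv.com",
]
# ByteDance range the post says the app fell back to once the domains were blocked.
BLOCK_CIDRS = [ipaddress.ip_network("130.44.212.0/22")]


def host_blocked(host):
    """True if a hostname matches a wildcard entry or is its bare apex."""
    host = host.lower().rstrip(".")
    for pat in BLOCK_PATTERNS:
        if fnmatch.fnmatchcase(host, pat):
            return True
        if pat.startswith("*.") and host == pat[2:]:
            return True
    return False


def destination_blocked(dest):
    """Decide for either a hostname or a literal IP address."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        return host_blocked(dest)
    return any(ip in net for net in BLOCK_CIDRS)


def triage(log_text):
    """Split a 'timestamp,client,destination' CSV log into (blocked, unlisted).

    The unlisted list is the one to review: anything the app reached while
    it was supposedly cut off is a candidate for the next block rule.
    """
    blocked, unlisted = [], []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 3:
            continue
        dest = row[2].strip()
        (blocked if destination_blocked(dest) else unlisted).append(dest)
    return blocked, unlisted


# Constructed sample log (not a real Zscaler export): hostnames from the
# post plus one made-up address inside the ByteDance /22.
SAMPLE_LOG = """\
2020-07-30T22:14:01Z,10.10.50.92,api19-normal-c-useast1a.tiktokv.com
2020-07-30T22:14:02Z,10.10.50.92,p16-tiktokcdn.com.akamaized.net
2020-07-30T22:14:03Z,10.10.50.92,api.amemv.com
2020-07-30T22:14:04Z,10.10.50.92,130.44.213.7
2020-07-30T22:14:05Z,10.10.50.92,dns.google.com
"""

if __name__ == "__main__":
    blocked, unlisted = triage(SAMPLE_LOG)
    print("blocked :", blocked)
    print("unlisted:", unlisted)  # dns.google.com is not on the list; worth a look
```

Run it after each policy change against the next export; whatever lands in the unlisted bucket is what the app tried once the listed names were cut off.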

While crunching logs, I noticed some connections from within my house going to China. Upon further investigation, I found that they came from my daughter's phone. While I cannot definitively tell which app on her phone was making these connections, I was able to pull all of her logs for that time frame to get some context.


Zooming out a bit, you can see that my daughter was on TikTok (I know, I know; I pick my battles) when the phone was making connections to China. The oddity here is that the phone was reaching out to Amazon China. Thankfully, my policy prohibits any communication to China, even to reputable websites like Amazon China.

That was fun! A little bit of a game of cat and mouse, but now I can say I have broken the TikTok app.


And my users cannot use TikTok on their device. Now I can go to bed knowing that they are protected and nothing sensitive is being sent to China.

Just as I start to drift off to sleep, a booming voice hits my brain, “Hey Brian…”


Now, a normal person would probably make a little note to check on this in the morning. Not me: time to roll out of bed and finish what I started. I fired up tcpdump, checked the cloud firewall logs, and tested again. This time, I was pleasantly surprised. The TikTok app only communicates over TCP/80 and TCP/443, presumably HTTP and HTTPS. Based on the traffic patterns, the app strongly prefers HTTPS over HTTP. (I wonder if that is an Apple App Store thing; who knows?) Then I started to think, "I wonder if I can inspect the HTTPS traffic headed to TikTok?" As it turns out, I can, using Zscaler, if the TikTok app is running on iOS (sorry, Android users, I don't have a device to test with). The usual conditions for TLS inspection apply: the device has to trust the proxy's root CA, and the app must not pin its own certificate (the iOS app evidently does not, or none of what follows would have been visible).

Inspecting HTTPS TikTok Traffic on iOS

I opened up the TikTok app and went to my go-to search for anything, Michael Jordan. I typed it in and then searched the Zscaler cloud logs. Lo and behold, we have visibility!


The actual HTTP request is below (notice “Michaeljordan” in the string):

api19-normal-c-useast1a.tiktokv.com/aweme/v1/general/search/single/?ac=4G&op_region=US&app_skin=white&is_pull_refresh=0&offset=0&search_source=normal_search&is_filter_search=0&count=10&keyword=Michaeljordan&hot_search=0&publish_time=0&sort_type=0&query_correct_type=1&client_height=896&

When testing the SSL/TLS inspection, I only "played" on TikTok for 3 minutes. Outside of searching for Michael Jordan, I did not expect to see TikTok POST content from my device. In all, there were 2,926 requests in those 3 minutes; 499 were HTTP POSTs and the rest were HTTP GETs. I expected an HTTP POST for every letter typed in the Michael Jordan search. So what was in the other 485 HTTP POSTs? Oh, you know, just my internal IP, iPhone model, latitude/longitude fields, a unique fingerprint of my device and more! Check the logs below:

ipv4"%20=%20"10.10.50.92"
ipv6"%20=%20"2600:380:77e2:a217:144b:b516:a405:4e08"
device_id=6748931216024774150
access=wifi
carrier=AT&T
display_density=1242*2688
is_cold_start=1
idea=00000000-0000-0000-0000-000000000000
idfv=BE717E9F-599C-48F7-9CED-DD3772BF215C
bh=456
mac_address=02:00:00:00:00:00
resolution=1242*2688
latitude=
device_platform=iphone
device_type=iPhone11,6
os_version=13.5.1
openudid=9c031be540e5bc5a5d9e4c4ae33fde421deee4e9
account_region=US
tz_name=America/Phoenix
tz_offset=-25200
current_region=US
carrier_region=US
build_number=166515~
mcc_mnc=310410
screen_width=1242
cdid=41D7F4AE-02CE-45BD-BD23-940CC4E959E7
ac=wifi
app_language=en

None of this should be news to anyone, but it confirms what has been noted before about the TikTok app. Two caveats when reading the fields above: mac_address=02:00:00:00:00:00 is the fixed placeholder value iOS has returned to apps since iOS 7, not the real hardware address, and latitude= was empty in this capture. The fields that actually carry device-specific values here are device_id, idfv, openudid and cdid, plus the internal IPv4/IPv6 addresses.
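A small parser makes it easier to turn a pile of decrypted requests like the ones above into a report of what actually left the device. This is an added example, not the post author's tooling and not TikTok code: it handles both the ordinary k=v&k=v form and the percent-encoded `key" = "value"` dump form seen in the ipv4/ipv6 lines, then buckets the fields. The field names are the ones printed in the post; the grouping into identifiers/location/device and the placeholder table are my own, and the sample POST body is constructed by joining the post's fragments with '&'.

```python
"""Extract device identifiers from TikTok-style request data.

Added example; not the post author's tooling and not TikTok code. Field
names come from the post; the grouping and placeholder table are mine.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed: the post's GET request, prefixed with a scheme so urlsplit()
# parses it (the trailing '&' is where the post truncates the request).
SEARCH_URL = ("https://api19-normal-c-useast1a.tiktokv.com/aweme/v1/general/search/single/"
              "?ac=4G&op_region=US&app_skin=white&is_pull_refresh=0&offset=0&search_source=normal_search"
              "&is_filter_search=0&count=10&keyword=Michaeljordan&hot_search=0&publish_time=0&sort_type=0"
              "&query_correct_type=1&client_height=896&")

# Constructed POST body: the post's key/value fragments joined with '&'
# ('AT&T' written as AT%26T, as it would be in a real URL-encoded body).
SAMPLE_POST_BODY = (
    'ipv4"%20=%20"10.10.50.92"&'
    'ipv6"%20=%20"2600:380:77e2:a217:144b:b516:a405:4e08"&'
    "device_id=6748931216024774150&access=wifi&carrier=AT%26T&display_density=1242*2688&"
    "is_cold_start=1&idea=00000000-0000-0000-0000-000000000000&"
    "idfv=BE717E9F-599C-48F7-9CED-DD3772BF215C&bh=456&mac_address=02:00:00:00:00:00&"
    "resolution=1242*2688&latitude=&device_platform=iphone&device_type=iPhone11,6&"
    "os_version=13.5.1&openudid=9c031be540e5bc5a5d9e4c4ae33fde421deee4e9&account_region=US&"
    "tz_name=America/Phoenix&tz_offset=-25200&current_region=US&carrier_region=US&"
    "build_number=166515~&mcc_mnc=310410&screen_width=1242&"
    "cdid=41D7F4AE-02CE-45BD-BD23-940CC4E959E7&ac=wifi&app_language=en"
)

# My grouping of the post's field names ("idea" is the key exactly as the post prints it).
IDENTIFIER_FIELDS = {"device_id", "idfv", "openudid", "cdid", "mac_address", "ipv4", "ipv6", "idea"}
LOCATION_FIELDS = {"latitude", "longitude", "tz_name", "tz_offset", "current_region",
                   "op_region", "carrier_region", "account_region"}
DEVICE_FIELDS = {"device_type", "device_platform", "os_version", "carrier", "mcc_mnc",
                 "resolution", "display_density", "screen_width", "build_number", "app_language"}

# Values that are stand-ins rather than real identifiers.
PLACEHOLDERS = {
    "mac_address": "02:00:00:00:00:00",               # fixed value iOS returns since iOS 7
    "idea": "00000000-0000-0000-0000-000000000000",   # all-zero UUID: identifier not populated
}

QUOTED_KV = re.compile(r'(\w+)"\s*=\s*"([^"]*)"')


def parse_fields(raw):
    """Parse k=v&k2=v2 data, including the percent-encoded `key" = "value"` dump form."""
    fields = {}
    for chunk in raw.split("&"):
        if not chunk:
            continue
        decoded = unquote(chunk)
        m = QUOTED_KV.fullmatch(decoded)
        if m:
            fields[m.group(1)] = m.group(2)
        else:
            key, _, value = decoded.partition("=")
            fields[key] = value
    return fields


def classify(fields):
    """Bucket fields; empty and placeholder values are reported separately so
    the report does not overstate what actually left the device."""
    report = {"identifiers": {}, "location": {}, "device": {},
              "placeholders": {}, "empty": {}, "other": {}}
    for key, value in fields.items():
        if value == "":
            bucket = "empty"
        elif PLACEHOLDERS.get(key) == value:
            bucket = "placeholders"
        elif key in IDENTIFIER_FIELDS:
            bucket = "identifiers"
        elif key in LOCATION_FIELDS:
            bucket = "location"
        elif key in DEVICE_FIELDS:
            bucket = "device"
        else:
            bucket = "other"
        report[bucket][key] = value
    return report


def search_keyword(url):
    """Recover the search term from the GET query string (data leaks via GET too)."""
    return parse_fields(urlsplit(url).query).get("keyword")


if __name__ == "__main__":
    for bucket, items in classify(parse_fields(SAMPLE_POST_BODY)).items():
        print(bucket, sorted(items))
    print("GET keyword:", search_keyword(SEARCH_URL))
```

The empty and placeholder buckets are the point: a report that lists "mac_address" or "latitude" as exfiltrated PII would be wrong for this capture, while device_id, idfv, openudid and cdid are the values worth tracking across sessions.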

“..there’s also a ton of creepy old men who have direct access to children on the app, and I’ve personally seen (and reported) some really suspect stuff. TikTok is essentially malware that is targeting children. Don’t use TikTok. Don’t let your friends and family use it.” Bangorlol

Needless to say, TikTok is now an unsanctioned application for the Deitch family. The kids aren’t happy but this ended up being a battle I did choose to have. As a parent of teenagers, I believe TikTok is like a refugee camp for dirty old men. I need to protect my children.

I was pleased at how easily (in minutes) I found the information I was looking for by inspecting SSL/TLS with Zscaler instead of reverse-engineering the app.

DoH

If you aren't already familiar with DNS over HTTPS (DoH), just know that it's the new fad when it comes to privacy but can also be used for nefarious purposes. It moves DNS lookups out of plain UDP/53 queries and into HTTPS requests to a resolver, so a DNS-based filter, or a proxy without TLS inspection, never sees the name being resolved. For example, with DoH I can configure my browser (or an iOS app) to resolve briandeitch.com and all you would see in your proxy/firewall logs is an HTTPS connection to dns.google.com; the connection that follows goes straight to the resolved IP. Does TikTok use DoH? Of course it does!


When you can inspect SSL/TLS, you get to see everything the app is up to. We can see in the logs that TikTok is attempting to resolve its server names over DoH instead of through the device's configured DNS. With SSL/TLS inspection, I can block that communication because I can see all of the Layer 7 data, including the name inside the DoH request.
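To make the difference between the two vantage points concrete, here is an added example (not from the post and not TikTok's code) that builds an RFC 8484 DoH GET request for a name the way a DoH client would, shows that a proxy without inspection sees only the resolver hostname, and then decodes the `dns` parameter the way a TLS-inspecting proxy can to recover the real query name and match it against a block list. The resolver hostname dns.google.com is taken from the post; the /dns-query path is the RFC 8484 convention, and no network traffic is sent.

```python
"""What a DoH lookup looks like on the wire, and what inspection recovers.

Added example, not TikTok code. Builds the RFC 8484 GET form of a DNS
query and decodes it again as a TLS-inspecting proxy would.
"""
import base64
import struct
from urllib.parse import parse_qs, urlsplit

RESOLVER = "dns.google.com"  # resolver name as it appears in the post's logs


def build_query(name, qtype=1):
    """Minimal DNS wire-format query: ID 0 (RFC 8484 recommends it for cacheability), RD set, one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # qtype A, class IN


def doh_get_url(name):
    """The URL a DoH client fetches: base64url without padding (RFC 8484 section 4.1)."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"https://{RESOLVER}/dns-query?dns={b64}"


def visible_without_inspection(url):
    """All a non-inspecting proxy gets: the SNI / Host, i.e. the resolver, not the name."""
    return urlsplit(url).hostname


def qname_from_doh_url(url):
    """What an inspecting proxy recovers once it can read the decrypted request."""
    b64 = parse_qs(urlsplit(url).query)["dns"][0]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if struct.unpack("!H", raw[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12  # questions start right after the 12-byte header
    while raw[pos]:
        n = raw[pos]
        labels.append(raw[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def would_block_after_inspection(url, blocked_suffixes):
    """A DNS-layer filter sees only the resolver; with the body decoded the
    real QNAME can be matched against the domain block list."""
    name = qname_from_doh_url(url)
    return any(name == s or name.endswith("." + s) for s in blocked_suffixes)


if __name__ == "__main__":
    url = doh_get_url("api.amemv.com")
    print("no inspection sees:", visible_without_inspection(url))
    print("inspection sees   :", qname_from_doh_url(url))
    print("blocked?          :", would_block_after_inspection(url, ["amemv.com"]))
```

The same decode applies to the POST form of DoH (the wire-format query is the request body instead of a query parameter); either way the name is only reachable once the TLS session is opened up.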

To wrap this up: TikTok is definitely up to some suspect behaviors, and the iOS application does everything in its power to phone home. The built-in resiliency that ensures it can phone home (to China) is unprecedented in my opinion. The app's logic tries additional hostnames, IP addresses, and DoH if it is firewalled off or loses connectivity. Factor in the PII that is being shared (granted, users agreed to the terms and conditions), and I am of the mindset that nobody should use this app! Questions? Just let me know!


EDIT: 7/31/20 @0751

It should also be mentioned that I did not observe any traffic over the QUIC Protocol (UDP/443, 80).