[HN Gopher] TikTok requests access to devices on local network
___________________________________________________________________
TikTok requests access to devices on local network
Author : hacky_engineer
Score : 255 points
Date : 2021-08-16 16:02 UTC (6 hours ago)
| hokkos wrote:
| I'm pretty sure they use it for targeting, I remember tiktok
| presenting me video of interest shared by other under the same
| wifi.
| SubiculumCode wrote:
| Very curious coincidence. I watched a little TikTok this morning
| and found my daughter's account in my feed.
| TchoBeer wrote:
| This shouldn't be news, tons of apps do this; I suspect it's for
| something like Chromecasting, maybe it collects telemetry too?,
| either way not at all specific to TikTok.
| wyldfire wrote:
| Many apps need to peer with a very short list of remote nodes.
| There are only some rare apps that need blanket network access to
| any other node. Maybe it's time for more permissions constraints
| to be applied?
| q-rews wrote:
| Is it TikTok or is it just because of a captive portal on the
| WiFi?
|
| It happened to me just yesterday: "Why does X require local
| network access? Ugh." A minute later "Oh, Y is also requiring
| network access."
|
| Yes, I was on a public wifi.
|
| This may be 100% Apple's fault, everyone here is just commenting
| on a photo and not confirming that they also saw the message
| today.
| Too wrote:
| I had same thing happen some days ago while rebooting my modem
| at home after accidentally unplugging it.
|
| All kinds of apps I use regularly, which have absolutely no use
| for it, started asking for permission to list devices on local
| network.
| antioxidant wrote:
| They used to check your clipboard the whole time too.
|
| They use the local network as one of their sensors to identify
| you (fingerprinting). However they have plenty more (see their
| privacy policy).
| dwild wrote:
| > They use the local network as one of their sensors to
| identify you (fingerprinting).
|
| But why? It's an app... I guess this can allow them to link
| other people in your household to you, but isn't the wifi
| network name already available?
| rvz wrote:
| > They use the local network as one of their sensors to
| identify you (fingerprinting).
|
| Well they already disclosed the other ways they are identifying
| you in [0] but have they disclosed this one that finds other
| devices on your local network for 'fingerprinting' purposes in
| their privacy policy?
|
| The worst thing about this is that they haven't disclosed as to
| why they are specifically doing this. Not even the commenters
| here know why, since we can rule out AirPlay and Chromecast
| support as valid reasons to request such permissions.
|
| [0] https://www.tiktok.com/legal/privacy-policy?lang=en
| phkahler wrote:
| >> They used to check your clipboard the whole time too.
|
| That's a design error on the UI side. An app should not have
| read access to the clipboard, it should have the ability to
| accept data from the clipboard when the user pastes it.
| f1refly wrote:
| There are legitimate uses though, of which I was made painfully
| aware when Google crippled the API and KDE Connect clipboard
| sync became way less impressive.
| Spivak wrote:
| The problem with clipboard access is that apps abuse it, not
| that having read access is a problem at all. Google Maps
| pulling my clipboard, which has an address in it, as the top
| suggestion for destinations is a good thing and respects the
| user's time.
| _trampeltier wrote:
| Is there a way to check if a website does read your clipboard?
| I know you have to interact with the site so they can read it.
| So in theory, a website can read your clipboard every time you
| click on something; is this true?
| detaro wrote:
| AFAIK it's not, reading the clipboard requires an explicit
| "paste" command triggered by the user or an explicitly
| granted permission.
| judge2020 wrote:
| > They used to check your clipboard the whole time too.
|
| To be fair quite a lot of apps did this to enable deep
| links/automatically opening certain clipboard links. Every big
| app has changed this to no longer show the 'pasted from'
| notification. And it was never shown that they export those
| clipboard contents to homebase.
| colechristensen wrote:
| >it was never shown that they export those clipboard contents
| to homebase
|
| When it comes to an app gathering data for a company, is
| anybody really willing to give the app makers the benefit of
| the doubt? If there is information available, somebody is
| going to take it and try to squeeze a penny out of it. Not
| everybody, but when it gives you a competitive advantage it
| has a tendency to grow.
| judge2020 wrote:
| The cool thing about phones is that you can MITM yourself
| and see what apps are sending, assuming they don't
| certificate pin (which TikTok doesn't). The person that
| reported this during the beta period didn't find any
| evidence when doing so.
|
| https://old.reddit.com/r/videos/comments/fxgi06/not_new_news...
| duiker101 wrote:
| Can you actually still widely do this? Last time I
| checked on the latest versions of Android apps don't
| accept user certificates so you can't really do much
| about any https traffic, which really is the bulk.
| k1rcher wrote:
| From a legitimate reverse engineering/security auditing
| standpoint, cert pinning is generally very trivial to
| bypass.
|
| see: Frida, xposed framework (not sure if still relevant)
| judge2020 wrote:
| The basis of many enterprise networks is device-installed
| CAs so I would be thoroughly surprised. iOS at least
| still allows you to install a custom CA and only a few
| apps will refuse to work with it, who likely reject
| connections that aren't secured via a specific CA.
| jeroenhd wrote:
| You can, on a rooted phone. There's ways to install a CA
| certificate with root (described in my only popular blog
| post) but there's also alternatives, like using Frida to
| disable TLS verification all together.
|
| It's certainly not as easy and reliable as it used to be,
| but it's still common for security research to use these
| tactics to see what apps are doing.
| MichaelGroves wrote:
| "Lots of people do it" should never be considered a
| legitimate excuse. Trying to use that excuse should get you
| kicked out of the meeting room.
| dudus wrote:
| Everything TikTok is usually linked to malice and espionage
| from China. If this is a common industry practice at the
| very least you give it the benefit of the doubt. It doesn't
| make it ok. It just makes it not automatically linked to
| international cyber warfare.
| smolder wrote:
| The incidents that might qualify as cyber warfare could
| also just be looked at as the same struggle for power on
| a different front, compared to economics. It can't be
| lost on Chinese leaders how valuable it is to the US to
| have so much money and data flowing through its domestic
| tech companies. Tech companies can't cross the line into
| cyber warfare themselves and get a pass on it, but they
| do play a role in it.
| vlunkr wrote:
| I don't think they're trying to say it's a valid excuse,
| just that there are reasons to check clipboard content that
| aren't malicious.
| hungryhobo wrote:
| Why should it get you kicked out of the meeting room? If
| everyone else is doing it and has a better UX, I'd imagine
| you'd be kicked out of the meeting room if you're not doing
| it.
| blackoil wrote:
| Theoretically maybe; practically we have a proverb: 'No one
| is fired for buying (IBM|MS|Google|AWS)'
| pizza wrote:
| > Every big app has changed this to no longer show the
| 'pasted from' notification.
|
| Is that because they stopped checking your clipboard, or
| because they managed to check in a way that doesn't alert the
| user?
| _fzslm wrote:
| afaik apps can detect patterns on the pasteboard without
| triggering the notification (i.e. check if the URL is a
| TikTok URL or not), but they can't actually access the
| contents without triggering the notification. it's enforced
| by the pasteboard API on iOS.
|
| so they probably updated their apps to perform this check
| before doing anything.
| zuhsetaqi wrote:
| "Okay so TikTok is grabbing the contents of my clipboard
| every 1-3 keystrokes. iOS 14 is snitching on it with the new
| paste notification pic.twitter.com/OSXP43t5SZ "
|
| -- Jeremy Burge (@jeremyburge) June 24, 2020
|
| TikTok wasn't checking it for link opening ...
| diebeforei485 wrote:
| Some other apps (Signal?) have also done this out of the blue,
| though they may have since added a UI around this.
|
| Regardless, Apple has done the right thing by putting this behind
| a permissions box, but the developer should be required to have
| some sort of explanation string of why they need this.
| phreack wrote:
| Apple does require a string for location access motivation,
| hopefully they'll do that for this one as well. Ideally all of
| them.
| alerighi wrote:
| That thing makes it annoying for the kind of applications my
| company does, that needs to communicate with other devices on
| the local network.
|
| It's annoying because it's not like other permissions, where
| you can ask the OS to prompt the user and check whether the
| user granted it or not; it's some special permission. If the
| user, by mistake, because they don't know that it's needed,
| doesn't grant it that one time, it's impossible to ask again,
| and the app has no way to know that the permission was not
| granted. It's just something that customer service has to
| handle, and that is bad.
|
| Sure, it's right to ask for a permission, so make it like a
| regular permission such as the location permission.
| t0ps0il wrote:
| > It's annoying because it's not like other permissions
|
| Normally if I want to use a permission, say location, I need
| to provide a value for given permission in my app's
| `info.plist` file, and if I don't and the app tries to grab
| the current location, it crashes with logs yelling at me to
| provide a description for the location privacy key.
|
| With local network permissions it's different.
|
| I've never had to do any local networking in my career as an
| iOS dev so downloaded Apple's peer to peer example app
| (https://developer.apple.com/documentation/network/building_a...)
| and removed the `Privacy - Local Network Usage Description`
| key/value pair from the `info.plist` file and ran the app on
| my device.
|
| I fully expected a crash with a description telling me to add
| this key but iOS just filled in the missing description with
| a default value and asked away. I wonder why that permission
| is treated differently from the rest?
| swiley wrote:
| If you're truly not being malicious then open source your app
| and get it added to the alpine repos so people can run it in
| ish.
| adrr wrote:
| I assume signal is udp hole punching to get around NAT.
| ergl wrote:
| Signal uses local networking for the account migration
| functionality:
| https://support.signal.org/hc/en-us/articles/360007059752-Ba...
|
| You scan a QR code with one device and it transfers the
| entire account state to the new phone.
| danlugo92 wrote:
| What's some good resources on understanding NAT and udp hole
| punching that explain it in an intuitive manner?
| zamadatix wrote:
| The simplest take on the concept is get a 3rd party with a
| public address to exchange the current port tuples used to
| connect to it between the 2 clients so the clients can then
| use this information to connect directly.
|
| Beyond the basic take on it there really isn't an intuitive
| single explanation because "simple" things like "NAT
| traversal" quickly turn into "Full-cone NAT to Port-restricted
| NAT with UPnP behind CG-NAT" individual corner cases endlessly
| fighting the need to just go to IPv6.
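To make the four-step description above concrete, here is an added Python simulation (written for this page; it is not code from Signal, TikTok or any commenter). It models three NAT behaviours with a hypothetical `Nat` class and runs the rendezvous-then-simultaneous-send exchange through a pair of them. It goes a little beyond the comment by also showing why the symmetric-NAT corner case defeats the trick. All addresses are constructed documentation-range values.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


class Nat:
    """Toy NAT model (hypothetical, for illustration only). mode is one of:
      "full-cone"        one external port per internal socket; anyone may send to it
      "port-restricted"  same mapping, but inbound only from an (ip, port) already contacted
      "symmetric"        a fresh external port for every (internal socket, remote) pair
    """

    def __init__(self, public_ip: str, mode: str = "port-restricted"):
        assert mode in ("full-cone", "port-restricted", "symmetric")
        self.public_ip = public_ip
        self.mode = mode
        self._ports = itertools.count(40000)
        self._mappings = {}      # mapping key -> external port
        self._permitted = set()  # (external port, remote endpoint) seen outbound

    def outbound(self, internal: Endpoint, remote: Endpoint) -> Endpoint:
        """Internal host sends to remote; returns the source address remote sees."""
        key = (internal, remote) if self.mode == "symmetric" else internal
        if key not in self._mappings:
            self._mappings[key] = next(self._ports)
        ext_port = self._mappings[key]
        self._permitted.add((ext_port, remote))
        return Endpoint(self.public_ip, ext_port)

    def inbound(self, src: Endpoint, dst_port: int) -> bool:
        """Would a packet from src to our external dst_port be forwarded inside?"""
        if dst_port not in self._mappings.values():
            return False                             # no mapping at all
        if self.mode == "full-cone":
            return True                              # any sender may use the mapping
        return (dst_port, src) in self._permitted    # we must have contacted src first


RENDEZVOUS = Endpoint("198.51.100.1", 3478)          # constructed public server


def hole_punch(nat_a: Nat, nat_b: Nat) -> bool:
    """Run the exchange and report whether both directions get through."""
    a_sock = Endpoint("192.168.1.10", 5000)          # constructed private sockets
    b_sock = Endpoint("10.0.0.7", 5000)

    # 1. Each client sends to the rendezvous server, which records the source
    #    (ip, port) it observes: the client's reflexive address.
    a_reflexive = nat_a.outbound(a_sock, RENDEZVOUS)
    b_reflexive = nat_b.outbound(b_sock, RENDEZVOUS)

    # 2. The server hands each client the other's reflexive address. That is
    #    just data in its reply, so no NAT state changes here.

    # 3. Both clients send to each other's reflexive address at the same time.
    #    A cone NAT reuses the mapping and adds a permission ("punches a hole");
    #    a symmetric NAT allocates a different external port instead.
    a_src_seen_by_b = nat_a.outbound(a_sock, b_reflexive)
    b_src_seen_by_a = nat_b.outbound(b_sock, a_reflexive)

    # 4. Each packet lands on the other NAT's reflexive port and is forwarded
    #    only if that NAT accepts the source address it actually carries.
    a_gets_b = nat_a.inbound(src=b_src_seen_by_a, dst_port=a_reflexive.port)
    b_gets_a = nat_b.inbound(src=a_src_seen_by_b, dst_port=b_reflexive.port)
    return a_gets_b and b_gets_a


if __name__ == "__main__":
    for mode_a, mode_b in [("port-restricted", "port-restricted"),
                           ("full-cone", "symmetric"),
                           ("symmetric", "symmetric")]:
        ok = hole_punch(Nat("203.0.113.5", mode_a), Nat("203.0.113.9", mode_b))
        verdict = "direct path works" if ok else "fails, relay (TURN) needed"
        print(f"{mode_a:15s} <-> {mode_b:15s}: {verdict}")
```

The only state that matters is the permission set each NAT builds from its own outbound traffic; once one side's external port depends on the remote (symmetric), the reflexive address learned via the server is not the one the peer's packet will carry, so the punched permission never matches.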
| uniqueuid wrote:
| Just to add: Scanning networks to gather data seems pretty
| popular these days - smart tvs have done so, and even the ebay
| site used to portscan visitors [1].
|
| [edit] And of course, there's WebRTC leaking your local IP -
| which ublock origin can specifically block [2].
|
| [1] https://www.bleepingcomputer.com/news/security/ebay-port-sca...
|
| [2] https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-l...
| nostrademons wrote:
| Is this separate from mDNS [1]? A lot of smart TVs and PCs
| increasingly use mDNS to support some fairly handy consumer
| features, like AirDrop, being able to setup your TV with your
| phone, network printing/scanning, ChromeCast, whole-home
| control of lights & other IoT devices, etc.
|
| [1] https://en.wikipedia.org/wiki/Multicast_DNS
| uniqueuid wrote:
| The incident I'm referring to was about LG [1]. The report
| includes network captures, so I'd trust it.
|
| Apparently, some chinese smart TV brands have been doing
| similar things, but I wouldn't be surprised if most other
| vendors have caught up and used stealthier techniques.
|
| [edit] Here's the news about those chinese TVs [2] and the
| original report [3]
|
| [1] https://arstechnica.com/information-technology/2013/11/lg-sm...
|
| [2] https://www.theregister.com/2021/05/04/skyworth_gozen_smart_...
|
| [3] https://www.v2ex.com/t/772523
| excitom wrote:
| Small point: LG is a Korean company, not Chinese.
| uniqueuid wrote:
| Right, those are two distinct incidents (and years
| apart).
|
| Sorry if that wasn't clear.
| jacquesm wrote:
| Iirc the ebay thing was yet another way to fingerprint you to
| re-identify fraudulent account creators.
| swiley wrote:
| That's a clear violation of the CFAA. This crime carries prison
| time. How come they threw teenagers in prison but not the
| people responsible for doing it en mass?
| the_mitsuhiko wrote:
| How is this a violation against the CFAA?
| swiley wrote:
| Unauthorized network access? Literally the whole point of
| the thing.
| Hnrobert42 wrote:
| I would argue the point was the opposite. It began with a
| request for authorization.
| indymike wrote:
| > It began with a request for authorization.
|
| Yes, by asking someone who doesn't have permission to
| give that authorization to do so.
| swiley wrote:
| I don't see how this is any different than walking into a
| building and telling the concierge you're a maintenance
| worker.
| 73r7fudhdjduru wrote:
| The illegal part there isn't requesting access it's lying
| about being a maintenance worker to gain access.
| kayfox wrote:
| What access controls are being bypassed?
| na85 wrote:
| There are a different set of laws for me and you.
| Corporations and CEOs play by their own rules.
| judge2020 wrote:
| If it's a clear violation maybe sue them for breaching your
| network?
| swiley wrote:
| I don't even have non-free mobile OSes on my network much
| less this.
| teawrecks wrote:
| Because people blindly accept terms of service.
| xvector wrote:
| It's not people's fault that terms of service are
| intentionally designed to be as long-winded as possible if
| you want any hope of using a product or service.
| hipsterhelpdesk wrote:
| It only "leaks" your ip if you are trying to use webrtc
| features with a vpn, otherwise web rtc is perfectly fine to use
| without concern for most people.
| uniqueuid wrote:
| Interesting! That's not how I read the ublock origin docs:
|
| "Keep in mind that this feature is to prevent leakage of your
| non-internet-facing IP adresses. The purpose of this feature
| is not to hide your current internet-facing IP address -- so
| be cautious to not misinterpret the results of some
| WebRTC-local-IP-address-leakage tests found online."
|
| That said, my Firefox 91 and Safari don't leak local IPs
| regardless of the ublock setting.
|
| Warrants more investigation perhaps.
| allo37 wrote:
| I believe newer versions of WebRTC use mdns to mask local
| IPs:
|
| https://bugs.chromium.org/p/chromium/issues/detail?id=878465
| uniqueuid wrote:
| Great find! Here's the IETF draft [1], submitted by Apple
| (which would explain why I'm not seeing leaks on Safari)
|
| [1] https://datatracker.ietf.org/doc/html/draft-mdns-ice-candida...
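An added example, not taken from the uBlock Origin wiki, the Chromium bug or the IETF draft: a small Python parser for ICE candidate lines that says which candidates hand the page a private or link-local address and which are hidden behind an mDNS `.local` name, as the draft above describes. Field positions follow the `a=candidate` grammar (foundation, component, transport, priority, connection-address, port, "typ", type). The candidate strings themselves are constructed for this example.

```python
import ipaddress

# Constructed sample lines, shaped like RTCIceCandidate.candidate strings.
SAMPLE_CANDIDATES = [
    "candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host generation 0",
    "candidate:2 1 udp 2122262783 fe80::1c2a:3b4c:5d6e:7f80 51235 typ host generation 0",
    "candidate:3 1 udp 2122260223 3f4a0b1e-8c7d-4e9f-a2b1-0c5d6e7f8a9b.local 51236 typ host generation 0",
    "candidate:4 1 udp 1686052607 203.0.113.7 51234 typ srflx raddr 0.0.0.0 rport 0 generation 0",
    "candidate:5 1 udp 41885439 198.51.100.40 3478 typ relay raddr 203.0.113.7 rport 51234 generation 0",
]


def parse_candidate(line: str) -> dict:
    """Split one ICE candidate line into the fields relevant to a leak check."""
    fields = line.split()
    if len(fields) < 8 or not fields[0].startswith("candidate:") or fields[6] != "typ":
        raise ValueError(f"not an ICE candidate line: {line!r}")
    return {
        "foundation": fields[0][len("candidate:"):],
        "component": int(fields[1]),
        "transport": fields[2].lower(),
        "priority": int(fields[3]),
        "address": fields[4],
        "port": int(fields[5]),
        "type": fields[7],          # host | srflx | prflx | relay
    }


def classify_address(address: str, cand_type: str) -> str:
    """What a candidate's connection-address reveals about the client."""
    if address.endswith(".local"):
        return "mdns-obfuscated"        # host candidate behind a random mDNS name
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "hostname"               # some other FQDN; no address disclosed
    if cand_type != "host":
        return "internet-facing"        # srflx/relay carry public addresses by design
    if ip.is_private or ip.is_link_local:
        return "private-ip-leak"        # RFC 1918 / link-local address given to the page
    return "internet-facing"


def audit_candidates(lines):
    """Return (address, type, verdict) per line plus whether any private IP leaked."""
    results = []
    for line in lines:
        c = parse_candidate(line)
        results.append((c["address"], c["type"], classify_address(c["address"], c["type"])))
    leaked = any(verdict == "private-ip-leak" for _, _, verdict in results)
    return results, leaked


if __name__ == "__main__":
    rows, leaked = audit_candidates(SAMPLE_CANDIDATES)
    for address, cand_type, verdict in rows:
        print(f"{cand_type:6s} {address:45s} {verdict}")
    print("local IP leaked:", leaked)
```

Note the distinction the uBlock wiki is making: the srflx and relay candidates are supposed to expose an internet-facing address, so a test that only flags those says nothing about the setting; the check that matters is whether any host candidate carries a raw private or link-local IP instead of a `.local` name.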
| wyager wrote:
| Many common wifi APs (eg TP-link EAP225) will allow you to
| create separate wifi networks on different VLANs. You can use
| this to isolate internet of shit devices onto their own
| networks where they can't talk to your other devices, without
| increasing your hardware costs or causing wifi interference.
|
| You'll need a router/firewall and an AP that are both
| VLAN-aware. I personally use an EAP225 and some eBay industrial
| PC running FreeBSD.
| blacksmith_tb wrote:
| And/or some routers offer 'AP Isolation' or 'Client
| Isolation' to prevent devices from communicating with each
| other (I am always glad to see public networks configured
| this way, but at home it'd be a pain to not be able to shell
| from one box into another etc.)
| the_mitsuhiko wrote:
| For some technical context: this dialog pops up the first time an
| app attempts to send a packet to a local device. A "common"
| reason why this happens are actually your own network devices if
| you're connected on wifi. For instance sending a custom DNS query
| to the wifi advertised DNS server (if it's the router) will cause
| that dialog. Same thing happens if you happen to have a router
| redirect certain resources to itself. The latter typically at
| this point only happens for non encrypted HTTP traffic and that's
| basically no longer permitted.
|
| So why it happens exactly would be interesting.
| nicce wrote:
| More context: resolving link-local DNS names (those ending with
| .local, per RFC 6762) requires local network access. For iOS
| devices, Apple has summed this up pretty well[1]. Whether the
| permission is required, per operation:
|
| Making an outgoing TCP connection -- yes
| Listening for and accepting incoming TCP connections -- no
| Sending a UDP unicast -- yes
| Sending a UDP multicast -- yes
| Sending a UDP broadcast -- yes
| Receiving an incoming UDP unicast -- no
| Receiving an incoming UDP multicast -- yes
| Receiving an incoming UDP broadcast -- yes
|
| And finally any usage of Bonjour operations.
|
| [1] https://developer.apple.com/forums/thread/663874
| uniqueuid wrote:
| Thanks for the details!
|
| That opens new questions; for example, what's a "custom" DNS
| query? One that doesn't use mDNSResponder (or whatever iOS uses
| right now)?
| the_mitsuhiko wrote:
| I am not sure under which circumstances it flags. If you
| write your own DNS client for sure it will happen, but there
| seem to be more things that cause this to trigger.
|
| After that dialog was introduced I saw it pop up on stack
| overflow for some relatively common libraries (for instance
| with unity) even if they did not attempt to access the local
| network.
| stingraycharles wrote:
| Interesting. I initially denied the permission, but Tiktok
| seemed to not be able to make any Internet requests. The kind
| of behavior I would expect if DNS didn't work anymore.
|
| Maybe it's just as innocent as this, but OTOH, it's tiktok
| we're talking about.
| intrasight wrote:
| So just use their web site. Honest question - why do people use
| apps for such?
| finiteseries wrote:
| Because that's how <insert app> is used. The concept of apps
| and web sites being separate things, or being different, or
| preferable to one another isn't on the radar of 95% of people,
| it's a blurry shapeless vagueness the mind glazes over if it's
| ever forced into recognizing its existence, and immediately
| discarded afterwards.
|
| You're asking a forum of power users/creators, where a loud
| minority completely unironically still use desktop & laptop
| computers for activities besides work. The only people on earth
| less understanding (intentionally or not) of consumer behavior
| are the Sentinelese.
| JadeNB wrote:
| > a loud minority completely unironically still use desktop &
| laptop computers for activities besides work.
|
| Is using a desktop or laptop for non-work activities ironic
| somehow?
| finiteseries wrote:
| I honestly don't know what exactly irony means.
|
| unironically = sincerely/earnestly
| JadeNB wrote:
| Right; I wasn't playing grammar gotcha. I use my laptop
| for non-work activities, and I guess I do so sincerely.
| Do people use their laptops or desktops for non-work
| activities somehow insincerely?
| finiteseries wrote:
| Sure, for example as a last resort when your phone or
| whatever has died, but the charger is _over there_ , ugh.
| cblconfederate wrote:
| You mean you don't like being spied on?
| mzs wrote:
| For IG the web site pales in comparison. I don't use the app
| but I have an account courtesy FB I think and all the
| recommendations are "Instagram recommended" accounts like pop
| singers and reality TV stars even after I followed some that
| weren't such as in real world friends and family. There's no
| way to discover other interesting material. So I guess it's
| because the web version can be much worse.
| mdoms wrote:
| I think it's very unlikely that Tiktok could build an
| equivalent UX that would work in a browser, including the
| creators tools. And even if they could - have they done so?
|
| And let's not forget that Apple actively works against this way
| of working by intentionally gimping their browser capabilities
| and outright disallowing competing browsers.
| mattnewton wrote:
| Because these services usually do not develop their websites to
| parity with their apps and push users heavily to install apps.
| micromacrofoot wrote:
| On mobile they heavily push people to the app... this is the
| answer to most "just use the website" questions. Reddit mobile
| has been particularly bad about this lately, by blocking
| content. Instagram hits you with a login gate after viewing a
| few photos, etc... all of these companies are pushing their
| users to the place where they can siphon off the most data,
| which at the moment are apps.
| prashnts wrote:
| Curiously, I have seen this prompt in apps that did not normally
| ask for this permission when I was on a captive network without
| having logged in. No idea why it was prompted, but could be
| related somehow?
| j45 wrote:
| Instagram is requesting access to local devices on the network as
| well as of yesterday.
| donohoe wrote:
| Twitter does it too
|
| https://twitter.com/donohoe/status/1412563187426369537
| dangoor wrote:
| Perhaps there's something nefarious here, or perhaps it's just
| looking for a Chromecast or Apple TV?
| SllX wrote:
| You no more need Bluetooth permissions to use AirPlay than you
| do for AirPods, because the OS is deciding the output device
| per the user's instructions[1].
|
| Also: TikTok doesn't support AirPlay or Chromecast.
|
| [1] Per the user's instructions on a _good_ day at least.
| dehrmann wrote:
| I saw the same message yesterday from Spotify when I tried to
| use Chromecast. At least it prompted me for the permissions
| when I took that action, so it was clear why.
| zahrc wrote:
| Which is usually only when it appears - when I specifically
| request the app to do something which requires to scan for
| local devices.
|
| Tiktok doesn't support chrome cast (I think)
| Lammy wrote:
| Any discussion of intent is always going to be speculation. All
| we can think about is what such a thing would be capable of if
| it were somehow malicious.
|
| The first possibility that comes to my mind would be sniffing
| Ethernet MAC addresses because it could be done without any
| sort of device-specific support built in to the app. Assuming
| your local devices' manufacturers are following Da Rulez, the
| first part of their MAC address usually tells you the company,
| and the second part tends to be individualized/serialized.
|
| That would, for example, let TikTok derive when certain users
| are together IRL if they both show up scan-adjacent to a unique
| MAC. Or maybe it could let them derive multiple accounts
| belonging to a single person if one is used on VPN-only to
| discuss political or personal topics that person might not want
| associated with their IRL identity.
| giantrobot wrote:
| If I was a state intelligence service I would _love_ TikTok.
| Especially if it was legally banned in my country so was used
| almost exclusively by foreigners. One better was if the
| government had a controlling stake in the company [0] and
| laws requiring the company to be virtually transparent to
| demands from state security agencies [1].
|
| Not only does TikTok have a ton of overt data about users but
| also contemporaneous data like usage patterns and physical
| location. Then using the app to collect and exfiltrate
| information about all manner of foreign networks. I can pass
| off that data to my government run hacking [2] groups [3] as
| well as regime-favored businesses for some really great
| market research.
|
| [0] https://finance.yahoo.com/news/bytedance-says-china-unit-hol...
|
| [1] https://en.m.wikipedia.org/wiki/Cybersecurity_Law_of_the_Peo...
|
| [2] https://en.m.wikipedia.org/wiki/PLA_Unit_61398
|
| [3] https://en.m.wikipedia.org/wiki/PLA_Unit_61486
| sam0x17 wrote:
| You can also just take the collection of devices typically on
| the network, hash the MAC addresses all together, and now you
| have a unique identifier for a household
| vineyardmike wrote:
| Hash the MACs and use a bloom filter, look for overlaps
| across time/accounts.
| ALittleLight wrote:
| But devices would join and leave the network in a household
| - especially phones. Maybe you could have a listening
| period, e.g. a week, where you build a set of witnessed
| devices and then hash that for a household id?
| rafale wrote:
| Can you send packets to the local network if you are using a VPN
| on your phone? Sounds like a VPN bug to me.
| oefrha wrote:
| Of course you can. Look up VPN routing / split tunneling.
| It's not uncommon for corporate VPNs to only route intranet
| traffic for instance; and LAN is usually whitelisted.
| MichaelGroves wrote:
| Besides corporate VPNs, typical consumer VPNs are also
| set up to allow LAN access. Your average Joe Schmoe would
| be annoyed if their network printer stopped working every
| time they turned on their VPN to watch netflix movies or
| whatever.
| oasisbob wrote:
| IPSEC VPNs (and others) have the remote networks defined
| in the protocol as part of the security association (SA).
| The SAs define which networks are available over the
| tunnel.
|
| Saying "all RFC1918 addresses are available over here" is
| quite a cocky and obviously broken thing to do, unless
| you're dealing with a corporate device which is paranoid
| about leaking traffic to other networks.
| oefrha wrote:
| Yes, "LAN is usually whitelisted" in my comment is
| independent from the corporate split tunneling example.
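An added Python example, not from iOS or any VPN product, that covers both the_mitsuhiko's point further up (the prompt fires on the first packet to an on-link device, such as a DNS query to the router) and the split-tunnel discussion here. It implements longest-prefix route selection and runs three constructed routing tables through it, so you can see which destinations leave on Wi-Fi and which enter the tunnel. Interface names and addresses are hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str   # destination network, e.g. "192.168.1.0/24"
    iface: str    # egress interface: "en0" = Wi-Fi, "utun2" = VPN (hypothetical names)


def lookup(table, dst):
    """Longest-prefix match, as every IP stack does it: the most specific
    matching route wins regardless of its position in the table."""
    ip = ipaddress.ip_address(dst)
    best_net, best_route = None, None
    for route in table:
        net = ipaddress.ip_network(route.prefix, strict=False)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_route = net, route
    return best_route


def leaves_on(table, dst):
    """Interface a packet to dst would leave on, or None if unroutable."""
    route = lookup(table, dst)
    return route.iface if route else None


def reached_on_lan(table, dst, lan_iface="en0"):
    """True when dst is sent directly on the LAN interface, i.e. the packet
    never enters the tunnel and goes to an on-link device."""
    return leaves_on(table, dst) == lan_iface


# Constructed tables.
CONSUMER_VPN = [                      # default via tunnel, LAN left reachable
    Route("0.0.0.0/0", "utun2"),
    Route("192.168.1.0/24", "en0"),
]
CORPORATE_FULL_TUNNEL = [             # "all RFC 1918 over here": the home LAN is swallowed
    Route("0.0.0.0/0", "utun2"),
    Route("10.0.0.0/8", "utun2"),
    Route("172.16.0.0/12", "utun2"),
    Route("192.168.0.0/16", "utun2"),
]
CORPORATE_SPLIT_TUNNEL = [            # only the intranet goes through the tunnel
    Route("0.0.0.0/0", "en0"),
    Route("192.168.1.0/24", "en0"),
    Route("10.0.0.0/8", "utun2"),
]

if __name__ == "__main__":
    router_dns, intranet, public = "192.168.1.1", "10.20.30.40", "1.1.1.1"
    for name, table in [("consumer VPN", CONSUMER_VPN),
                        ("corporate full tunnel", CORPORATE_FULL_TUNNEL),
                        ("corporate split tunnel", CORPORATE_SPLIT_TUNNEL)]:
        print(f"{name:23s} router={leaves_on(table, router_dns):6s} "
              f"intranet={leaves_on(table, intranet):6s} public={leaves_on(table, public)}")
```

With the consumer table the query to 192.168.1.1 never touches the tunnel, which is exactly the kind of send that would surface the local-network prompt; with the full-tunnel table the same query is swallowed by the 192.168.0.0/16 route and the printer case from the comment above breaks.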
| dheera wrote:
| Apple is also complicit in making it incredibly hard to
| execute an MITM proxy to know what your iOS apps are sending
| back to their servers.
|
| Being able to MITM and see what your apps and OS are sending
| back is the first step to real privacy.
| xfitm3 wrote:
| Assuming this is iOS doesn't the native screen sharing
| capability handle that?
| mholm wrote:
| Not chromecast.
|
| My charitable guess is they're adding support for
| chromecasting behind feature flags/AB testing, but don't yet
| have it correctly enabled/disabled. There was a lot of uproar
| over instagram immediately using the microphone/camera
| constantly, when they actually just always had the API
| initialized to make swiping to the camera snappier.
| danudey wrote:
| That could also explain why they didn't bother to provide
| in the notification to the user _why_ they 're requesting
| this access: because they weren't intending to request it
| (yet).
|
| I find the conspiracy theories more compelling, but less
| likely.
| toxik wrote:
| When an app tells you it's stealing your data, I would
| say you should believe it.
| mercora wrote:
| it would be a little too obvious if this is done for nefarious
| reasons by TikTok developers themselves.
| mtgx wrote:
| Why too obvious? 99% of people don't pay attention to this
| stuff. Look at what Facebook has been doing to users for
| years and years before being caught and blaming it on a bug
| or becoming way too familiar with Britney's lyrics in "Oops, I
| did it again."
| Maxburn wrote:
| I don't see chromecast or apple tv called out as a capability,
| and I'm not installing it to find out. I also don't really see
| the LAN access reasons there either.
| https://apps.apple.com/us/app/tiktok/id835599320
|
| https://play.google.com/store/apps/details?id=com.ss.android...
|
| Based on the things they do call out as permissions this app is
| scary.
| starik36 wrote:
| TikTok doesn't have either feature. At least I don't see an
| obvious way to connect.
| Closi wrote:
| Yeah, although I can't think of an immediate use-case
| considering Tiktok doesn't support streaming to Chromecast or
| Apple TV.
| SavantIdiot wrote:
| If it only connects to multimedia devices, and if my OS lets me
| know that TikTok is using my multimedia devices, then I'd be OK
| with it, but I don't TikTok. Like MicroSnitch, which warns you
| when a mic/camera becomes active (macOS only).
| hatware wrote:
| Trusting companies not to abuse the simple explanation of
| Chromecast is dead in the water, though. Why on earth would you
| trust a company _not_ to abuse that?
| azinman2 wrote:
| If this just start popping up and without an explanation
| string, my guess is they included some 3rd party SDK that is
| doing fingerprinting on the local LAN, much like FB SDK's used
| to do.
| uniqueuid wrote:
| Microsoft Teams does this as well, purportedly for video calling
| (!?) Was there ever an explanation why the permissions are
| needed?
| uniqueuid wrote:
| Just did a quick search and found that teams does in fact
| support some sort of local-only streaming:
|
| https://docs.microsoft.com/en-US/microsoftteams/use-ndi-in-m...
|
| I do trust Microsoft to collect all tracking data that's
| possible at all, but at least there is _also_ a valid use case
| here.
|
| It's even somehow plausible that they would require this
| permission for any kind of video streaming - to make sure all
| permissions are present _before_ someone wants to start a
| locally streamed call.
| avnigo wrote:
| I assumed it was to gracefully deal with handoff from one
| device to another while in a meeting since you can start on one
| device and continue with another, or maybe to share your screen
| from another device etc. It would be nice to know why exactly
| certain permissions are requested; sometimes that's done by
| telling you what feature it might break if you don't grant
| those permissions.
| uniqueuid wrote:
| That's a great observation - for handoff it would make much
| more sense to get the permission beforehand, rather than
| trying to stop all sorts of a/v and network processes to get
| the user's ok.
| mschuster91 wrote:
| It saves Microsoft traffic if people are in the same office
| building / corporate VPN and can exchange audio/video streams
| directly vs having to go through a MS-provided STUN/TURN
| intermediate server.
| lloydatkinson wrote:
| For MS I suspect either incompetence or laziness and just
| checking all the permissions (because a lot of Teams seems
| poorly thought out and designed by committee, probably an
| "agile" one too).
|
| As for Tick Tock it's obviously spyware meant for direct user
| identification. How anyone can use it when it's uploading their
| biometric information (face, voice) to the CCP is beyond
| stupidity.
| andrewmd5 wrote:
| It is to support finding devices you can cast to inside the
| app (like conference calling boxes.)
| po1nter wrote:
| It's TikTok* and do you have any evidence to support what
| you're saying or you're just pulling this from thin air?
| filoleg wrote:
| So far from what I've seen, it is mostly along the lines of
| "they technically can, so I assume they do."
|
| Even when it comes to someone like me, who is very strongly
| anti-CCP, it definitely irks me a bit. Mostly because
| making strong accusations like that without any reasoning
| other than "they can, so they definitely do it" only makes
| that position look weaker and more difficult to align with.
| Why make up those things and accusations, when there are so
| many other valid points for criticism there? There is a
| reason why "the boy who cried wolf" is a very commonly
| referenced parable.
| micromacrofoot wrote:
| Don't forget that TikTok is also currently under investigation by
| the US secretary of commerce to determine whether or not it's a
| threat to national security.
|
| Are people getting enough out of the content on TikTok to warrant
| installing an app from a country that has been outright hostile
| to the US (from a cybersecurity perspective)?
|
| I've seen some of the most popular TikTok content without ever
| creating an account.
| abledon wrote:
| This is only the TikTok iOS/Android app right? Not the web app?
| throw03172019 wrote:
| Yes, iOS app in this specific case.
| rvz wrote:
| Why does TikTok 'need' access to devices on your local network?
|
| The intention from YouTube is obvious as they use it for
| Chromecast, but why does TikTok need this particular access? Have
| they disclosed this usage somewhere?
|
| On top of that and continuing from [0], it seems that it is
| collecting even more things that you may not even know about [0].
| Far worse than the other apps out there.
|
| The purpose? The recommendation algorithm, of course. Otherwise,
| how else is it supposed to work?
|
| To Downvoters: Lots of commenters here saying that TikTok does
| not support AirPlay or Chromecast. Since that can be ruled out,
| what is the intention of this permission, and is it disclosed
| anywhere why they need such access?
|
| I'm also assuming that you know why TikTok needs access to
| devices on your local network? Maybe you can elaborate on this?
|
| [0] https://news.ycombinator.com/item?id=28137000
| jeffbee wrote:
| There are two ways that the TikTok mobile app can be used to
| control the app running on a smart TV, android TV, roku, or
| whatever.
|
| 1) The app on the smart tv can connect to a command-and-control
| network in the cloud, which will make deranged HNers howl in
| disapproval.
|
| 2) The app on the phone can discover local devices it can
| control, which will make deranged HNers howl in disapproval.
| snapetom wrote:
| Pokemon Go started asking for this back in March with an update.
| I don't think it was ever figured out why it would want access,
| and it's certainly not for Chromecast/Roku/AppleTV.
| SllX wrote:
| Pokeball Plus support. I mean, I can't speak to Niantic
| fingerprinting players because I don't know if they are, but
| you do need Bluetooth to use the Pokeball Plus properly. Also I
| believe you need Bluetooth to work with the Let's Go Pikachu
| and Eevee games on the Switch to transfer Pokemon back and
| forth, but I never did get that to work properly.
| snapetom wrote:
| Yeah, but Let's Go and Pokeball were released years ago. Go
| Plus was released almost Day 1, if I recall. All of those
| connect via Bluetooth and never required a network. They all
| still work just fine if you deny PoGo the permission to
| access devices.
| SllX wrote:
| Correct me if I'm wrong, but isn't this the same dialog
| that pops up for Bluetooth devices or am I missing
| something?
|
| I haven't used my Pokeball Plus since about a month after I
| bought it, which was basically day or week 1, but if I
| recall correctly the mandate to ask for permissions only
| came around after that time frame and I would expect it the
| next time I pulled it out.
|
| But if it does work without Bluetooth permissions, then
| that's cool, or if this is a separate dialog from the
| Bluetooth permissions dialog, then I'm just wrong, which is
| also fine and I can live with that.
| Dragging-Syrup wrote:
| Straight to the IOT isolation network
| moooo99 wrote:
| Your phone?
| MisterTea wrote:
| I mean if it's being hostile to your LAN then why not?
|
| Let the hostile phones, TVs, Sonos, toasters, etc. live on
| the IOT network and your laptop, desktop, NAS and whatever
| else you value live on your actual LAN.
___________________________________________________________________
(page generated 2021-08-16 23:00 UTC)