How TikTok is spying on it's users and is getting away with it

Hi it's me again, since my computer class is getting boring i was thinking to use this blog for researching purposes. Let's start by saying that i used to have TikTok in 2014 when it was called musical.ly. It was quite popular amongst my classmates. Well i had an account we'll label it as main identity, and two other accounts that i'll call alt-1 and alt-2. My main account was used to follow old elementary school friends, while the alts were used to just scroll over random videos and have fun, i guess...

2 months ago i logged to my main account, in order to get in touch with an old friend of mine. Then i logged out to my alts. And well, my feed suddenly changed with videos of my old elementary school.

Scared i realized that TikTok not only knew that all the 3 accounts were tied to the same person but knew also where I used to attend my elementary class

but how

Many people think that a VPN can protect your identity, by obfuscating your IP address through a proxy server. Well, it turns out that many services out there don't relies on an IP address or user agent because they know that these values could be easily spoofed. They use more subtle techniques that we group in a macro-category called "fingerprinting". By "fingerprinting" your devices, they can check values such as your screen size, what is the model of your device, how much time your device needs to create a vector image and raster it, record an audio, and getting its bitstream in order to generate an unique ID and cross-reference it on their users DB. I discovered that TikTok uses an open-source library called fingerprintJS to Fingerprint their users. This library uses techniques such as audio fingerprinting, WEBGL fingerprinting (remember that TikTok uses WebGL for their filters), and WebRTC fingerprinting

Experimenting with fingerprinting

Since I want to conceptually prove what i'm saying I'll use their open Android SDK to test it out. On their website, it is claimed that they're able to fingerprint you unless you do a complete factory reset

I took several test, First, i got my fingerprint

Then I killed the app and used a VPN

then I rebooted my phone

And finally, i uninstalled and reinstalled the app

It doesn't matter what we change, we are still able to track this device. So the next question might be

How we can protect ourselves

Unfortunately, tiktok protects every single API call with two headers called X-Kronos and X-Gorgon. These values are generated natively, And the library that generates these values is protected with a custom OLLVM Fork. Even if you can bypass it, the algorithm will change within a week. So please STAY AWAY FROM TIKTOK. And for the god's sake, don't give out your privacy for some funny videos.

References

[1] https://rufposten.de/blog/2019/12/05/privacy-analysis-of-tiktoks-app-and-website/

[2] https://github.com/fingerprintjs/fingerprintjs

[3] https://fingerprint.com/blog/audio-fingerprinting/

[4] https://github.com/fingerprintjs/fingerprintjs-android

Edit more fingerprint proof (web-based)

and our old s__v__webid