this post was submitted on 17 Jan 2025
1374 points (98.3% liked)

Microblog Memes
[–] [email protected] 3 points 15 hours ago (1 children)

Show me where in the Chrome or Firefox app there is code to download an executable -- not a versioned update to the app through the Play Store, but a random chunk of code -- and run it.

[–] [email protected] 1 points 15 hours ago* (last edited 14 hours ago) (1 children)

On iOS, sure, just give me the app source code and... oh wait, the compiled apps from the store are also obfuscated, guess I can't search the code for you.

On Windows though you can look at what process runs when you click "update and restart" in Firefox or Chrome. Both have an updater service that is just there to run an update exe with admin permissions. Both could be used for the same attack vector you're afraid of. Every {softwarename}_helper.exe is the same thing.

Chrome on iOS can execute JavaScript and has a history of vulnerabilities using that code execution, so much so that I even had to use the browser to jailbreak once, so I am not sure what point you're trying to make other than fear mongering. You also still haven't addressed the fact that the code execution is still sandboxed. Any app that uses Electron can download a zipped bundle of code and run it as well. Also any app with a built-in web browser is allowed to do this.

But you can also just look at Bloons TD 6 and their "downloading new content" windows when the game starts.

Let's also look at the comment from the reddit thread you originally linked.

> Phone hardware (cpu type, number of cores, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)

Yeah that's pretty normal, even JavaScript can get that just to render a page. I don't like that it's normal, but nonetheless.

> Other apps you have installed (I've even seen some I've deleted show up in their analytics payload - maybe using as cached value?)

Yeah this is normal too, and imo a huge issue. On Windows there's even an unprotected API for it. Again, I don't like it, but it is normal.

> Everything network-related (ip, local ip, router mac, your mac, wifi access point name)

Sketchy as hell, I agree, but every app you give local network access to does the same, so we should ban Messenger too.

> Whether or not you're rooted/jailbroken

Every banking app and Pokémon Go do this. This one can be very dangerous if you're jailbroken.

> Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds - this is enabled by default if you ever location-tag a post IIRC

Normal for social media. Shitty, but normal. We should just ban this feature.

> They set up a local proxy server on your device for "transcoding media", but that can be abused very easily as it has zero authentication

As does Adobe Premiere Pro and Final Cut. Sketchy again, but maybe we should just ban proxying without notifying the user.

Edit: The source your reddit source gave is agreeing with me. https://www.zimperium.com/blog/zimperium-analyzes-tiktoks-security-and-privacy-risks/

> Over the last few months, we’ve analyzed top banking apps and top travel apps, related to security and privacy issues. Much like TikTok, some of the results are alarming.

Their other source appears to not do anything and gets "suspected phishing" warnings on Firefox https://penetrum.com/research/

[–] [email protected] 2 points 14 hours ago (1 children)

This is a pretty impressive amount of deflection.

"All apps on iOS are obfuscated, so it's not important that TikTok on Android takes extra trouble to obfuscate itself in a very weird way which other Android apps generally don't do."

"All Windows apps work by downloading new binaries for themselves, because there's no package management, so it's not important that TikTok on Android takes extra trouble to bypass the package management and enable downloading custom per-user executables and running them."

"Some apps have vulnerabilities by accident, so it's not important that TikTok has a remote code execution vulnerability built in on purpose."

"Apps have a security model, which by the way can be jailbroken, so it's not important if something malicious happens within the app. Actually, forget what I said about jailbreaking."

You haven't actually addressed anything I said, just threw a whole bunch of words about related topics to make it sound like what I described about this particular topic is, within the scope of this topic, a normal thing. It's not.

[–] [email protected] 1 points 12 hours ago* (last edited 12 hours ago) (1 children)

I directly addressed what you said, and your source, and your source’s sources. And after checking your source this entire argument feels like a waste of time because the claim about TikTok is a “trust me bro” from a Reddit comment in a deleted post. I however trust him, because every app can pull and execute JavaScript. Hell, I even gave you an example of one that does the exact same thing and is targeted at kids (Bloons). You keep framing what TikTok does as a vulnerability even though it is explicitly allowed by Apple.

If you want to choose to be willfully ignorant to how bad app and data privacy is across the entire App Store then that’s your prerogative.

Caring about this obfuscation is comical and directly leans into my point about laymen getting scared by things every app does. Wait until you hear about Denuvo and dynamic obfuscation and the execution capabilities every single video game made since the 90s has.

My point isn’t TikTok good, in fact I have it blocked on my network as well as all of China on a region block; my point is that TikTok is not uniquely bad enough to justify a ban for “security and privacy” while still allowing Meta and Twitter to exist. Meta specifically is worse because Messenger does literally everything that redditor claims TikTok does.

[–] [email protected] 1 points 12 hours ago (1 children)

> Caring about this obfuscation is comical and directly leans into my point about laymen getting scared by things every app does.

I think we're done here. I could repeat myself but it would be a waste of both our time.

[–] [email protected] 0 points 12 hours ago* (last edited 11 hours ago) (1 children)

Edit: this was originally further continuing the argument but it was really rude.

If you’re seeing this I apologize. I get heated easily.

[–] [email protected] 1 points 12 hours ago (1 children)

> I looked even further into your claims, the zip downloading thing has zero evidence that I can find other than one guy on Reddit.

This is a pretty fair point. I think I saw one other analysis that was similar to the reddit guy, but most people who do security analysis of TikTok seem to say that it's not especially nefarious, or any more so than the other ones (which are all pretty nefarious). I don't know why I trust this guy and not those guys. I just found it credible and specific on the positive side, where the other side is proving the negative. But yeah, there might be a bit of confirmation bias there.

[–] [email protected] 1 points 11 hours ago (1 children)

I edited my comment before I saw you responded. My comment was rude as fuck and I apologize.

[–] [email protected] 2 points 11 hours ago (1 children)

I just ignored that part lol

It's all good, I appreciate it.

[–] [email protected] 2 points 8 hours ago

You didn’t deserve it regardless. Thank you for the patience.