The first possibility that comes to my mind would be sniffing Ethernet MAC addresses because it could be done without any sort of device-specific support built into the app. Assuming your local devices’ manufacturers are following Da Rulez, the first part of their MAC address usually tells you the company, and the second part tends to be individualized/serialized.
That would, for example, let TikTok derive when certain users are together IRL if they both show up scan-adjacent to a unique MAC. Or maybe it could let them derive multiple accounts belonging to a single person if one is used on VPN-only to discuss political or personal topics that person might not want associated with their IRL identity.
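The vendor/serial split described above, and the flag that tells you when a device is using a randomized address instead (the mitigation that blunts this kind of fingerprinting), as an added JavaScript example that is not code from the thread; the OUI table is a constructed stand-in for the IEEE registry and the scan result is made up:

```javascript
// Added example (not from the thread): how the two halves of a MAC address
// split, and why OS-level MAC randomization blunts the idea above.
// SAMPLE_OUI is a constructed lookup table, not the real IEEE registry.
const SAMPLE_OUI = {
  "00:1A:2B": "Vendor A (constructed entry)",
  "00:3C:4D": "Vendor B (constructed entry)",
};

// Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return AA:BB:CC:DD:EE:FF.
function normalizeMac(raw) {
  const hex = raw.replace(/[^0-9a-fA-F]/g, "").toUpperCase();
  if (hex.length !== 12) throw new Error(`not a 48-bit MAC address: ${raw}`);
  return hex.match(/.{2}/g).join(":");
}

function classifyMac(raw) {
  const mac = normalizeMac(raw);
  const firstOctet = parseInt(mac.slice(0, 2), 16);
  // Bit 0 of the first octet: multicast (group) address, never a single device.
  const multicast = (firstOctet & 0x01) !== 0;
  // Bit 1: locally administered. Randomized ("private") Wi-Fi addresses set this
  // bit, so the OUI no longer names a manufacturer and the NIC half is not serialized.
  const locallyAdministered = (firstOctet & 0x02) !== 0;
  const oui = mac.slice(0, 8);
  return {
    mac,
    oui,
    nic: mac.slice(9),
    multicast,
    locallyAdministered,
    vendor: locallyAdministered ? null : (SAMPLE_OUI[oui] ?? "unknown OUI"),
    // Only a burned-in unicast address is a stable cross-session identifier.
    stableIdentifier: !multicast && !locallyAdministered,
  };
}

// Defender's view: which devices in a scan expose a stable, vendor-tagged
// address (candidates for turning on address randomization on the device side).
function stableIdentifiers(macs) {
  return macs.map(classifyMac).filter(c => c.stableIdentifier).map(c => c.mac);
}

// Constructed sample scan result.
const SAMPLE_SCAN = ["00:1a:2b:3c:4d:5e", "5e-1a-2b-3c-4d-5e", "01:00:5e:00:00:fb", "003c.4d11.2233"];
```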
Not only does TikTok have a ton of overt data about users but also contemporaneous data like usage patterns and physical location. Then using the app to collect and exfiltrate information about all manner of foreign networks. I can pass off that data to my government-run hacking [2] groups [3] as well as regime-favored businesses for some really great market research.
[0] https://finance.yahoo.com/news/bytedance-says-china-unit-hol...
[1] https://en.m.wikipedia.org/wiki/Cybersecurity_Law_of_the_Peo...
Being able to MITM and see what your apps and OS are sending back is the first step to real privacy.
Also: TikTok doesn’t support AirPlay or Chromecast.
[1] Per the user’s instructions on a good day at least.
https://play.google.com/store/apps/details?id=com.ss.android...
Based on the things they do call out as permissions this app is scary.
TikTok doesn’t support Chromecast (I think)
My charitable guess is they're adding support for Chromecasting behind feature flags/AB testing, but don't yet have it correctly enabled/disabled. There was a lot of uproar over Instagram immediately using the microphone/camera constantly, when they actually just always had the API initialized to make swiping to the camera snappier.
[edit] And of course, there's WebRTC leaking your local IP - which uBlock Origin can specifically block [2].
[1] https://www.bleepingcomputer.com/news/security/ebay-port-sca...
[2] https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-l...
I thought you had to use the information nefariously for there to be a crime.
How can receiving broadcasts be illegal?
Apparently, some Chinese smart TV brands have been doing similar things, but I wouldn't be surprised if most other vendors have caught up and used stealthier techniques.
[edit] Here's the news about those Chinese TVs [2] and the original report [3]
[1] https://arstechnica.com/information-technology/2013/11/lg-sm...
[2] https://www.theregister.com/2021/05/04/skyworth_gozen_smart_...
I wonder if I could rob a bank, then if I got caught claim "I was just checking to make sure they had enough money to cover my deposits!"
You’ll need a router/firewall and an AP that are both VLAN-aware. I personally use an EAP225 and some eBay industrial PC running FreeBSD.
"Keep in mind that this feature is to prevent leakage of your non-internet-facing IP addresses. The purpose of this feature is not to hide your current internet-facing IP address -- so be cautious to not misinterpret the results of some WebRTC-local-IP-address-leakage tests found online."
That said, my Firefox 91 and Safari don't leak local IPs regardless of the uBlock setting.
Warrants more investigation perhaps.
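To make the quoted caveat concrete, here is an added JavaScript example (not code from the thread or from uBlock Origin) that classifies the ICE candidate lines a WebRTC "leak test" page receives, separating non-internet-facing addresses, which the setting is about, from the public address it never hides; the candidate lines are constructed:

```javascript
// Added example, not from the thread or from uBlock Origin. Classifies ICE
// candidates the way a WebRTC leak-test page would, to show what the uBlock
// setting can and cannot hide. The candidate lines below are constructed.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0",
  "candidate:2 1 udp 2122260223 a1b2c3d4-5e6f-4a7b-8c9d-0e1f2a3b4c5d.local 54321 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:4 1 udp 2122197247 fe80::1c2d:3e4f:5a6b:7c8d 54321 typ host",
];

// Minimal parse of the SDP candidate attribute: we only need address and type.
function parseCandidate(line) {
  const m = /^candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/.exec(line);
  if (!m) throw new Error(`malformed ICE candidate: ${line}`);
  return { address: m[5], port: Number(m[6]), type: m[7] };
}

// "mdns": browser replaced the LAN address with an mDNS name (modern default).
// "private"/"link-local": non-internet-facing, the thing the uBlock setting hides.
// "public": internet-facing; the setting does not hide these.
function addressKind(addr) {
  if (addr.endsWith(".local")) return "mdns";
  const v4 = /^(\d+)\.(\d+)\.\d+\.\d+$/.exec(addr);
  if (v4) {
    const a = Number(v4[1]), b = Number(v4[2]);
    if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "private";
    return a === 169 && b === 254 ? "link-local" : "public";
  }
  const v6 = addr.toLowerCase();
  if (/^fe[89ab]/.test(v6)) return "link-local"; // fe80::/10
  if (/^f[cd]/.test(v6)) return "private";       // fc00::/7 unique local
  return "public";
}

function classifyCandidate(line) {
  const c = parseCandidate(line);
  const kind = addressKind(c.address);
  const leaksLocalAddress = c.type === "host" && (kind === "private" || kind === "link-local");
  return { ...c, kind, leaksLocalAddress, revealsPublicAddress: kind === "public" };
}

// Summary a test page would show: local addresses that leaked, and public
// addresses exposed regardless of the local-IP setting.
function summarize(lines) {
  const rows = lines.map(classifyCandidate);
  return {
    localLeaks: rows.filter(r => r.leaksLocalAddress).map(r => r.address),
    publicAddresses: rows.filter(r => r.revealsPublicAddress).map(r => r.address),
  };
}
```

In a real test page the same functions would run inside the `icecandidate` handler of an `RTCPeerConnection`; an mDNS-only result is what the Firefox/Safari observation above looks like.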
They use the local network as one of their sensors to identify you (fingerprinting). However they have plenty more (see their privacy policy).
To be fair quite a lot of apps did this to enable deep links/automatically opening certain clipboard links. Every big app has changed this to no longer show the 'pasted from' notification. And it was never shown that they export those clipboard contents to homebase.
When it comes to an app gathering data for a company, is anybody really willing to give the app makers the benefit of the doubt? If there is information available, somebody is going to take it and try to squeeze a penny out of it. Not everybody, but when it gives you a competitive advantage it has a tendency to grow.
— Jeremy Burge (@jeremyburge) June 24, 2020
TikTok wasn’t checking it for link opening …
Is that because they stopped checking your clipboard, or because they managed to check in a way that doesn't alert the user?
Well they already disclosed the other ways they are identifying you in [0] but have they disclosed this one that finds other devices on your local network for 'fingerprinting' purposes in their privacy policy?
The worst thing about this is that they haven't disclosed as to why they are specifically doing this. Not even the commenters here know why, since we can rule out AirPlay and Chromecast support as valid reasons to request such permissions.
That's a design error on the UI side. An app should not have read access to the clipboard, it should have the ability to accept data from the clipboard when the user pastes it.
But why? It's an app... I guess this can allow them to link other people in your household to you, but isn't the wifi network name already available?
Regardless, Apple has done the right thing by putting this behind a permissions box, but the developer should be required to have some sort of explanation string of why they need this.
It's annoying because it's not like other permissions, where you can ask the OS to prompt the user and check if the user granted it or not, but it's some special permission. If the user, by mistake because they don't know that it's needed, doesn't grant it that one time, it's impossible to ask again, and the app doesn't have a way to know that the permission was not granted. It's just something that customer service has to handle, and that is bad.
Sure, it's right to ask for a permission, so make it a regular permission like the location permission.
Normally if I want to use a permission, say location, I need to provide a value for the given permission in my app's `info.plist` file, and if I don't and the app tries to grab the current location, it crashes with logs yelling at me to provide a description for the location privacy key.
With local network permissions it's different.
I've never had to do any local networking in my career as an iOS dev, so I downloaded Apple's peer to peer example app (https://developer.apple.com/documentation/network/building_a...), removed the `Privacy - Local Network Usage Description` key/value pair from the `info.plist` file and ran the app on my device.
I fully expected a crash with a description telling me to add this key but iOS just filled in the missing description with a default value and asked away. I wonder why that permission is treated differently from the rest?
You scan a QR code with one device and it transfers the entire account state to the new phone.
https://docs.microsoft.com/en-US/microsoftteams/use-ndi-in-m...
I do trust Microsoft to collect all tracking data that's possible at all, but at least there is also a valid use case here.
It's even somehow plausible that they would require this permission for any kind of video streaming - to make sure all permissions are present before someone wants to start a locally streamed call.
As for Tick Tock it’s obviously spyware meant for direct user identification. How anyone can use it when it’s uploading their biometric information (face, voice) to the CCP is beyond stupidity.
You’re asking a forum of power users/creators, where a loud minority completely unironically still use desktop & laptop computers for activities besides work. The only people on earth less understanding (intentionally or not) of consumer behavior are the Sentinelese.
Is using a desktop or laptop for non-work activities ironic somehow?
And let's not forget that Apple actively works against this way of working by intentionally gimping their browser capabilities and outright disallowing competing browsers.
So why it happens exactly would be interesting.
Making an outgoing TCP connection — yes
Listening for and accepting incoming TCP connections — no
Sending a UDP unicast — yes
Sending a UDP multicast — yes
Sending a UDP broadcast — yes
Receiving an incoming UDP unicast — no
Receiving an incoming UDP multicast — yes
Receiving an incoming UDP broadcast — yes
And finally usage of Bonjour operations.
[1] https://developer.apple.com/forums/thread/663874
Not sure if such a policy is a good idea, especially if the permission prompt automatically appears upon network activity without explicit developer intention. This will simply condition users to click "OK" without understanding what's going on.
That opens new questions; for example, what's a "custom" DNS query? One that doesn't use mDNSResponder (or whatever iOS uses right now)?
After that dialog was introduced I saw it pop up on Stack Overflow for some relatively common libraries (for instance with Unity) even if they did not attempt to access the local network.
Maybe it’s just as innocent as this, but OTOH, it’s TikTok we’re talking about.
It happened to me just yesterday: “Why does X require local network access? Ugh.” A minute later “Oh, Y is also requiring network access.”
Yes, I was on a public wifi.
This may be 100% Apple’s fault, everyone here is just commenting on a photo and not confirming that they also saw the message today.
All kinds of apps I use regularly, which have absolutely no use for it, started asking for permission to list devices on local network.
IMHO the OS or some common proxy app should take care of this. Yes, Chromecasting is a legitimate case and it's nice of TikTok or any other relevant app to offer such a feature but I don't trust random (let alone Chinese) app vendors to scan my home network.
1) The app on the smart TV can connect to a command-and-control network in the cloud, which will make deranged HNers howl in disapproval.
2) The app on the phone can discover local devices it can control, which will make deranged HNers howl in disapproval.
The intention from YouTube is obvious as they use it for Chromecast, but why does TikTok need this particular access? Have they disclosed this usage somewhere?
On top of that and continuing from [0], it seems that it is collecting even more things that you may not even know about [0]. Far worse than the other apps out there.
The purpose? The recommendation algorithm, of course. Otherwise, how else is it supposed to work?
To Downvoters: Lots of commenters here are saying that TikTok does not support AirPlay or Chromecast. Since that can be ruled out, what is the intention of this permission, and is it disclosed anywhere why they need such access?
I'm also assuming that you know why TikTok needs access to devices on your local network? Maybe you can elaborate on this?