TikTok: What is an app log?

Since my first article, TikTok: Logs, Logs, Logs, a lot of things have happened.

It’s time to continue our journey. Let’s stick to the facts to better understand what TikTok is really doing under the hood.

Disclaimer

  • TikTok offers a plethora of features to its users thanks to its millions of lines of code. As such, a single article cannot cover a question as broad and nebulous as “does TikTok pose a threat to US national security?”. That’s why I’ll cover the matter over several articles, each focused on a specific subject.

  • My name is Baptiste Robert, I’m a French security researcher. I’ve been analysing mobile apps for years. You can find my public work at fs0c131y.com/press and my stupid tweets at twitter.com/fs0c131y.

  • My goal here is to be totally transparent. I will share everything you need to verify what I’ve written in this article.

  • If you’d like to skip the technical details, a TL;DR is available at the end of the article.

I) Introduction

In my previous article, TikTok: Logs, Logs, Logs, I decrypted the content of the app_log network requests made by TikTok.

After decrypting, a question remained:

Event logging. I’d need to take a closer look at what they consider to be “events” but as far as I can tell, it seems to be a pretty standard analytics solution.

In this article, I will answer the following question: What is the definition of an app log for TikTok?

II) What is a TikTok app log?

Our starting point is the app_log keyword. In order to understand how TikTok handles the app logs, I decompiled the app and analysed the source code. I quickly found the definition of the ss_app_log.db in the DBHelper class.

This is interesting, TikTok uses a local database to store the app logs. I inspected my test phone to confirm.

As you can see, TikTok creates a lot of databases. If you open the ss_app_log.db, you can find some data in the event tables.

But let’s go back to the code and the DBHelper class defined in the com.ss.android.common.applog package. Obviously, we are interested in understanding what TikTok inserts in ss_app_log.db.

The signatures of these methods give us 3 new objects: LogEvent, LogPage, LogSession.

That answers our initial question! A TikTok app log can be a LogEvent, LogPage or LogSession.

III) What is (really) inside these app logs?

Great, I found definitions of the different log objects, but what is TikTok really sending?

It’s time to use Frida to intercept the 6 insert methods of the DBHelper class.

Thanks to this method, I obtained the details of all the app logs created by TikTok when I used the app. Here is an example of a Log Session, a Log Event, a Log and a Misc Log.

I also published a full list of app logs created by TikTok during an app launch: https://gist.github.com/fs0c131y/b4ef278e8863c636964793e1b27f889d

Do these logs contain personal data? Not really. The most you can find is data about your device (os, os version, device model, device brand, display density, …) but that’s pretty much it.
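To repeat this check on a copy of ss_app_log.db pulled from a test phone, the following added example (not code from the original article or from TikTok) walks every table in a SQLite file, collects the JSON field paths stored in its text columns, and lists the ones that are not known device attributes. The table and column names in `sample_db` and the key names in `DEVICE_KEYS` are hypothetical, constructed only so the script runs offline.

```python
import json
import sqlite3

# Assumed key names for the device attributes the article lists (os, model, brand, ...).
DEVICE_KEYS = {"os", "os_version", "device_model", "device_brand", "density_dpi"}

def leaf_paths(value, prefix=""):
    """Yield the dotted path of every scalar field in a decoded JSON value."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from leaf_paths(v, f"{prefix}.{k}" if prefix else k)
    elif isinstance(value, list):
        for item in value:
            yield from leaf_paths(item, prefix)
    elif prefix:
        yield prefix

def audit(conn):
    """Return {table: {"rows": n, "keys": JSON field paths seen in its text cells}}."""
    report = {}
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
        keys, rows = set(), 0
        quoted = '"' + table.replace('"', '""') + '"'  # identifier quoting
        for row in conn.execute(f"SELECT * FROM {quoted}"):
            rows += 1
            for cell in row:
                if isinstance(cell, str) and cell.lstrip().startswith(("{", "[")):
                    try:
                        keys.update(leaf_paths(json.loads(cell)))
                    except ValueError:
                        pass  # looked like JSON but is not; skip the cell
        report[table] = {"rows": rows, "keys": keys}
    return report

def non_device_keys(report):
    """Field paths whose leaf name is not a known device attribute; review these by hand."""
    found = set().union(*(t["keys"] for t in report.values()))
    return sorted(k for k in found if k.rsplit(".", 1)[-1] not in DEVICE_KEYS)

def sample_db():
    """Constructed stand-in for a pulled ss_app_log.db; the schema is hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE event (tag TEXT, ext_json TEXT);"
                       "CREATE TABLE session (value TEXT);"
                       "INSERT INTO session VALUES ('not-json');")
    conn.executemany("INSERT INTO event VALUES (?, ?)", [
        ("launch", json.dumps({"header": {"os": "Android", "device_model": "Pixel 3"}})),
        ("click", json.dumps({"params": [{"enter_from": "homepage"}]})),
    ])
    return conn
```

For a real database, pass `sqlite3.connect(<path to the pulled file>)` to `audit` instead of `sample_db()`.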

TLDR

In this article, I define TikTok app logs. I found definitions for the different types of logs and observed them being created dynamically. After analysis, it appears that app logs do not contain personal data.

With these 2 articles we have a good overview of the TikTok app logs. The next article will be dedicated to the WSJ revelation and how TikTok used a well-known trick on Android to obtain the MAC address of the user’s devices.

Don’t forget to follow me on Twitter and if you have questions don’t hesitate to send me a message on Twitter or by email at fs0c131y@protonmail.com.