Originally published in the TikTok newsroom.
We welcome legitimate review of our platform and know that staying ahead of next-generation cyber threats requires us to continuously strengthen the security of our platform and collaborate with industry-leading experts to test our defences. That's why we partner with industry leaders such as HackerOne, and it's also why we open the doors of our global Transparency and Accountability Centres for people to learn about source code and how our application’s algorithm operates.
On 13 February, the Malcore team at Internet 2.0, which describes itself as a joint US and Australian cybersecurity company, published an industry analysis that is at best misleading and at worst severely flawed and biased. According to the report, Malcore is an automated analysis tool designed to scan files and programs, detect malware and assess risk. Yet by their own admission, the Malcore team used the tool to perform an inconclusive analysis that did not include a detailed source code review. Their results contained a number of inaccuracies that should cast doubt on the validity of their findings.
In response, we had our own researchers conduct a technical analysis of Malcore's findings and below is what we found.
An SDK is a set of tools that help software developers create applications for a specific platform. We have a process to assess the overall security risk of any SDKs integrated with TikTok. In three cases, the Malcore team incorrectly identified SDK integrations. TikTok does not use Pangle, Google CrashLytics or Facebook Analytics SDKs. We use the remainder of the SDKs cited in the Malcore analysis in the following ways:
The Malcore team has not offered any explanation of the scoring system that scored TikTok the highest (worst) at 63.1, as compared to the industry standard of 34 for all other major social media apps and an average score of 28.8 for all 21 apps.
The report arbitrarily lists the assigned score weights for five factors: trackers/SDKs, dangerous permissions, high-severity warnings from code analysis results, suspicious permissions and severity warnings from code analysis results. There is no explanation of why or how these five factors were chosen.
Additionally, there is no explanation or external justification for why each factor is assigned the weight it has been assigned, with trackers/SDKs given the highest weight of 2.5 as compared to the second factor at 0.25 (10 times less) or the fifth factor (50 times less). Changing how any one category is weighted would radically alter the risk scores for TikTok and the other apps.
Notably, the report itself acknowledges that "trackers normally are a legitimate software development kit (SDK) designed to help developers understand how their apps are being used, resolve potential issues and improve their software". The skewed weighting of SDKs doesn't take into account, for example, that some companies use a master SDK, which would make the number of SDKs an even less meaningful factor to assess risk. In short, Malcore's scoring system simply doesn't make sense.
At TikTok, the privacy and security of the people who use our platform are among our highest priorities. We take our responsibility to safeguard people's privacy and security seriously and devote considerable resources to achieve this goal. We plan to continue to provide updates on our practices in our newsroom, help centre and privacy policies.