Would you like to see what data is coming out of TikTok when you first open it up? Let’s get to it.

Didn’t this used to be easy to do?

As security for iPhones and Androids increased it continually made viewing the traffic leaving your own device more difficult. This is in stark contrast to a regular web browser where you can easily open the network traffic for any site to see the back and forth of the network calls while you visit that site. For mobile apps, if you want to see the traffic on a computer, you need to do a proxy with a custom CA certificate. For years this was with Charles Proxy, Burpsuite and Wireshark. But apps continued to evolve and many began to put their own custom CA certificates inside the apps, meaning it was no longer enough to just forward the traffic to a proxy, you now had to unpin the SLL certificate within the app. This flow below is still possible with Charles or others, but in the end I ended up using the following tools.

  • Waydroid – Android Emulator: To install the target app
    • + Magisk for root + allowing user certificates
    • + LSPosed for SSL unpinning
  • MITM Proxy: to capture and view the decrypted traffic

If you’d like more detailed instructions for viewing TikTok HTTPS traffic you can find them on GitHub.

Installing TikTok

I got the APK from APKpure.net and installed it into the emulator. We rolled the dice on a lucky day and happened to download TikTok v33.3.3 so you’ll be seeing that number a lot later. Then with the MITM proxy running, I opened the app for the first time.

Launching TikTok

All the request in the rest of the post are fired within 2-3 seconds of launching, so lots of back and forth within the app and on the network.

Keep in mind, this is all traffic from the emulator, so there are other network requests mixed in that are not from TikTok.

The first one that is for sure from TikTok. You you can see the request to tiktokv.com/monitor/appmonitor/v3/settings with some basic settings being recorded.

GET https://mon-va.tiktokv.com/monitor/appmonitor/v3/settings?update_version_code=30107125&os=Android&app_version=3.1.7-rc.75.oversea&device_id=&channel=release&aid=2010&crash=npth HTTP/1.1
Content-Type: application/json; charset=utf-8


update_version_code: 30107125
os:                  Android
app_version:         3.1.7-rc.75.oversea
channel:             release
aid:                 2010
crash:               npth

This is followed shortly after with a Firebase installation:

POST https://firebaseinstallations.googleapis.com/v1/projects/musically-c51f4/installations HTTP/1.1
Content-Type: application/json

    "appId": "1:340331662088:android:3c6c52c4762af402",
    "authVersion": "FIS_v2",
    "fid": "cMbnNXy6QCGDpHT_mB3TXN",
    "sdkVersion": "a:17.0.1"

User Data

Here we see TikTok trying to figure out the carrier_region and network_sim_region all of which are empty due to Waydroid emulator not having a sim card.

POST https://api-boot.tiktokv.com/region/submit/?sdk_version=1.2.2&ac=mobile&channel=googleplay&aid=1233&app_name=musical_ly&version_code=330303&version_name=33.3.3&device_platform=android&os=android&ab_version=33.3.3&ssmix=a&device_type=WayDroid+x86_64+Device&device_brand=waydroid&language=en&os_api=30&os_version=11&openudid=6b623cdca1a14c25&manifest_version_code=2023303030&resolution=3456*1970&dpi=360&update_version_code=2023303030&_rticket=1706845427021&is_pad=1&app_type=normal&sys_region=US&timezone_name=Asia%2FTaipei&app_language=en&ac2=unknown&uoo=1&op_region=US&timezone_offset=28800&build_number=33.3.3&host_abi=armeabi-v7a&locale=en&region=US&ts=1706845427&cdid=e1907a45-45ae-4508-b5e2-171d7964d125 HTTP/1.1

Content-Type: application/json


    "carrier_region": "",
    "locale": "en_US",
    "mcc_mnc": "",
    "network_sim_region": "",
    "system_language": "en",
    "system_region": "US"

Now we see the main set of data coming out of the device. This information is repeated in most other requests back and forth. Let’s note some of the interesting ones:

  • op_region/sys_region: US
  • device_type: WayDroid x86_64 Device
  • device_brand: waydroid
  • language: en
  • os_api: 30
  • os_version: 11
  • openudid: 6b623cdca1a14c25
  • manifest_version_code: 2023303030
  • resolution: 3456*1970
  • dpi: 360

These are all accurate to the emulator Waydroid, running on my laptop, note the resolution. The op_region/local US and en are related to the Google Play account I am signed into with on the phone, while Asia/Taipei is the current timezone.

GET https://api-boot.tiktokv.com/passport/account/info/v2/?scene=normal&multi_login=1&account_sdk_source=app&passport-sdk-version=19&ac=mobile&channel=googleplay&aid=1233&app_name=musical_ly&version_code=330303&version_name=33.3.3&device_platform=android&os=android&ab_version=33.3.3&ssmix=a&device_type=WayDroid+x86_64+Device&device_brand=waydroid&language=en&os_api=30&os_version=11&openudid=6b623cdca1a14c25&manifest_version_code=2023303030&resolution=3456*1970&dpi=360&update_version_code=2023303030&_rticket=1706845427440&is_pad=1&app_type=normal&sys_region=US&timezone_name=Asia%2FTaipei&app_language=en&ac2=unknown&uoo=0&op_region=US&timezone_offset=28800&build_number=33.3.3&host_abi=armeabi-v7a&locale=en&region=US&ts=1706845427&cdid=e1907a45-45ae-4508-b5e2-171d7964d125&support_webview=1&okhttp_version= HTTP/1.1
Accept-Encoding: gzip
x-tt-app-init-region: carrierregion=;mccmnc=;sysregion=US;appregion=US
sdk-version: 2
x-tt-dm-status: login=0;ct=0;rt=7
X-SS-REQ-TICKET: 1706845427445
passport-sdk-version: 19
pns_event_id: 9
x-vc-bdturing-sdk-version: 2.3.5.i18n
User-Agent: com.zhiliaoapp.musically/2023303030 (Linux; U; Android 11; en_US; WayDroid x86_64 Device; Build/RQ3A.211001.001;tt-ok/
X-Khronos: 1706845427
X-Argus: 7GLcN9rck1opShLax2FYZ6IEse0/+7WsuaKmyIiBDG+6fGK3w28aOXo0P7vp+fn22ye3LeqP7I4Ae7hQ/WjqBfQLsgEqgEj/jXsiIw7KXBcp/70AXu0vGG/KKiwGBTCmPaGv38VAQGTzWfyiwLU1K7IcxJ4QInnEhmQjmzf2A6trku+NcY0FBApGxTeWBHipRBSvOrkMnuzT5hIq/99QXXgTId9ylIiqjilm9iGrk0aU3JnpA9BKsXQonstxlmpQrJqApi3c7FOVdHJs5ZwatAkRNVNXvQP5gVdQZcCrILMDcw==
X-Gorgon: 0404c05b000015eb3032a8aa4fd780a54ff4e00eabc7dc70d487
Host: api-boot.tiktokv.com
Connection: Keep-Alive

scene:                   normal
multi_login:             1
account_sdk_source:      app
passport-sdk-version:    19
ac:                      mobile
channel:                 googleplay
aid:                     1233
app_name:                musical_ly
version_code:            330303
version_name:            33.3.3
device_platform:         android
os:                      android
ab_version:              33.3.3
ssmix:                   a
device_type:             WayDroid x86_64 Device
device_brand:            waydroid
language:                en
os_api:                  30
os_version:              11
openudid:                6b623cdca1a14c25
manifest_version_code:   2023303030
resolution:              3456*1970
dpi:                     360
update_version_code:     2023303030
_rticket:                1706845427440
is_pad:                  1
app_type:                normal
sys_region:              US
timezone_name:           Asia/Taipei
app_language:            en
ac2:                     unknown
uoo:                     0
op_region:               US
timezone_offset:         28800
build_number:            33.3.3
host_abi:                armeabi-v7a
locale:                  en
region:                  US
ts:                      1706845427
cdid:                    e1907a45-45ae-4508-b5e2-171d7964d125
support_webview:         1
use_store_region_cookie: 1

Next we see calls for api-boot.tiktokv.com/aweme/v1/compliance which note that I am not a teen or child. Additionally is_new_user=0 which must mean that I’ve before downloaded TikTok with this Google account. Keep in mind, this is all within a second or two of running the app, so I assume this must be coming from Android operating system, and it’s possible last year I had installed TikTok at some point on the emulator, though I don’t remember that.

GET https://api-boot.tiktokv.com/aweme/v1/compliance/settings/?teen_mode_status=0&ftc_child_mode=-1&is_new_user=0&ac=mobile&channel=googleplay&aid=1233&app_name=musical_ly&version_code=330303


    teen_mode_status:      0
    ftc_child_mode:        -1
    is_new_user:           0

Bytes & Encoded data

Now we get to several sets of data that I am unsure how to decode. They generally were mixed in and looked like raw data as well as base64 looking encoded data inside JSONs. These were usually outgoing to log-boot.tiktokv.com/service/2/ . If anyone has some advice for how I can decode those, please let me know, I’d love to try. Below is one of the ones in a json called ‘tt_info’

tt_info: dGMFEAAAlvLESZ997zk5Px-2kAYlx-kHxuOSdiZnulg3tu52u3oUB2f5Q4YZlXJbWNffksbeHYS8

Here’s another interesting one, maybe it’s reading into it too much, but it goes to passport/device/trust_users and the response trusted_users: null makes me think I’m not yet a trusted user 🤔

POST https://api22-normal-c-useast1a.tiktokv.com/passport/device/trust_users/?iid=7330845107434735365&device_id=7330843323034600966&ac=mobile&channel=googleplay

URLEncoded form

last_login_way:      -1
last_login_time:     0

    "data": {
        "trust_users": null
    "message": "success"

This one libra was super interesting, in the RESPONSE we see some interesting things. Looks like they are testing AppsFlyer as well as something related to mac address, though unclear what it is:

GET https://libra-va.tiktokv.com/common?

    "client_hash_value": "lCGnf1lHGbMNzL6XcO6aHA==",
    "code": 0,
    "data": {
        "AWERouter_schema_intercept_switch": {
            "type": 2,
            "val": false,
            "vid": 121360057
        "AppLog_sample_switch": {
            "type": 2,
            "val": 1,
            "vid": 121347504
        "AppLog_send_callback_config": {
            "type": 2,
            "val": {
                "ban_header_list": [
                "enableDefault": true
            "vid": 121347516
        "AppsFlyRresourceExperiment": {
            "type": 2,
            "val": 1,
            "vid": 121345122
        "BA_policy_number": {
            "type": 2,
            "val": 1,
            "vid": 121376992

Setting permissions

Later on in that we also see some lists of whitelisted js (javascript?) services that likely can run in the Webview. Interestingly, there is also a large list for music as well. I tried looking into these services and many seem like likely partners for tools like captcha, payment. faceueditor I couldn’t find though.

        "_jsmanage_tt_js_auth": {
            "type": 2,
            "val": {
                "allowList": [
                "blockList": [],
                "businessLine": 3,
                "geckoUrl": "https://lf16-gecko-source.tiktokcdn.com/obj/tiktok-teko-source-sg/tt/webview/js_manage/tiktok_webview_js_inject_manage/assets/js/tt_js_auth.js",
                "injectTime": "very_beginning",
                "isUseHardCode": false,
                "name": "_jsmanage_tt_js_auth"
            "vid": 121373567
        "_jsmanage_tt_music_perf": {
            "type": 2,
            "val": {
                "allowList": [
                "blockList": [],
                "businessLine": 4,
                "geckoUrl": "https://lf16-gecko-source.tiktokcdn.com/obj/tiktok-teko-source-sg/tt/webview/js_manage/tiktok_webview_js_inject_manage/assets/js/tt_music_perf.js",
                "injectTime": "custom_manual",
                "isUseHardCode": true,
                "name": "_jsmanage_tt_music_perf"
            "vid": 121377589


And finally we see the first indications of ads with the Google Advertising ID gaid from the Waydroid device.

GET https://api-boot.tiktokv.com/tiktok/ug/landing/ads/dest/get/v1/

gaid:                  d5f9e1fb-d518-4efe-86d7-250787a2a1a7
ac:                    mobile
channel:               googleplay
aid:                   1233
app_name:              musical_ly

Followed by the install conversion event for AppsFlyer, the contents of which are just a raw hex dump I’m not sure what to do with.

POST https://conversions.appsflyer.com/api/v6.4/androidevent?app_id=com.zhiliaoapp.musically&buildnumber=6.4.0 HTTP/1.1

0000000000 b9 ce ac 61 47 19 b4 f7 4f e0 2e 56 6f 9c 0b 82   ...aG...O..Vo...
0000000010 3f 72 47 4f 50 f4 14 6e 46 f6 d6 82 37 6f 55 0a   ?rGOP..nF...7oU.
0000000020 b7 91 d0 93 7f 08 4a fb d5 93 51 cb 23 32 56 52   ......J...Q.#2VR
0000000030 7a b9 f2 49 ac f8 d4 b2 6b 40 bf 7b 52 ed 61 c9   z..I....k@.{R.a.
0000000040 18 07 29 ac 61 37 9b 4c 8a 51 7a 8d 62 3d eb ed   ..).a7.L.Qz.b=..

The response from AppsFlyer shortly after correctly identifies me as an organic (I didn’t arrive from an ad) user:

    "af_message": "organic install",
    "af_status": "Organic",
    "install_time": "2024-02-02 03:43:50.386"

Content & Terms of Service

And now we’re getting to some content, like this still JPEG:

So, now it’s 3 seconds later, and let’s see where we are in the app experience:

    "data": {
        "/aweme/v1/compliance/settings/": {
            "body": {
                "about_privacy_policy_url": "https://www.tiktok.com/legal/privacy-policy-row",
                "ad_personality_settings": {
                    "att_status": 255,
                    "is_follow_sys_config": false,
                    "is_np_user": 1,
                    "is_show_settings": false,
                    "limit_ad_tracking": false,
                    "mode": 0,
                    "need_pop_up": false,
                    "pa_revising_switch": false,
                    "pers_ad_data_received_partner_mode": 0,
                    "pers_ad_show_data_received_partner": false,
                    "pers_ad_show_third_party_networks": false,
                    "pers_ad_third_party_networks_mode": 0,
                    "unified_mode": 0
                "age_gate_info": {
                    "age_gate_action": 0,
                    "age_gate_post_action": 0,
                    "register_age_gate_action": 0
                "cmpl_enc": "UNKNOWN",
                "commercial_content_library_url": "https://www.tiktok.com/adlibrary",
                "device_limit_register_expired": true,
                "extra": {
                    "fatal_item_ids": [],
                    "logid": "20240202034347AC84497362B5DDABA59B",
                    "now": 1706845428000
                "idfa_popup_allow": false,
                "interface_control_settings": "{\"rules\":null,\"use_new_control\":true,\"user_type\":\"-1\",\"version\":\"11\"}",
                "log_pb": {
                    "impr_id": "20240202034347AC84497362B5DDABA59B"
                "parental_guardian_name": "Family Pairing",
                "policy_info_list": [
                        "policy_key": "privacy-policy",
                        "policy_url": "https://www.tiktok.com/legal/privacy-policy"
                        "policy_key": "terms-of-service",
                        "policy_url": "https://www.tiktok.com/legal/terms-of-service"
                        "policy_key": "tiktok-shoutouts-user-terms-of-service",
                        "policy_url": "https://www.tiktok.com/legal/tiktok-shoutouts-user-terms-of-service"
                        "policy_key": "cookie-policy",
                        "policy_url": "https://www.tiktok.com/legal/cookie-policy"
                        "policy_key": "virtual-items",
                        "policy_url": "https://www.tiktok.com/legal/virtual-items"
                        "policy_key": "rewards-policy-eea",
                        "policy_url": "https://www.tiktok.com/legal/rewards-policy-eea"
                        "policy_key": "privacy-policy-for-younger-users",
                        "policy_url": "https://www.tiktok.com/legal/privacy-policy-for-younger-users"
                        "policy_key": "copyright-policy",
                        "policy_url": "https://www.tiktok.com/legal/copyright-policy"
                        "policy_key": "changes-to-personalised-advertising-in-the-eea",
                        "policy_url": "https://www.tiktok.com/legal/changes-to-personalised-advertising-in-the-eea"
                "policy_notice_enable": true,
                "status_code": 0,
                "terms_consent_for_register_info_new_users": {
                    "checkbox_agree_all_terms": "Agree to all",
                    "checkbox_privacy_policy": "Consent to the collection and use of personal information (Required)",
                    "checkbox_terms_of_use": "Consent to the Terms of Service (Required)",
                    "checkbox_tr_notification_subtitle": "Get notifications about trending videos and promotions on TikTok. You can review and edit your settings at any time. Not allowing this type of notification does not limit your use of the TikTok service.",
                    "checkbox_tr_notification_title": "Consent to the receipt of trending content and promotional notifications (Optional)",
                    "tiktok_privacy_policy_url": "https://www.tiktok.com/legal/terms-and-conditions-kr?lang=ko-KR",
                    "tiktok_terms_of_use_url": "https://www.tiktok.com/legal/page/row/terms-of-service/ko-KR",
                    "title": "Terms and conditions"

Let’s tap agree and see what happens.

POST https://api22-normal-c-useast1a.tiktokv.com/consent/api/record/create/v1?...

entity_keys:   conditions-policy-device-consent
business_flow: consent_box
status:        1

And an updated set of compliance, similar to the one from above.

GET https://api22-normal-c-useast1a.tiktokv.com/aweme/v1/compliance/settings/?teen_mode_status=0&ftc_child_mode=-1&is_new_user=0

    "about_privacy_policy_url": "https://www.tiktok.com/legal/privacy-policy-row",
    "ad_personality_settings": {
        "ad_free_subscription": {
            "subscription_mode": 0
        "att_status": 255,
        "description": "With this setting, the ads you see on TikTok can be more tailored to your interests based on data that advertising partners share with us about your activity on their apps and websites.\nYou will always see ads on TikTok based on what you do on TikTok or other data described in our privacy policy.",
        "disable_att_overwrite_pa": 1,
        "enable_toggle_decoupling": true,
        "is_follow_sys_config": false,
        "is_new_user": 1,
        "is_np_user": 0,
        "is_show_3p_data_control": false,
        "is_show_reset_entry": false,
        "is_show_settings": true,
        "is_teenager_mode": 0,
        "limit_ad_tracking": false,
        "mode": 1,
        "need_pop_up": false,
        "pa_revising_switch": false,
        "pers_ad_data_received_partner_mode": 0,
        "pers_ad_main_mode_title": "Using Off-TikTok activity for ad targeting",
        "pers_ad_show_data_received_partner": false,
        "pers_ad_show_interest_label": true,
        "pers_ad_show_third_part_measurement": false,
        "pers_ad_show_third_party_networks": false,
        "pers_ad_third_party_networks_mode": 0,
        "show_advertiser_settings": true,
        "unified_mode": 0,
        "use_new_interests": 1
    "age_gate_info": {
        "age_gate_action": 0,
        "age_gate_post_action": 0,
        "register_age_gate_action": 2

After Terms Of Service: And we’re off!

The app shows the video stream and the API requests are flying back and forth now, many a second, so there’s lots more to look at next time. Overall the data seems pretty standard with a few interesting things to look into like the still encrypted data, the connected services and of course, everything after you agree to those Terms of Service.