I de-compiled TikTok (“com.zhiliaoapp.musically” v33.3.3 from Feb 2nd, 2024) from ApkPure.net and noticed that the way it called AppsFlyer looked a bit different than what I expected, which quickly led me to a GitHub issue that makes it seem like they are using an outdated way to collect install information from Google Play that may have security vulnerabilities. Particularly, could a malicious app use this to ‘steal’ TikTok install attributions?
In this setup you see that TikTok is using a receiver com.appsflyer.SingleInstallBroadcastReceiver to listen for the com.android.vending.INSTALL_REFERRER event. This might allow a malicious app to listen for the INSTALL_REFERRER event. You can see this is not recommended by AppsFlyer in this GitHub issue, and it is not their recommended installation setup.
<application>
    <receiver android:exported="true" android:name="com.appsflyer.MultipleInstallBroadcastReceiver">
        <intent-filter>
            <action android:name="com.android.vending.INSTALL_REFERRER"/>
        </intent-filter>
    </receiver>
    <receiver android:exported="true" android:name="com.appsflyer.SingleInstallBroadcastReceiver">
        <intent-filter>
            <action android:name="com.android.vending.INSTALL_REFERRER"/>
        </intent-filter>
    </receiver>
</application>
The right way?
This is the standard way that the AppsFlyer setup will be implemented, which in turn will use the Google Play store referrer.
<queries>
    <intent>
        <action android:name="com.appsflyer.referrer.INSTALL_PROVIDER"/>
    </intent>
</queries>
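As an added example (not code from this post, from TikTok or from AppsFlyer), here is a small audit script that parses an AndroidManifest.xml, flags exported receivers listening for com.android.vending.INSTALL_REFERRER like the decompiled snippet above, and checks whether the <queries> entry of the recommended setup is present. The sample manifest and the function names are my own constructions.

```python
"""Audit an AndroidManifest.xml for the legacy INSTALL_REFERRER receiver pattern."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
EXPORTED = f"{{{ANDROID_NS}}}exported"
LEGACY_ACTION = "com.android.vending.INSTALL_REFERRER"  # legacy broadcast, pre Play Referrer API
MODERN_PROVIDER = "com.appsflyer.referrer.INSTALL_PROVIDER"  # action the recommended setup queries

# Constructed sample mirroring the decompiled receiver above (not the real TikTok manifest).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.app">
  <application>
    <receiver android:exported="true" android:name="com.appsflyer.SingleInstallBroadcastReceiver">
      <intent-filter>
        <action android:name="com.android.vending.INSTALL_REFERRER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def legacy_referrer_receivers(manifest_xml: str) -> list:
    """Names of receivers that other installed apps can reach with an INSTALL_REFERRER broadcast."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        actions = {a.get(NAME) for a in receiver.iter("action")}
        if LEGACY_ACTION not in actions:
            continue
        # Before Android 12 a receiver with an intent-filter is exported by default,
        # so a missing android:exported attribute is counted as exported too.
        exported = receiver.get(EXPORTED)
        if exported is None or exported.lower() == "true":
            found.append(receiver.get(NAME))
    return found

def declares_referrer_provider_query(manifest_xml: str) -> bool:
    """True if the <queries> block for the Play referrer provider is present."""
    root = ET.fromstring(manifest_xml)
    return any(a.get(NAME) == MODERN_PROVIDER
               for q in root.iter("queries") for a in q.iter("action"))

if __name__ == "__main__":
    print("legacy receivers:", legacy_referrer_receivers(SAMPLE_MANIFEST))
    print("modern provider query:", declares_referrer_provider_query(SAMPLE_MANIFEST))
```

Point it at the AndroidManifest.xml produced by apktool or jadx to check an app for the same pattern.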
I think the potential here might be that, if this version of TikTok is leaking the INSTALL_REFERRER data, then:
- It could provide a malicious app valuable information in attempting to steal information about the source of TikTok’s users.
- Additionally, a malicious app might be able to perform click jacking given that they know some information about the source of the install very early on.
- And finally, since the INSTALL_REFERRER is broadly scoped, the malicious app could then send a false INSTALL_REFERRER which TikTok may not be able to validate.