Is this a TikTok security vulnerability for ad fraud?

Posted on February 5, 2024 (updated October 6, 2024) by James O'Claire

I decompiled TikTok (“com.zhiliaoapp.musically” v33.3.3 from Feb 2nd, 2024, downloaded from ApkPure.net) and noticed that the way it calls AppsFlyer looked a bit different from what I expected. That quickly led me to a GitHub issue which makes it seem like they are using an outdated way to collect install information from Google Play, one which may have security vulnerabilities. In particular, could a malicious app use this to ‘steal’ TikTok install attributions?

In this setup you see that TikTok declares the receivers com.appsflyer.MultipleInstallBroadcastReceiver and com.appsflyer.SingleInstallBroadcastReceiver to listen for the com.android.vending.INSTALL_REFERRER broadcast. Both receivers are exported (android:exported="true") and declare no android:permission, so any app on the device can address a broadcast to them. This might allow a malicious app to listen for the INSTALL_REFERRER event. You can see in this GitHub issue that AppsFlyer does not recommend this and that it is not their recommended installation setup.

<application>
    <receiver android:exported="true" android:name="com.appsflyer.MultipleInstallBroadcastReceiver">
        <intent-filter>
            <action android:name="com.android.vending.INSTALL_REFERRER"/>
        </intent-filter>
    </receiver>
    <receiver android:exported="true" android:name="com.appsflyer.SingleInstallBroadcastReceiver">
        <intent-filter>
            <action android:name="com.android.vending.INSTALL_REFERRER"/>
        </intent-filter>
    </receiver>
</application>
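The property the rest of this post hinges on is whether the manifest carries an exported, permission-less receiver for the legacy com.android.vending.INSTALL_REFERRER action (the broadcast Google deprecated in favour of the Play Install Referrer API, which binds to a Play service and needs no exported receiver at all). The script below is an added example, not code from this post or from AppsFlyer: it audits a decompiled AndroidManifest.xml for that pattern. The first sample manifest is constructed from the receiver block quoted above; the second is a hypothetical manifest (package name made up) with no legacy receiver and only the <queries> entry shown later in the post.

```python
"""Audit a decompiled AndroidManifest.xml for legacy INSTALL_REFERRER receivers.

Added example (not the post's or AppsFlyer's code). Sample manifests below are
constructed; com.example.hypothetical is a made-up package name.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
REFERRER_ACTION = "com.android.vending.INSTALL_REFERRER"
APPSFLYER_QUERY_ACTION = "com.appsflyer.referrer.INSTALL_PROVIDER"

# Constructed sample: the receiver block quoted in the post, wrapped in a
# minimal <manifest> for the package the post names.
LEGACY_MANIFEST = f"""
<manifest xmlns:android="{ANDROID_NS}" package="com.zhiliaoapp.musically">
  <application>
    <receiver android:exported="true" android:name="com.appsflyer.MultipleInstallBroadcastReceiver">
      <intent-filter>
        <action android:name="com.android.vending.INSTALL_REFERRER"/>
      </intent-filter>
    </receiver>
    <receiver android:exported="true" android:name="com.appsflyer.SingleInstallBroadcastReceiver">
      <intent-filter>
        <action android:name="com.android.vending.INSTALL_REFERRER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed, hypothetical sample: no INSTALL_REFERRER receiver, only the
# <queries> entry the post shows as the standard AppsFlyer setup.
MODERN_MANIFEST = f"""
<manifest xmlns:android="{ANDROID_NS}" package="com.example.hypothetical">
  <queries>
    <intent>
      <action android:name="{APPSFLYER_QUERY_ACTION}"/>
    </intent>
  </queries>
  <application/>
</manifest>
"""


def _a(elem, attr):
    """Read an android:-namespaced attribute (None if absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{attr}")


def find_referrer_receivers(manifest_xml):
    """One finding per <receiver> whose intent-filter includes the legacy action."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for rcv in root.iter("receiver"):
        actions = {_a(act, "name") for act in rcv.iter("action")}
        if REFERRER_ACTION not in actions:
            continue
        exported = _a(rcv, "exported")
        # A receiver with an intent-filter and no explicit android:exported was
        # implicitly exported before API 31, so a missing attribute counts as exported.
        is_exported = exported is None or exported.lower() == "true"
        permission = _a(rcv, "permission")
        findings.append({
            "receiver": _a(rcv, "name"),
            "exported": is_exported,
            "permission": permission,
            # Any installed app can broadcast to an exported receiver that
            # demands no permission: that is the spoofing path the post raises.
            "spoofable": is_exported and permission is None,
        })
    return findings


def declares_appsflyer_referrer_query(manifest_xml):
    """True if a <queries> block names the AppsFlyer INSTALL_PROVIDER action."""
    root = ET.fromstring(manifest_xml)
    return any(
        _a(act, "name") == APPSFLYER_QUERY_ACTION
        for q in root.iter("queries")
        for act in q.iter("action")
    )


def audit(manifest_xml):
    """Summarise: legacy receivers, which of them are spoofable, and query presence."""
    findings = find_referrer_receivers(manifest_xml)
    return {
        "legacy_receivers": [f["receiver"] for f in findings],
        "spoofable": [f["receiver"] for f in findings if f["spoofable"]],
        "appsflyer_query": declares_appsflyer_referrer_query(manifest_xml),
    }


if __name__ == "__main__":
    for label, xml in (("as-quoted-in-post", LEGACY_MANIFEST),
                       ("hypothetical-modern", MODERN_MANIFEST)):
        print(label, audit(xml))
```

Point find_referrer_receivers at the AndroidManifest.xml that apktool or jadx writes out. A receiver flagged as spoofable is one that a non-Play app can reach; on a test device you can confirm the reachability with adb shell am broadcast -a com.android.vending.INSTALL_REFERRER -n <package>/<receiver> --es referrer "utm_source=test", since the broadcast only arrives if the receiver is exported and unprotected.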

The right way?

This is the standard way the AppsFlyer setup is implemented, which in turn uses the Google Play store referrer.

<queries>
    <intent>
        <action android:name="com.appsflyer.referrer.INSTALL_PROVIDER"/>
    </intent>
</queries>

I think the potential here might be that if this version of TikTok is leaking the INSTALL_REFERRER data, then

  • It could provide a malicious app valuable information in an attempt to steal details about the source of TikTok’s users.
  • Additionally, a malicious app might be able to perform clickjacking, given that it knows some information about the source of the install very early on.
  • And finally, since the receivers are exported without a permission, a malicious app could send a false INSTALL_REFERRER broadcast which TikTok may not be able to validate.
