Is this a TikTok security vulnerability for ad fraud?

I de-compiled TikTok (“com.zhiliaoapp.musically” v33.3.3 from Feb 2nd, 2024) from ApkPure.net and noticed that the way it called AppsFlyer looked a bit different than what I expected. That quickly led me to a GitHub issue which makes it seem like they are using an outdated way to collect install information from Google Play, which may have security vulnerabilities. In particular, could a malicious app use this to ‘steal’ TikTok install attributions?

In this setup you see that TikTok is using a receiver, com.appsflyer.SingleInstallBroadcastReceiver, to listen for the com.android.vending.INSTALL_REFERRER event. This might allow a malicious app to listen for the INSTALL_REFERRER event as well. You can see in this GitHub issue that this is not recommended by AppsFlyer and is not their recommended installation setup.

<application>
    <receiver android:exported="true" android:name="com.appsflyer.MultipleInstallBroadcastReceiver">
        <intent-filter>
            <action android:name="com.android.vending.INSTALL_REFERRER"/>
        </intent-filter>
    </receiver>
    <receiver android:exported="true" android:name="com.appsflyer.SingleInstallBroadcastReceiver">
        <intent-filter>
            <action android:name="com.android.vending.INSTALL_REFERRER"/>
        </intent-filter>
    </receiver>
</application>

The right way?

This is the standard way the AppsFlyer setup is implemented, which in turn uses the Google Play store referrer.

<queries>
    <intent>
        <action android:name="com.appsflyer.referrer.INSTALL_PROVIDER"/>
    </intent>
</queries>

I think the potential here might be that if this version of TikTok is leaking the INSTALL_REFERRER data then

  • It could provide a malicious app valuable information in attempting to steal information about the source of TikTok’s users.
  • Additionally, a malicious app might be able to perform clickjacking given that it knows some information about the source of the install very early on.
  • And finally, since the INSTALL_REFERRER is broadly scoped, the malicious app could then send a false INSTALL_REFERRER which TikTok may not be able to validate.
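As an added example (not code from the original post, AppsFlyer or TikTok), here is a small static check in the spirit of the manifest review above: it scans an AndroidManifest.xml for receivers that listen for com.android.vending.INSTALL_REFERRER and whether they are exported, and for the <queries> intent used by the Play Install Referrer based setup. The sample manifest is constructed from the two snippets quoted in the post; the package name com.example.app is a placeholder.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
INSTALL_REFERRER_ACTION = "com.android.vending.INSTALL_REFERRER"
APPSFLYER_PROVIDER_ACTION = "com.appsflyer.referrer.INSTALL_PROVIDER"

# Constructed sample manifest (not TikTok's real manifest): the two snippets quoted in the post combined.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <queries>
    <intent>
      <action android:name="com.appsflyer.referrer.INSTALL_PROVIDER"/>
    </intent>
  </queries>
  <application>
    <receiver android:exported="true" android:name="com.appsflyer.MultipleInstallBroadcastReceiver">
      <intent-filter>
        <action android:name="com.android.vending.INSTALL_REFERRER"/>
      </intent-filter>
    </receiver>
    <receiver android:exported="true" android:name="com.appsflyer.SingleInstallBroadcastReceiver">
      <intent-filter>
        <action android:name="com.android.vending.INSTALL_REFERRER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def _attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))  # attributes in the android: namespace

def audit_install_referrer(manifest_xml):
    """Report legacy INSTALL_REFERRER receivers and whether the <queries> intent for the provider-based setup is declared."""
    root = ET.fromstring(manifest_xml)
    legacy = []
    for receiver in root.iter("receiver"):
        actions = {_attr(a, "name") for a in receiver.iter("action")}
        if INSTALL_REFERRER_ACTION in actions:
            legacy.append({
                "name": _attr(receiver, "name"),
                # A receiver with an intent-filter is reachable by other apps unless
                # the manifest explicitly sets android:exported="false".
                "exported": _attr(receiver, "exported") != "false",
            })
    uses_query = any(_attr(a, "name") == APPSFLYER_PROVIDER_ACTION
                     for q in root.iter("queries") for a in q.iter("action"))
    return {"legacy_receivers": legacy, "queries_install_provider": uses_query}
```

Running it over a decompiled manifest tells you at a glance whether an app still relies on the broadcast-based receivers the post flags, and whether the Play Install Referrer path is declared alongside them.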