Is this a TikTok security vulnerablity for ad fraud?

I de-compiled TikTok (“com.zhiliaoapp.musically” v33.3.3 from Feb 2nd, 2024) from ApkPure.net and noticed that the way it called AppsFlyer looked a bit different than what I expected and quickly led me to a GitHub issue which makes it seem like they are using an outdated way to collect install information from Google Play which may have security vulnerabilities. Particularly, could a malicious app use this to ‘steal’ TikTok install attributions?

In this setup you see that TikTok is using a receiver com.appsflyer.SingleInstallBroadcastReceiver to listen for the com.android.vending.INSTALL_REFERRER event. This might allow a malicious app to listen for for the INSTALL_REFERRER event. You can see this is not recommended by AppsFlyer in this GitHub issue and is not their recommended installation setup.

<application>
 <receiver android:exported="true" android:name="com.appsflyer.MultipleInstallBroadcastReceiver">
        	<intent-filter>
            	<action android:name="com.android.vending.INSTALL_REFERRER"/>
        	</intent-filter>
    </receiver>
    <receiver android:exported="true" android:name="com.appsflyer.SingleInstallBroadcastReceiver">
        	<intent-filter>
            	<action android:name="com.android.vending.INSTALL_REFERRER"/>
        	</intent-filter>
    </receiver>
</application>

The right way?

This is the standard way that the AppsFlyer setup will be implemented, which in turn will use the google store referrer.

   <queries>
        <intent>
            <action android:name="com.appsflyer.referrer.INSTALL_PROVIDER"/>
        </intent>
   </queries>

I think the potential here might that if this version of TikTok is leaking the INSTALL_REFERRER data then

  • It could provide a malicious app valuable information in attempting to steal information about the source of TikTok’s users.
  • Additionally, a malicious app might be able to perform click jacking given that they know some information about the source of the install very early on.
  • And finally since the INSTALL_REFERRER is broadly scoped the malicious app could then send the a false INSTALL_REFERRER which TikTok may not be able to validate.

Before You Agree: What data does TikTok collect before Terms of Service?

Would you like to see what data is coming out of TikTok when you first open it up? Let’s get to it.

Didn’t this used to be easy to do?

As security for iPhones and Androids increased it continually made viewing the traffic leaving your own device more difficult. This is in stark contrast to a regular web browser where you can easily open the network traffic for any site to see the back and forth of the network calls while you visit that site. For mobile apps, if you want to see the traffic on a computer, you need to do a proxy with a custom CA certificate. For years this was with Charles Proxy, Burpsuite and Wireshark. But apps continued to evolve and many began to put their own custom CA certificates inside the apps, meaning it was no longer enough to just forward the traffic to a proxy, you now had to unpin the SLL certificate within the app. This flow below is still possible with Charles or others, but in the end I ended up using the following tools.

  • Waydroid – Android Emulator: To install the target app
    • + Magisk for root + allowing user certificates
    • + LSPosed for SSL unpinning
  • MITM Proxy: to capture and view the decrypted traffic

If you’d like more detailed instructions for viewing TikTok HTTPS traffic you can find them on GitHub.

Installing TikTok

I got the APK from APKpure.net and installed it into the emulator. We rolled the dice on a lucky day and happened to download TikTok v33.3.3 so you’ll be seeing that number a lot later. Then with the MITM proxy running, I opened the app for the first time.

Launching TikTok

All the request in the rest of the post are fired within 2-3 seconds of launching, so lots of back and forth within the app and on the network.

Keep in mind, this is all traffic from the emulator, so there are other network requests mixed in that are not from TikTok.


The first one that is for sure from TikTok. You you can see the request to tiktokv.com/monitor/appmonitor/v3/settings with some basic settings being recorded.

GET https://mon-va.tiktokv.com/monitor/appmonitor/v3/settings?update_version_code=30107125&os=Android&app_version=3.1.7-rc.75.oversea&device_id=&channel=release&aid=2010&crash=npth HTTP/1.1
Content-Type: application/json; charset=utf-8

Query

update_version_code: 30107125
os:                  Android
app_version:         3.1.7-rc.75.oversea
device_id:           
channel:             release
aid:                 2010
crash:               npth

This is followed shortly after with a Firebase installation:

POST https://firebaseinstallations.googleapis.com/v1/projects/musically-c51f4/installations HTTP/1.1
Content-Type: application/json

{
    "appId": "1:340331662088:android:3c6c52c4762af402",
    "authVersion": "FIS_v2",
    "fid": "cMbnNXy6QCGDpHT_mB3TXN",
    "sdkVersion": "a:17.0.1"
}

User Data

Here we see TikTok trying to figure out the carrier_region and network_sim_region all of which are empty due to Waydroid emulator not having a sim card.

POST https://api-boot.tiktokv.com/region/submit/?sdk_version=1.2.2&ac=mobile&channel=googleplay&aid=1233&app_name=musical_ly&version_code=330303&version_name=33.3.3&device_platform=android&os=android&ab_version=33.3.3&ssmix=a&device_type=WayDroid+x86_64+Device&device_brand=waydroid&language=en&os_api=30&os_version=11&openudid=6b623cdca1a14c25&manifest_version_code=2023303030&resolution=3456*1970&dpi=360&update_version_code=2023303030&_rticket=1706845427021&is_pad=1&app_type=normal&sys_region=US&timezone_name=Asia%2FTaipei&app_language=en&ac2=unknown&uoo=1&op_region=US&timezone_offset=28800&build_number=33.3.3&host_abi=armeabi-v7a&locale=en&region=US&ts=1706845427&cdid=e1907a45-45ae-4508-b5e2-171d7964d125 HTTP/1.1

Content-Type: application/json

JSON
  

{
    "carrier_region": "",
    "locale": "en_US",
    "mcc_mnc": "",
    "network_sim_region": "",
    "system_language": "en",
    "system_region": "US"
}

Now we see the main set of data coming out of the device. This information is repeated in most other requests back and forth. Let’s note some of the interesting ones:

  • op_region/sys_region: US
  • device_type: WayDroid x86_64 Device
  • device_brand: waydroid
  • language: en
  • os_api: 30
  • os_version: 11
  • openudid: 6b623cdca1a14c25
  • manifest_version_code: 2023303030
  • resolution: 3456*1970
  • dpi: 360

These are all accurate to the emulator Waydroid, running on my laptop, note the resolution. The op_region/local US and en are related to the Google Play account I am signed into with on the phone, while Asia/Taipei is the current timezone.

GET https://api-boot.tiktokv.com/passport/account/info/v2/?scene=normal&multi_login=1&account_sdk_source=app&passport-sdk-version=19&ac=mobile&channel=googleplay&aid=1233&app_name=musical_ly&version_code=330303&version_name=33.3.3&device_platform=android&os=android&ab_version=33.3.3&ssmix=a&device_type=WayDroid+x86_64+Device&device_brand=waydroid&language=en&os_api=30&os_version=11&openudid=6b623cdca1a14c25&manifest_version_code=2023303030&resolution=3456*1970&dpi=360&update_version_code=2023303030&_rticket=1706845427440&is_pad=1&app_type=normal&sys_region=US&timezone_name=Asia%2FTaipei&app_language=en&ac2=unknown&uoo=0&op_region=US&timezone_offset=28800&build_number=33.3.3&host_abi=armeabi-v7a&locale=en&region=US&ts=1706845427&cdid=e1907a45-45ae-4508-b5e2-171d7964d125&support_webview=1&okhttp_version=4.2.137.48-tiktok&use_store_region_cookie=1 HTTP/1.1
Accept-Encoding: gzip
x-tt-app-init-region: carrierregion=;mccmnc=;sysregion=US;appregion=US
sdk-version: 2
x-tt-dm-status: login=0;ct=0;rt=7
X-SS-REQ-TICKET: 1706845427445
passport-sdk-version: 19
pns_event_id: 9
x-vc-bdturing-sdk-version: 2.3.5.i18n
User-Agent: com.zhiliaoapp.musically/2023303030 (Linux; U; Android 11; en_US; WayDroid x86_64 Device; Build/RQ3A.211001.001;tt-ok/3.12.13.4-tiktok)
X-Ladon: T3YLBE4LXYRR2+5qAqfacGfZklgSFiMMsQJG+LLwWS/K2KTv
X-Khronos: 1706845427
X-Argus: 7GLcN9rck1opShLax2FYZ6IEse0/+7WsuaKmyIiBDG+6fGK3w28aOXo0P7vp+fn22ye3LeqP7I4Ae7hQ/WjqBfQLsgEqgEj/jXsiIw7KXBcp/70AXu0vGG/KKiwGBTCmPaGv38VAQGTzWfyiwLU1K7IcxJ4QInnEhmQjmzf2A6trku+NcY0FBApGxTeWBHipRBSvOrkMnuzT5hIq/99QXXgTId9ylIiqjilm9iGrk0aU3JnpA9BKsXQonstxlmpQrJqApi3c7FOVdHJs5ZwatAkRNVNXvQP5gVdQZcCrILMDcw==
X-Gorgon: 0404c05b000015eb3032a8aa4fd780a54ff4e00eabc7dc70d487
Host: api-boot.tiktokv.com
Connection: Keep-Alive
Query
  

scene:                   normal
multi_login:             1
account_sdk_source:      app
passport-sdk-version:    19
ac:                      mobile
channel:                 googleplay
aid:                     1233
app_name:                musical_ly
version_code:            330303
version_name:            33.3.3
device_platform:         android
os:                      android
ab_version:              33.3.3
ssmix:                   a
device_type:             WayDroid x86_64 Device
device_brand:            waydroid
language:                en
os_api:                  30
os_version:              11
openudid:                6b623cdca1a14c25
manifest_version_code:   2023303030
resolution:              3456*1970
dpi:                     360
update_version_code:     2023303030
_rticket:                1706845427440
is_pad:                  1
app_type:                normal
sys_region:              US
timezone_name:           Asia/Taipei
app_language:            en
ac2:                     unknown
uoo:                     0
op_region:               US
timezone_offset:         28800
build_number:            33.3.3
host_abi:                armeabi-v7a
locale:                  en
region:                  US
ts:                      1706845427
cdid:                    e1907a45-45ae-4508-b5e2-171d7964d125
support_webview:         1
okhttp_version:          4.2.137.48-tiktok
use_store_region_cookie: 1

Next we see calls for api-boot.tiktokv.com/aweme/v1/compliance which note that I am not a teen or child. Additionally is_new_user=0 which must mean that I’ve before downloaded TikTok with this Google account. Keep in mind, this is all within a second or two of running the app, so I assume this must be coming from Android operating system, and it’s possible last year I had installed TikTok at some point on the emulator, though I don’t remember that.

GET https://api-boot.tiktokv.com/aweme/v1/compliance/settings/?teen_mode_status=0&ftc_child_mode=-1&is_new_user=0&ac=mobile&channel=googleplay&aid=1233&app_name=musical_ly&version_code=330303

Query

    teen_mode_status:      0
    ftc_child_mode:        -1
    is_new_user:           0

Bytes & Encoded data

Now we get to several sets of data that I am unsure how to decode. They generally were mixed in and looked like raw data as well as base64 looking encoded data inside JSONs. These were usually outgoing to log-boot.tiktokv.com/service/2/ . If anyone has some advice for how I can decode those, please let me know, I’d love to try. Below is one of the ones in a json called ‘tt_info’

tt_info: dGMFEAAAlvLESZ997zk5Px-2kAYlx-kHxuOSdiZnulg3tu52u3oUB2f5Q4YZlXJbWNffksbeHYS8
fVPOICA0eRZ_HNph_GdODKIqUG7rHpJXoyo_MaqR8AAtXHFVaHOflwjqxcMO6hq_94eqktKGSD2b
geQOYn4dT9SegkOvBAgp8EK_wvB88CIeiF9nydl1ep-BmZfiz4PTVQTRiLzlQCOlP-Y4zhzSMVip
w5T1oZmsVg0AwkLVMEO0pm56uIxxtKJDwH00px-oSnnf8P5CxtAWxNaVHTRUw27sLRxggc6O5Y0Z
6LZdcORCFTwTEqTEpzbAtxIZmutVjU_IXYenztd5Xqv6OoQBYtDsuB6cHBihG4GUW-lRF3f6z6-C
Mi55QsM9_8EE2pRZr2Z4xNZPWnJHQMWvfHHPGF0hvbaYDls-EhnH1HNK0wZaRGbCBxE0SDd8kDB1
G8buDOg4XsqsaKKZWIQTe9EAZLkhMWRpOja1_mUXxhHFDOcJoZcxo2rErrQRLjTnK40FktrjiD3U
jedjB_6Pq3VNVQO_vuXoC5NsepWQyqWbBIwu7VtAcLQoa_AAlqYt7zn9wvcfii1rhHaS7f2V6E3U
sIouBAgQAjX6MKePQWRlEhOggFBQHoLd74z4ccrRxdu1wj0QmeGVcQdzXY7nyKQ8z8qF5CnohC3F
gSb0ar6vgGuZNmBng-FiLe7N7lY32lyLRZO3B1hZEe04tms_OFta-nDyJocxKjn0vGIaYvFdV4HF
H3JdVClIpd6Iomd4

Here’s another interesting one, maybe it’s reading into it too much, but it goes to passport/device/trust_users and the response trusted_users: null makes me think I’m not yet a trusted user 🤔

POST https://api22-normal-c-useast1a.tiktokv.com/passport/device/trust_users/?iid=7330845107434735365&device_id=7330843323034600966&ac=mobile&channel=googleplay

URLEncoded form

last_sec_user_id:    
d_ticket:            
last_login_way:      -1
last_login_time:     0
last_login_platform: 

RESPONSE:
{
    "data": {
        "trust_users": null
    },
    "message": "success"
}

This one libra was super interesting, in the RESPONSE we see some interesting things. Looks like they are testing AppsFlyer as well as something related to mac address, though unclear what it is:

GET https://libra-va.tiktokv.com/common?
...

RESPONSE:
{
    "client_hash_value": "lCGnf1lHGbMNzL6XcO6aHA==",
    "code": 0,
    "data": {
        "AWERouter_schema_intercept_switch": {
            "type": 2,
            "val": false,
            "vid": 121360057
        },
        "AppLog_sample_switch": {
            "type": 2,
            "val": 1,
            "vid": 121347504
        },
        "AppLog_send_callback_config": {
            "type": 2,
            "val": {
                "ban_header_list": [
                    "mc",
                    "mac_address"
                ],
                "enableDefault": true
            },
            "vid": 121347516
        },
        "AppsFlyRresourceExperiment": {
            "type": 2,
            "val": 1,
            "vid": 121345122
        },
        "BA_policy_number": {
            "type": 2,
            "val": 1,
            "vid": 121376992
        },
...

Setting permissions

Later on in that we also see some lists of whitelisted js (javascript?) services that likely can run in the Webview. Interestingly, there is also a large list for music as well. I tried looking into these services and many seem like likely partners for tools like captcha, payment. faceueditor I couldn’t find though.

        "_jsmanage_tt_js_auth": {
            "type": 2,
            "val": {
                "allowList": [
                    ".sgsnssdk.com",
                    ".isnssdk.com",
                    ".byteoversea.com",
                    ".tiktokcdn.com",
                    ".whizsolve.com",
                    ".snapsolve.com",
                    ".faceueditor.com",
                    ".tiktok.com",
                    ".tiktokv.com",
                    ".ibytedtos.com",
                    ".immers.page",
                    ".capcut.net",
                    ".byteintl.com",
                    ".tiktokcdn-us.com",
                    ".tiktokv-us.com",
                    ".ttwstatic.com",
                    ".soundon.global",
                    ".pipopay.com",
                    ".oneunita.com",
                    ".pipopayment.com",
                    ".g-p-static.com",
                    ".ttlstatic.com",
                    ".tiktokv-eu.com",
                    ".oecstatic.com",
                    ".tiktokv.eu",
                    ".tiktokv.us",
                    ".ttadsmanager.com"
                ],
                "blockList": [],
                "businessLine": 3,
                "geckoUrl": "https://lf16-gecko-source.tiktokcdn.com/obj/tiktok-teko-source-sg/tt/webview/js_manage/tiktok_webview_js_inject_manage/assets/js/tt_js_auth.js",
                "injectTime": "very_beginning",
                "isUseHardCode": false,
                "name": "_jsmanage_tt_js_auth"
            },
            "vid": 121373567
        },
        "_jsmanage_tt_music_perf": {
            "type": 2,
            "val": {
                "allowList": [
                    ".tickets.com",
                    "ticketmaster.",
                    "ticketmaster.at",
                    "ticketmaster.be",
                    "ticketmaster.ch",
                    "ticketmaster.co.nz",
                    "ticketmaster.co.uk",
                    "ticketmaster.com",
                    "ticketmaster.com.au",
                    "ticketmaster.cz",
                    "ticketmaster.ca",
                    "ticketmaster.de",
                    "ticketmaster.dk",
                    "ticketmaster.es",
                    "ticketmaster.fi",
                    "ticketmaster.fr",
                    "ticketmaster.ie",
                    "ticketmaster.it",
                    "ticketmaster.no",
                    "ticketmaster.pl",
                    "ticketmaster.se",
                    "ticketmastergiftcard",
                    "ticketmastergiftcard.com",
                    "ticketmasterpartners.",
                    "tickets.janto.es",
                    "ticketweb.co.uk",
                    "ticketweb.uk",
                    "universe.com",
                    "ticketmaster.evyy.net",
                    ".ticketmaster.",
                    ".ticketmaster.net",
                    ".admission.",
                    ".altitudetickets.",
                    ".amptickets.",
                    ".artsiowa.",
                    ".austintheatre.org.",
                    ".axs.",
                    ".baltimoresoundstage.",
                    ".banknhpavilion.",
                    ".broadwaycenter.org.",
                    ".carolinatix.org.",
                    ".centurylinkarenaboise.",
                    ".chastainseries.",
                    ".cirk.me.",
                    ".cirquedusoliel.",
                    ".cubs.",
                    ".etix.",
                    ".eventbrite.",
                    ".evenue.",
                    ".evenue.net.",
                    ".fgtix.",
                    ".fgtix.to.",
                    ".frontgatetickets.",
                    ".gracelandlive.",
                    ".houstontoyotacenter.",
                    ".ictickets.",
                    ".indians.",
                    ".insomniacshop.",
                    ".instagram.",
                    ".kcstarlight.",
                    ".knoxvilletickets.",
                    ".legendsinconcert.",
                    ".livemu.sc.",
                    ".livenation.",
                    ".livenationpremiumseats.",
                    ".livenationpremiumtickets.",
                    ".lnpromos.com.",
                    ".megaticket.",
                    ".metrapark.",
                    ".mets.",
                    ".mlb.",
                    ".mobilitus.net",
                    ".moshtix.co.nz",
                    ".moshtix.com.au",
                    ".mountbakertheatre.",
                    ".nationals.",
                    ".oceanicentertainment.",
                    ".osheaga.",
                    ".pabsttheater.org.",
                    ".playhousesquare.org.",
                    ".redsox.",
                    ".rutheckerdhall.",
                    ".seetickets.us",
                    ".selectaseat.",
                    ".selectaseatlubbock.",
                    ".shops.ticketmasterpartners.",
                    ".smithstix.",
                    ".spokanearena.",
                    ".strazcenter.org.",
                    ".stubwire.",
                    ".theqarena.",
                    ".ticketalternative.",
                    ".ticketexchangebyticketmaster.",
                    ".ticketf.ly.",
                    ".ticketfly.",
                    ".ticketingcentral.",
                    ".ticketomaha.",
                    ".tickets.",
                    ".ticketsnow.",
                    ".ticketstoday.",
                    ".ticketweb.",
                    ".tigers.",
                    ".toyotacenter.",
                    ".twitch.",
                    ".universe.",
                    ".unlvtickets.",
                    ".upstreammusicfestival.",
                    ".veeps.",
                    ".vendini.",
                    ".vipnation.",
                    ".visulite.",
                    ".waneefestival.",
                    ".wellsfargocenterphilly.",
                    ".wolsteincenter.",
                    ".youtube.",
                    "fgtix.to.",
                    "found.ee.",
                    ".tmdev.co",
                    ".tmtickets.se",
                    "billetnet.dk",
                    "downloadfestival.co.uk",
                    "eticketing.co.uk",
                    "frontgatetickets.com",
                    "moshtix.co.nz",
                    "moshtix.com.au",
                    "rlwc2021.com",
                    "shops.ticketmasterpartners.com"
                ],
                "blockList": [],
                "businessLine": 4,
                "geckoUrl": "https://lf16-gecko-source.tiktokcdn.com/obj/tiktok-teko-source-sg/tt/webview/js_manage/tiktok_webview_js_inject_manage/assets/js/tt_music_perf.js",
                "injectTime": "custom_manual",
                "isUseHardCode": true,
                "name": "_jsmanage_tt_music_perf"
            },
            "vid": 121377589
        },

Advertising

And finally we see the first indications of ads with the Google Advertising ID gaid from the Waydroid device.

GET https://api-boot.tiktokv.com/tiktok/ug/landing/ads/dest/get/v1/

Query
gaid:                  d5f9e1fb-d518-4efe-86d7-250787a2a1a7
ac:                    mobile
channel:               googleplay
aid:                   1233
app_name:              musical_ly
...

Followed by the install conversion event for AppsFlyer, the contents of which are just a raw hex dump I’m not sure what to do with.

POST https://conversions.appsflyer.com/api/v6.4/androidevent?app_id=com.zhiliaoapp.musically&buildnumber=6.4.0 HTTP/1.1

0000000000 b9 ce ac 61 47 19 b4 f7 4f e0 2e 56 6f 9c 0b 82   ...aG...O..Vo...
0000000010 3f 72 47 4f 50 f4 14 6e 46 f6 d6 82 37 6f 55 0a   ?rGOP..nF...7oU.
0000000020 b7 91 d0 93 7f 08 4a fb d5 93 51 cb 23 32 56 52   ......J...Q.#2VR
0000000030 7a b9 f2 49 ac f8 d4 b2 6b 40 bf 7b 52 ed 61 c9   z..I....k@.{R.a.
0000000040 18 07 29 ac 61 37 9b 4c 8a 51 7a 8d 62 3d eb ed   ..).a7.L.Qz.b=..
...

The response from AppsFlyer shortly after correctly identifies me as an organic (I didn’t arrive from an ad) user:

{
    "af_message": "organic install",
    "af_status": "Organic",
    "install_time": "2024-02-02 03:43:50.386"
}

Content & Terms of Service

And now we’re getting to some content, like this still JPEG:


So, now it’s 3 seconds later, and let’s see where we are in the app experience:

{
    "data": {
        "/aweme/v1/compliance/settings/": {
            "body": {
                "about_privacy_policy_url": "https://www.tiktok.com/legal/privacy-policy-row",
                "ad_personality_settings": {
                    "att_status": 255,
                    "is_follow_sys_config": false,
                    "is_np_user": 1,
                    "is_show_settings": false,
                    "limit_ad_tracking": false,
                    "mode": 0,
                    "need_pop_up": false,
                    "pa_revising_switch": false,
                    "pers_ad_data_received_partner_mode": 0,
                    "pers_ad_show_data_received_partner": false,
                    "pers_ad_show_third_party_networks": false,
                    "pers_ad_third_party_networks_mode": 0,
                    "unified_mode": 0
                },
                "age_gate_info": {
                    "age_gate_action": 0,
                    "age_gate_post_action": 0,
                    "register_age_gate_action": 0
                },
                "cmpl_enc": "UNKNOWN",
                "commercial_content_library_url": "https://www.tiktok.com/adlibrary",
                "device_limit_register_expired": true,
                "extra": {
                    "fatal_item_ids": [],
                    "logid": "20240202034347AC84497362B5DDABA59B",
                    "now": 1706845428000
                },
                "idfa_popup_allow": false,
                "interface_control_settings": "{\"rules\":null,\"use_new_control\":true,\"user_type\":\"-1\",\"version\":\"11\"}",
                "log_pb": {
                    "impr_id": "20240202034347AC84497362B5DDABA59B"
                },
                "parental_guardian_name": "Family Pairing",
                "policy_info_list": [
                    {
                        "policy_key": "privacy-policy",
                        "policy_url": "https://www.tiktok.com/legal/privacy-policy"
                    },
                    {
                        "policy_key": "terms-of-service",
                        "policy_url": "https://www.tiktok.com/legal/terms-of-service"
                    },
                    {
                        "policy_key": "tiktok-shoutouts-user-terms-of-service",
                        "policy_url": "https://www.tiktok.com/legal/tiktok-shoutouts-user-terms-of-service"
                    },
                    {
                        "policy_key": "cookie-policy",
                        "policy_url": "https://www.tiktok.com/legal/cookie-policy"
                    },
                    {
                        "policy_key": "virtual-items",
                        "policy_url": "https://www.tiktok.com/legal/virtual-items"
                    },
                    {
                        "policy_key": "rewards-policy-eea",
                        "policy_url": "https://www.tiktok.com/legal/rewards-policy-eea"
                    },
                    {
                        "policy_key": "privacy-policy-for-younger-users",
                        "policy_url": "https://www.tiktok.com/legal/privacy-policy-for-younger-users"
                    },
                    {
                        "policy_key": "copyright-policy",
                        "policy_url": "https://www.tiktok.com/legal/copyright-policy"
                    },
                    {
                        "policy_key": "changes-to-personalised-advertising-in-the-eea",
                        "policy_url": "https://www.tiktok.com/legal/changes-to-personalised-advertising-in-the-eea"
                    }
                ],
                "policy_notice_enable": true,
                "status_code": 0,
                "terms_consent_for_register_info_new_users": {
                    "checkbox_agree_all_terms": "Agree to all",
                    "checkbox_privacy_policy": "Consent to the collection and use of personal information (Required)",
                    "checkbox_terms_of_use": "Consent to the Terms of Service (Required)",
                    "checkbox_tr_notification_subtitle": "Get notifications about trending videos and promotions on TikTok. You can review and edit your settings at any time. Not allowing this type of notification does not limit your use of the TikTok service.",
                    "checkbox_tr_notification_title": "Consent to the receipt of trending content and promotional notifications (Optional)",
                    "tiktok_privacy_policy_url": "https://www.tiktok.com/legal/terms-and-conditions-kr?lang=ko-KR",
                    "tiktok_terms_of_use_url": "https://www.tiktok.com/legal/page/row/terms-of-service/ko-KR",
                    "title": "Terms and conditions"
                }
            },
...

Let’s tap agree and see what happens.

POST https://api22-normal-c-useast1a.tiktokv.com/consent/api/record/create/v1?...

entity_keys:   conditions-policy-device-consent
business_flow: consent_box
status:        1

And an updated set of compliance, similar to the one from above.

GET https://api22-normal-c-useast1a.tiktokv.com/aweme/v1/compliance/settings/?teen_mode_status=0&ftc_child_mode=-1&is_new_user=0
...

RESPONSE:
{
    "about_privacy_policy_url": "https://www.tiktok.com/legal/privacy-policy-row",
    "ad_personality_settings": {
        "ad_free_subscription": {
            "subscription_mode": 0
        },
        "att_status": 255,
        "description": "With this setting, the ads you see on TikTok can be more tailored to your interests based on data that advertising partners share with us about your activity on their apps and websites.\nYou will always see ads on TikTok based on what you do on TikTok or other data described in our privacy policy.",
        "disable_att_overwrite_pa": 1,
        "enable_toggle_decoupling": true,
        "is_follow_sys_config": false,
        "is_new_user": 1,
        "is_np_user": 0,
        "is_show_3p_data_control": false,
        "is_show_reset_entry": false,
        "is_show_settings": true,
        "is_teenager_mode": 0,
        "limit_ad_tracking": false,
        "mode": 1,
        "need_pop_up": false,
        "pa_revising_switch": false,
        "pers_ad_data_received_partner_mode": 0,
        "pers_ad_main_mode_title": "Using Off-TikTok activity for ad targeting",
        "pers_ad_show_data_received_partner": false,
        "pers_ad_show_interest_label": true,
        "pers_ad_show_third_part_measurement": false,
        "pers_ad_show_third_party_networks": false,
        "pers_ad_third_party_networks_mode": 0,
        "show_advertiser_settings": true,
        "unified_mode": 0,
        "use_new_interests": 1
    },
    "age_gate_info": {
        "age_gate_action": 0,
        "age_gate_post_action": 0,
        "register_age_gate_action": 2
    },

After Terms Of Service: And we’re off!

The app shows the video stream and the API requests are flying back and forth now, many a second, so there’s lots more to look at next time. Overall the data seems pretty standard with a few interesting things to look into like the still encrypted data, the connected services and of course, everything after you agree to those Terms of Service.