
Penetrum, LLC
Security analysis of v6.0.25-v14, iOS and Android
10/02/2020

Introduction:

Triller is an application, similar to “TikTok”, that has recently confirmed that it currently has around 65,000,000 active users, a 500% increase in activity between 2018 and 2019, and an extreme unwillingness to compare itself to TikTok. Some facts about Triller are as follows:

● As of September 10th, 2020, Triller has been downloaded around 3,578,953 times in the past 30 days, hitting the 353rd spot in Apple’s daily ranking.
● The growth of Triller’s downloads has increased by 92.61% in the past 30 days.
● Triller is ranked 269,837 among global website traffic.

(https://influencermarketinghub.com/triller-stats/)

All of this is great news for the application, its overwhelming growth, and its steady influx of users. However, we were curious as to how Triller was handling this influx, so Penetrum LLC’s research team decided to find out. We set out with a clear goal to answer the following questions:

1. How secure is Triller itself, as an application and as an entity?
2. Is Triller anything like TikTok on the data collection side of things, and what data is it collecting from its users?
3. Are there any issues in the source code of the mobile application?
4. How alike are Triller and TikTok, and is one of the applications more secure than the other?

We started this research only expecting it to last a couple of weeks. We sent an email to the Triller team explaining what we would be doing and how we would be doing it:

To whom it may concern,

Hello, my name is [REDACTED]. I am the Research Lead of Penetrum LLC. You may know us from our TikTok research that was enough to allow the US government to look further into the application. Earlier this week, we decided that we will be researching the application Triller. What we will do is the following:

- Reverse engineer the application from the first released version to the current newest version.
- Perform comprehensive analysis on the application, including reading through the privacy policy and looking for what stands out.
- Perform full code analysis on the application.
- Try to discover exploits within the Triller application code (we will not exploit any potential exploit vectors found).
- If we find any exploits, we will contact you with a proof of concept along with full disclosure of what was found.
- If any exploits are discovered we will also provide you a week-long window to perform analysis and fix anything found.
- A whitepaper will be written for the analysis and all information we discover will be released publicly on our website at https://penetrum.com/research

Penetrum LLC [email protected] +1 (703) 268-4350 https://penetrum.com

We will begin working on this on Friday September 18th, 2020. This will most likely last a week unless any unforeseen issues arise, and we will conclude our whitepaper on Friday September 25th, 2020. If you have any questions or would like to further discuss what we will do and how we will do it, you may contact me via this email ([email protected]) or you may call us anytime at 703-268-4350.

During our analysis some unforeseen issues came up and we were forced to put the analysis on hold, which is why we are writing this and releasing it only now (almost 3 weeks later). With our analysis complete, and with Triller having been run through both Android and iOS analysis, we are finally able to write about what we discovered from the application.

Our analysis was done with a Samsung Galaxy 7 Android emulator running Android kernel version 8.0, and an Apple iPhone 7 running iOS version 13.5.1. More specific information about the phone can be seen in the images below:


We used the Android emulator to perform dynamic analysis on multiple APKs and used the iPhone to capture HTTP/S requests to the server.

Overview:

● Data Collection
○ In every version of the application, when sent through an analysis engine, the application is flagged as spyware
○ Data is partially, if not fully, stored outside of the United States
○ The application collects data pertaining to the end user’s SIM card (service provider), contacts, location, and more
○ The application is constantly tracking the exact location of the end user, down to longitude and latitude
○ The application tracks every action performed by the user within the application and sends it to a “record” endpoint in the API
● Code Review
○ The application has WebView debugging enabled, as well as JavaScript enabled within WebViews
○ There is poor coding practice with hardcoded API keys, hardcoded API endpoints, and more
● Issues in API
○ There are potential exploit vectors inside of the API that can lead to a gateway timeout
○ It is easy, reliable, and quick to enumerate users of the application and potentially grab everything from email addresses to usernames on other platforms


Data Collection:

During our analysis we used multiple engines to determine a threat score. Then, we used our own proprietary software to produce our own threat score. From there, we take into account what the different analysis engines say and, as a team, decide what score we will give the application. During the analysis of Triller, no matter how many times we ran the application’s versions through the sandboxes, they all produced the same results:

Triller is flagged as spyware from version 6.0.25 to the most current version. The definition of spyware is:

“software with malicious behavior that aims to gather information about a person or organization and send as much information to another entity in a way that harms the user” - https://en.wikipedia.org/wiki/Spyware

During our analysis, we were able to determine that Triller is collecting a significant amount of data from its users (shocking, right?): everything from information about the user’s phone to continuous information about where the user is located. The Triller application alerts the user at the very first login, telling the user that it collects data:

What the Triller application is not telling its users is where their data is going. In Triller’s privacy policy it states that:

What Triller seems to be lacking is exactly where the data is sent and collected. During analysis we were able to find 83 unique IP addresses that the Triller application will connect to, some of which are located outside of the United States:



This leaves us with a grand total of 8/83 or 9.63% of the IP addresses requested being located in countries outside of the US. As you can see above, there is an IP with “squalk” in the domain. Squalk is a chat application that boasts about being secure and not storing information about its users (https://squalk.zone). Penetrum contacted Squalk in an attempt to gain a better understanding of what they are doing and to ask some questions regarding their security measures as well as their data storage:

Hi, my name is [REDACTED].


I am the Research Lead of Penetrum LLC. You might know us as the company that provided the information that caused Tiktok to get looked at by the US government. Today I am contacting you because I am currently researching an application that uses your chat application as their own. I just had some questions for you about your encryption standards, and some other information that will help with my research. You are under no obligation to answer my questions, but it would save me a lot of time researching if you were able to.

- I saw that you use AES256, what mode are you using with this cipher?
- I also saw that it says you delete the messages off of your system and was wondering how you prevent forensic analysis of the messages from your system?
- How are the messages deleted off your servers every minute if they still show up in the application GUI, are they stored in cache?
- If so is the cache encrypted on the users phone?
- If no information is stored on your servers how do users login?
- Have you ever had any data breaches that you are aware of?

Thank you for taking the time to read through my email and I look forward to hearing from you soon,

- [REDACTED]

Unfortunately for us, Squalk did not reply to our email, so we were forced to run it through static analysis in order to determine what information is sent back to the servers. It turns out that they save a lot of information about their users as well.

We did not proceed any further with the analysis of Squalk, and did the above analysis in order to be able to make an educated guess on what information they store and what information Triller is sending through them. It is within reason for us to say that they store some sort of chat logs on servers outside of the United States, along with information about the device that is being used and where it is being used from (you can discover more information about Squalk and what analysis was performed at https://penetrum.com/research). Given this information it is apparent that device data and user data are stored outside of the United States by the Triller application; however, the data seems to be stored in a location that has strong privacy policies for its end users.

The data that Triller collects is significant in the opinion of Penetrum’s research team. As mentioned earlier, everything from the user’s phone details to continuous collection of the user’s location is sent to Triller’s API. Most of the information collected can be summed up in the following image:

There are many other interesting data collection aspects of Triller, including reading the contacts and counting how many updates have been done on the application itself:


During our analysis, we were able to intercept HTTP/S requests on an iOS device and analyze them. We were very concerned with the amount of data being sent on regularly scheduled intervals.


Along with this, every action the user takes is recorded by the API, together with some disturbingly accurate location data that is updated continuously:




Inside of the Triller application there is a switch to turn data collection off and on. We decided to perform analysis on both settings: 3 hours with data collection on, and 3 hours with data collection off. We determined that the data collection switch made little to no difference. Data was still collected and sent to multiple locations, information was still processed through the application, and recording by Triller’s API was still done on every action the end user took. This gave us the idea to perform a static difference analysis on Triller and TikTok to determine the differences in what information both applications are collecting:

As usual, TikTok’s obfuscation was too extreme for the analysis engine to handle. We were still able to extract a lot of collection information from TikTok, as well as a lot of information on debugging evasion and disassembly evasion.


The above picture is labeled “Common”, “only in TikTok”, and “only in Triller”; it is the difference of the API actions called on the end user’s phone. As we can see, the difference between the two applications is less than significant: most of the information collected is basically the same as TikTok, collecting everything from the SIM provider to the network information. This leads us to believe that Triller is collecting just as much information as any of its leading competitors. The obfuscation techniques used by Triller are just as bad:

The only difference between the two is that TikTok uses an obfuscator, while Triller does not. With the information we have provided, we can answer two of the questions we set out to discover.

1. Is Triller anything like TikTok on the data collection side of things, and what data is it collecting from its users?

The data collection aspect between Triller and TikTok is the same. It seems that Triller collects more information on the user’s location than TikTok does, but both applications collect a significant amount of data about their users and store the information partially (if not fully) on servers located outside of the United States. Triller allows users to chat using Squalk, but does not take into account the significant impact this choice may have on the end users’ data privacy. TikTok and Triller are the same thing when it comes to collecting information on their end users. Something that Triller has against TikTok is that it also collects the advertising ID of the user’s phone. Both applications are collecting everything from the SIM provider to the network information being used on the user’s phone.

2. How alike are Triller and TikTok, and is one of the applications more secure than the other?

Triller and TikTok on the backend may be somewhat different in the following respects:


(https://medium.com/the-dopamine-effect/triller-vs-tiktok-differences-similarities-and-why-you-need-to-know-about-both-526b91f55deb)

However, we feel it is safe to assume that Triller and TikTok are both insecure applications. In the end Triller received a score of 12/100 from us and is labeled as a threat, while TikTok’s score ended up being 11/100 and it is also labeled as a threat. We believe it is safe to assume that neither application is secure enough to collect as much information as they do, and neither application provides a clear understanding of what information they are actually collecting from their end users. The only difference we have seen security-wise is that Triller does not send information to countries whose privacy laws allow the government to take any data they want without question.

Code Review:

Something that Penetrum likes to do is code analysis. This allows us to get a clearer understanding of how the application was put together, provides us with a clearer understanding of the skill level of the developers, and shows how seriously the application we are researching takes security into consideration. We have performed comprehensive analysis on the application’s code, and all pictures listed are from the newest application’s code as well as whatever other version the code sits in.

Penetrum was able to determine that WebView debugging was enabled in the application. WebView is a component of an Android application that allows developers to display web applications directly in the application interface. We were also able to determine that the application leaves debugging enabled on the WebView. According to multiple articles (such as https://dev.to/ashishb/android-security-don-t-leave-webview-debugging-enabled-in-production-5fo9), leaving debugging on in any way is insecure and poor coding practice in production environments. If the device is taken, or someone gets access to the unlocked phone, this can lead to the user’s details being exposed and can even lead to full account takeovers. This has a significant impact on the user’s privacy and should always be taken seriously:

Triller uses an Android API class called “TelephonyManager” which is used to:

“provide access to information about the telephony services on the device” - (https://developer.android.com/reference/android/telephony/TelephonyManager)

By using this API you are able to access information such as the voicemail configuration and the network country of the current device. Triller collects the country information of the device by accessing it via TelephonyManager and returning a string containing the information, as seen below:


An issue that Penetrum has noticed in a lot of the mobile applications we analyze is that developers hardcode API keys within the code, meaning that they put a string in the code that contains the API key. This is bad coding practice in general: it can lead to abuse if a bad actor performs even basic analysis of the application, and can lead to requests being sent to the API as the owner of the application. API keys should always be stored next to the application in a configuration file. As seen below, there are multiple API keys, client keys, and client secrets present in the source code of the application:


One important issue we noticed was that Triller is sending user information as clear text. If a bad actor manages to perform a MITM (man-in-the-middle) attack, this can lead to full account takeovers and will leak the user’s private information. A MITM attack is when an attacker sits in the middle of the connection and intercepts the traffic sent out of the application; from there the attacker can choose to forward the request to the server, or modify the request and forward it to another server or to themselves. Issues like these can have a severe impact on the user base as well as cause a multitude of issues for the entity itself. We feel that this kind of issue should not be present in an application as big as Triller.

We were able to parse through all the code and find the code that is responsible for grabbing all the details of the SIM card. The code below grabs the SIM operator name. This function will return data even if the phone is in airplane mode, while the network operator name will return data only if the phone has a GSM (Global System for Mobile Communications) network. Grabbing both of these items provides the requestor with a clear understanding of what the phone is doing, whether the phone is in airplane mode, and where the phone is located, and it comes complete with the application grabbing the phone type. This provides the developers a realistic fingerprint of the user’s mobile phone:


The code below is a WebView task which enables JavaScript. If a malicious actor was able to, they could perform XSS (cross-site scripting) attacks on the user’s application by imitating the Triller application web page. An XSS attack happens when a malicious actor injects client-side JavaScript into the application. This can lead to severe issues for the end user and is a window for attackers to target. A study found that there are two types of attack vectors accessible when JavaScript is enabled in WebView. One is from a malicious website, as mentioned above, which will now have access to your contacts, camera, etc. The other demonstrated that the application can access a malicious web application and cause a multitude of issues. The code below shows that WebView has JavaScript enabled within Triller itself:


Fixing this issue is as simple as ensuring that all URLs that are accessed are within the scope of the application. For example, if Triller needed to access:

    if (!url.startsWith("http://www.facebook.com")) {
        // Outside the application's scope: hand the URL to the system browser
        Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
        startActivity(i);
    }

The above code would only allow URLs that start with the Facebook address to be loaded inside the WebView; anything else is handed to the system browser.
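As an added example (not code from the Triller application), the hardened form of the three WebView findings above in one place: debugging gated on a debug build, JavaScript off unless the rendered page needs it, and a scope check that compares the parsed scheme and host against an allowlist rather than a string prefix, since a prefix test such as startsWith("http://www.facebook.com") also accepts a host like www.facebook.com.attacker.example. The class name, the allowed hosts and the harden() helper are assumptions.

```java
import android.content.Intent;
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Added example, not the Triller application's code. Hosts are assumptions.
public final class ScopedWebViewClient extends WebViewClient {

    // Exact hosts the embedded WebView is allowed to render. Everything else is
    // handed to the system browser, which keeps it out of the app's context.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "www.facebook.com",
            "m.facebook.com"));

    // Apply the settings the findings above call for to an existing WebView.
    public static void harden(WebView webView, boolean isDebugBuild, boolean pageNeedsJavaScript) {
        // Finding: WebView debugging enabled. Keep it off in release builds.
        WebView.setWebContentsDebuggingEnabled(isDebugBuild);

        WebSettings settings = webView.getSettings();
        // Finding: JavaScript enabled. Only turn it on when the page requires it.
        settings.setJavaScriptEnabled(pageNeedsJavaScript);
        // Keep file:// and content:// URIs out of reach of any loaded page.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);

        webView.setWebViewClient(new ScopedWebViewClient());
    }

    // Scope check on the parsed URI: scheme must be https and the host must be
    // an exact allowlist entry. Parsing (rather than a prefix test) means
    // "http://www.facebook.com.attacker.example" and
    // "https://www.facebook.com@attacker.example" both yield a foreign host.
    static boolean isInScope(Uri uri) {
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return false;
        }
        return "https".equalsIgnoreCase(scheme)
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        Uri target = request.getUrl();
        if (isInScope(target)) {
            return false; // in scope: let the WebView load it
        }
        // Out of scope: open in the system browser, never inside the app.
        Intent browse = new Intent(Intent.ACTION_VIEW, target);
        view.getContext().startActivity(browse);
        return true; // handled here; the WebView must not navigate
    }
}
```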

These are all the API endpoints for Triller, hardcoded into the application where anyone can access them. This is poor coding practice and makes it easier for bad actors to enumerate and find attack vectors. Most applications have API endpoints hardcoded into them, but we feel that with the size of the Triller application the endpoints should most likely be stored in a separate configuration file to better suit the security needs of its users:


Even though there are many things that Triller does wrong, it also performs safe OS command execution with no room for any sort of attacks. This is good practice for the application and can prevent a multitude of command injection attacks:

Given what we were able to discover in the source code, we feel that we are able to answer one of the questions we asked ourselves in the beginning:

1. Are there any issues in the source code of the mobile application?

The answer is, yes. There are a multitude of issues in the code that should be addressed immediately by the development team.

API Issues:

During our analysis, we performed basic analysis on the Triller API. What we found was that we were able to enumerate users as long as we had a token, and gather everything from the user’s email address to their handle. The below image is us using a separate authentication token to access our own profile and pull the information from it:

And the next image is us using the same token to access another profile and pull their Instagram handle:


As you can see, this presents the ability for anyone who is capable and has the knowledge to perform user enumeration on the entire platform. This can give attackers the ability to target individuals, can be used to blackmail people, and can also be used to perform other unethical assaults on the user base. We feel that this is a very significant issue that should be fixed immediately.

During our time with the API we were able to perform a DoS on the application; this DoS is insignificant but is still worth mentioning. By using a specifically crafted payload, we can get the API to return a 504 error, which means that the gateway has timed out. Basically, by sending enough requests to this server we can use up all the server resources and crash it.

This issue is slightly insignificant and really shouldn’t cause that many problems. We are placing it here for the sake of completeness and openness. Given the above, we feel we are now able to answer the questions left for us to answer:

2. How secure is Triller itself, as an application and as an entity?

Penetrum’s research team feels that the application Triller is extremely insecure. With multiple code issues, a multitude of potential ways to exploit users, gather intel on users, and perform potential attacks on the backend server, Triller has a long way to go before it is capable of securely handling the massive influx of users it has seen. These issues will in the long run cause loss for the company, and as an entity the creators of the application should take into consideration everything inside of this whitepaper. In the words of one of our researchers:

“This has to be a joke right?” - Penetrum LLC Researcher

Conclusion:

Triller is a massive security flaw waiting to happen. We feel that all of the issues combined can cause an extreme problem for the end users of the application, and that Triller needs to pay closer attention to code analysis along with paying extremely close attention to user security. There are issues in the code that can allow exploit vectors, XSS (cross-site scripting), as well as ways for malicious actors to find targets and even potentially cripple the backend servers. We feel that Triller resembles TikTok so closely that they are almost the same application with a new interface. The only differences that we have found in the analysis are that Triller takes more location data than TikTok does, and that Triller stores the data in a different location whose government doesn’t require access to it. We strive to perform the most comprehensive, open, and complete research possible, and as always everything we found, including source code, will be available on our website at https://penetrum.com/research. Thank you for reading through our analysis, and remember to question everything.

- Penetrum LLC
