An IT security company has examined the video app TikTok for its data protection. The result: TikTok collects data from all apps installed on the phone. In addition, the app seems to repeatedly connect to a server in China.

This is not the first time that the popular video app TikTok has come under fire for privacy investigations. An analysis by a U.S.-Australian IT security center has now put the platform, operated by Chinese company ByteDance, back in the spotlight.

Internet2.0 has published a report showing that TikTok only places a secondary priority on data protection. In addition, it seems that the app repeatedly establishes a connection to Chinese servers surreptitiously.

Privacy is written small at TikTok

The report of the IT company is a technical analysis of the source code of the TikTok mobile applications on the operating systems Android 25.1.3 as well as iOS 25.1.1. The investigations focused on the collection of device data. And this is particularly noticeable among iPhone users.

Permissions and the collection of device data are overly intrusive, the report says. It’s not necessary for the app to function, it says. For example, the video app accesses the smartphone’s location, as well as the calendar and all contacts. In addition, TikTok also retrieves device information, such as the device’s serial number, SIM serial number or even MAC address.

The app retrieves all other running as well as installed applications on the phone, according to the analysis. Theoretically, this information could create a realistic diagram of a smartphone.

What is particularly eye-catching about this is that TikTok accesses all of the user device’s accounts in the background. In the process, the app also has access to reading the clipboard, according to the Internet2.0 investigation. This is particularly dangerous because the password manager also accesses it.

TikTok secretly establishes connection to China

In addition to the disregard for data protection in general, the IT specialists also noticed that TikTok apparently uses the operating system of iPhone users to establish a server connection to mainland China.

TikTok has explicitly stated that the data of users of the video app is stored in the USA and Singapore. In addition, the application has no connection to ByteDance’s Beijing-based division. However, during the investigation, the Internet2.0 team discovered that the iOS application’s subdomains are being resolved all over the world, including in Baishan, China.

During the analysis, we could not determine the purpose of the China server connection or where the user data is stored with great certainty.

However, the team was able to observe that the IP address leading to China changed its location regularly. The connection to Baishan was visible across a number of different IP addresses during the course of the investigation. Interestingly, Baishan is home to the Guizhou Baishan Cloud Technology cybersecurity company, which operates a joint data lab in collaboration with the local university.

According to Internet2.0’s analysis, only iOS versions of TikTok showed these server connections to mainland China. In the Android version of the platform, the IT specialists could not detect any direct connections with a Chinese server.

TikTok denies connection to Chinese servers

The report concludes that for TikTok to function properly, most access and device data collection is not necessary. Thus, the investigation team concludes that the only reason for collecting the data is to collect it. Ultimately, this is not only interesting for users, but also for politicians.

This report is intended to help policymakers and lawmakers make fact-based decisions.

Former U.S. President Donald Trump had already tried to enact a TikTok ban during his time in office. He cited security concerns and potential Chinese espionage operations as the reason. However, current President Joe Biden rescinded the ban order.

According to Der Spiegel, TikTok disagrees with the report’s findings. The IP addresses would be located in Singapore and the network traffic does not leave the region. It is clearly untrue that there is communication to China, he said.