TikTok DMCAs Tens of GitHub Repositories Storing Reverse-Engineered Source Code

Published on January 18, 2021
Written by:
Bill Toulas
Infosec Writer

It’s been nine months since Reddit user “bangorlol” shared his discoveries about how TikTok operates, having successfully reverse-engineered its source code. The world was somewhat shocked by the revelations about the user data collection that characterizes the TikTok app, and the Trump administration declared war against the Chinese project, calling it a threat to national security. Now, this source code has leaked to a lot more people, and several are disseminating it further by posting it on GitHub repositories, creating a multi-level problem for TikTok.

The source code concerns the Android app of the social media platform, and it shows how location tracking works and how the logging of phone calls, WiFi networks, and facial recognition data happens. According to TorrentFreak, at least 19 repositories on GitHub hosted the forked source code and were handed DMCA takedown notices from TikTok’s legal team.

In all cases, GitHub complied and took them down. Then a set of five new repos appeared containing the app’s source code again, and TikTok returned with a second wave of DMCA notices, taking those down promptly.

The legality of reverse engineering proprietary software projects like TikTok’s Android app is a complex matter, and whether one is permitted to do it or not depends on a lot of things: for example, the means of the reverse engineering process, how close the reproduced results are to the license holder’s actual code, what copyright or trade laws apply in the country of the court that’s called to decide on a case of this kind, and many more. Of course, GitHub is no court, and the code hosting platform decided to just comply with TikTok’s requests and not over-analyze the situation.

EFF has a detailed post on what could put the reverse engineer in trouble and what the biggest risks to avoid are. Also, there are five legal cases that involve big software and hardware makers like Atari, Nintendo, Compaq, Sega, Blizzard, and Sony, so it is worth a read if you’re interested in the topic. In general, courts have historically focused on functionality similarities, not so much on the code itself, and have tried to determine whether the defendant’s project is an independent creation or an unauthorized copy, and up to what percentage/level.

Back to TikTok, no matter the revelations that came out last summer and the sheer amount of warnings against using it, the Android app counts around a billion monthly users and around 100 million in the United States.


