The Spread of ByteDance Code Beyond the TikTok App

In this blog, we focus on the spread of code written by the creators of TikTok throughout App Stores.

With over a billion downloads on the Google Play Store alone and a position consistently near the top of app rankings on both Apple and Google platforms, TikTok has been under scrutiny for its privacy and security risks. This is a cause for significant concern, as the app’s large user base means any such risks could impact a massive portion of the US and global populations. In this iteration of our blog, we will focus on the spread of code written by the creators of TikTok throughout the App Stores. If you haven’t seen the first few blogs in this series, be sure to check them out!

Part 3: ByteDance SDKs

A lot of attention has been placed on the TikTok app individually, but it is not the only software that the developers of TikTok, a company named ByteDance, have published. They have other apps available in the store, like CapCut and Lemon8, but they also provide code to other developers through Software Development Kits (SDKs). These SDKs extend the reach of ByteDance beyond the apps they develop themselves and into many other apps in the store. In today’s analysis we look at just how large the spread of these ByteDance SDKs is, to give you the information needed to decide whether banning only one of their apps will have a material impact on their influence across the Android & iOS platforms.

To understand the analysis that was done, we need to set the stage: what is an SDK? Publicly available SDKs play a crucial role in the creation of Android and iOS apps by extending the functionality of apps at speed and scale. They provide pre-built components, tools, and APIs that developers can integrate into their apps, saving time and effort compared to coding from scratch. For example, SDKs like Google Maps SDK, Firebase SDK, and Facebook SDK offer ready-to-use modules for adding maps, analytics, social media integration, and other features to an app. Developers can simply incorporate these SDKs into their projects and use their functionality, enhancing the user experience and speeding up development.

Others in the industry have released some analysis on this same question, but none that we are aware of published a clear methodology or explained the use of solid, traceable evidence as the backbone of the analysis. Our goal here is to fill this gap in the conversation and give readers hard numbers with a clear methodology to back them up.

To that end, we searched a set of over 10,000 Android applications in our app security database for direct references to SDKs with the com.bytedance Group ID; these SDKs are listed on Maven. This database is created in our normal line of business, where we track tens of thousands of applications from both the Android & iOS stores and scan them through a series of automated security and privacy analysis engines. The output of these engines includes the security risks, as we discussed in the last blog, as well as a wealth of additional information, including the decompiled codebases of the applications. By leveraging this dataset we are able to find out, with high confidence, which apps have ByteDance code in them. We did not specify any parameters to narrow down this data set other than the recency of the app scan, so as not to taint the results by constraining the search to a specific set of apps. The high-level findings of the analysis can be seen below.

[Figure: statistics of ByteDance downloads]

A little over 3% of the applications included at least one ByteDance SDK, and these apps collectively had over 3.6 billion downloads. The numbers here are pretty staggering. Even in a relatively small sample of about 10,000 apps (there are over 3.5 million apps in the Google Play Store), the spread of ByteDance code is massive. TikTok itself has over 1 billion downloads, but ByteDance code delivered through their SDKs may have 10x or 100x the number of downloads in total. In addition, we found that the ByteDance SDKs were primarily concentrated in one category of apps, with Games making up about 77% of the total. The other 23% is spread across many other categories; you can see the other top categories below.

[Figure: category breakdown bar graph for ByteDance]
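One way to reproduce the kind of search and tally described above, as an added example rather than the tooling used for this analysis: it scans each APK's DEX files for class references under com/bytedance/ and then computes the share of apps with a hit and their combined downloads. The function names, app IDs, class names and download counts are hypothetical, and the sample "APKs" are constructed zip files, not real apps.

```python
import io
import re
import zipfile

# DEX string data is MUTF-8, so ASCII type descriptors appear literally in the file.
DESCRIPTOR = re.compile(rb"Lcom/bytedance/([A-Za-z0-9_$/]+);")

def bytedance_packages(apk_bytes, depth=2):
    """Return the com.bytedance.* package prefixes referenced in an APK's DEX files."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            # Multidex apps ship classes.dex, classes2.dex, ...
            if not re.fullmatch(r"classes\d*\.dex", name):
                continue
            for m in DESCRIPTOR.finditer(apk.read(name)):
                parts = m.group(1).decode().split("/")[:-1]  # drop the class name
                found.add(".".join(["com", "bytedance"] + parts[:depth]))
    return found

def summarize(apps):
    """apps: {app_id: (apk_bytes, downloads)} -> (share with a hit, downloads of those apps)."""
    hits = {a: d for a, (apk, d) in apps.items() if bytedance_packages(apk)}
    return len(hits) / max(len(apps), 1), sum(hits.values())

def fake_apk(dex_files):
    """Build a constructed stand-in APK: a zip whose .dex entries are raw byte strings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in dex_files.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample corpus; app ids, class names and download counts are made up.
SAMPLE = {
    "com.example.game": (fake_apk({
        "classes.dex": b"\x00Lcom/example/game/Main;\x00",
        "classes2.dex": b"\x00Lcom/bytedance/sdk/example/Widget;\x00",
    }), 5_000_000),
    "com.example.notes": (fake_apk({
        "classes.dex": b"\x00Lcom/example/notes/Editor;\x00Lorg/bytedancer/Foo;\x00",
    }), 100_000),
}

if __name__ == "__main__":
    print(bytedance_packages(SAMPLE["com.example.game"][0]), summarize(SAMPLE))
```

A literal descriptor match only finds direct references; an SDK whose packages were renamed or obfuscated at build time would not be counted by this sketch.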

With this information in mind, let’s revisit the original question: does banning TikTok alone have a material impact on the reach that ByteDance has across our Android & iOS devices? Make the determination yourself and let us know where you fall.

Thanks for reading. If you’re interested in finding out more about how we operationalize this capability for our customers, reach out to us.

Copyright © 2024, Quokka. All rights reserved.