I de-compiled TikTok ("com.zhiliaoapp.musically" v33.3.3 from Feb 2nd, 2024) from ApkPure.net and noticed that the way it called AppsFlyer looked a bit different than what I expected and quickly led me to a GitHub issue which makes it seem like they are using an outdated way to collect install information from Google Play which may have security vulnerabilities. Particularly, could a malicious app use this to 'steal' TikTok install attributions?

In this setup you see that TikTok is using a receiver com.appsflyer.SingleInstallBroadcastReceiver to listen for the com.android.vending.INSTALL_REFERRER event. This might allow a malicious app to listen for for the INSTALL_REFERRER event. You can see this is not recommended by AppsFlyer in this GitHub issue and is not their recommended installation setup.

<application>
 <receiver android:exported="true" android:name="com.appsflyer.MultipleInstallBroadcastReceiver">
            <intent-filter>
                <action android:name="com.android.vending.INSTALL_REFERRER"/>
            </intent-filter>
    </receiver>
    <receiver android:exported="true" android:name="com.appsflyer.SingleInstallBroadcastReceiver">
            <intent-filter>
                <action android:name="com.android.vending.INSTALL_REFERRER"/>
            </intent-filter>
    </receiver>
</application>

This might allow a malicious app to listen for for the INSTALL_REFERRER event. You can see this is not recommended by AppsFlyer in this GitHub issue and is not their recommended installation setup.

This is the standard way that the AppsFlyer setup will be implemented, which in turn will use the

 <queries>
        <intent>
            <action android:name="com.appsflyer.referrer.INSTALL_PROVIDER"/>
        </intent>
   </queries>

I think the potential here might that if this version of TikTok is leaking the INSTALL_REFERRER data then

• It could provide a malicious app valuable information in attempting to steal information about the source of TikTok's users.
• Additionally, a malicious app might be able to perform click jacking given that they know some information about the source of the install very early on.
• And finally since the INSTALL_REFERRER is broadly scoped the malicious app could then send the a false INSTALL_REFERRER which TikTok may not be able to validate.

I also posted this to my blog.