Here are some lowlights from my reading of TikTok security reports[1] (for the record, you can learn to avoid these in an intro security or privacy class):

[1] https://penetrum.com/research 

The Android developer API states that `ACCESS_FINE_LOCATION` is a "dangerous" permission. Why is this necessary? It's also known that they use a 3rd party, AppsFlyer, to help with monitoring & tracking (but a lot of apps use AppsFlyer, so no need to zone in on TikTok).

How fun, they're also tracking your literal IMEI number of your phone. Penetrum says, "Essentially, it creates an extremely realistic and graphic fingerprint of your phone which can be used to determine everything you have installed."

Use of insecure hashing algorithms (MD5, which NIST deprecated in 2011):

This snippet of code is screaming "SQL injections, come to me!" User inputs are not sanitized, so a clever user can mess up the database.

The scariest part (IMO): WebView (a browser bundled in a mobile app) is liberally used in TikTok. Users can literally unknowingly load malware within the app and this malware can be remotely debugged if it fails. All in real time. Penetrum also notes that SSL errors are ignored.

I blindly copied screenshots from Penetrum's whitepaper, but I hope this motivates you to read it. The TikTok reversing subreddit ( https://www.reddit.com/r/tiktok_reversing/) is also good for the technically interested.

My takeaway: TikTok is malware. Delete the app.