Trump vs. China. Can TikTok and WeChat really be banned from US based Android devices?

Legal questions aside, let's explore the technical possibilities.

Let’s be very clear here. I am not a fan of TikTok. I had the misfortune of coming across it when it was still called Musically and I had to explain to a little girl that she, unlike her friends, was not allowed to dance for strangers. That ruined an otherwise perfect evening.

I’m also not a fan of Donald Trump(et). It’s safe to assume that he threatens to shut down TikTok for all the wrong reasons, but if he manages to pull through, it will be a benefit for mankind. So, is it actually technically possible to get TikTok and WeChat banned in the US?

Removing apps from Google Play

Story time (you can skip ahead two paragraphs for an obvious revelation)!

I once wrote a pretty silly slot machine game for Android. It was a coding exercise and failed in pretty much every aspect except being recognized for what it actually wasn’t: a real gambling app.

Screencap: Pocket Bandit: pretty (, colorful,) boring
All you could do was to bet one to three coins, then pull the lever and watch the reels spin. You started with a fixed amount of credit and the laws of probability dictated that you’d eventually go bankrupt. Once that happened, you could simply restart the “game” and had a full purse again. No wait x hours or pay $$$ to continue playing bullshit. No way of winning anything either. In other words: the most boring one-armed bandit ever. Not even suitable for detoxing a gambling addict. I had somehow managed to put in all the mechanics of a classical slot machine except the one (winning/losing) that was responsible for producing the excitement.

Well, there’s no rule that states you can’t publish rubbish on Google Play. Much to my surprise though, there is a rule that says you can’t publish gambling apps in some Arab countries without governmental approval. So, one fateful morning, I received a mail from Google telling me that my app had been pulled from Play in those countries. I was pissed. Not because the world needed my app. Not because some Arabs were now deprived of the most dull entertainment only I could provide. I was pissed because someone had obviously only spent the time of looking at the screenshots to determine that this was a gambling app, but hadn’t bothered to reason how you were supposed to spend (real) money in an app that doesn’t even request network permission. It felt unjustified. Like a downvote driven in with the banhammer. Someone with the attention span of a puppy had the power of Thor.

There was no point in appealing. After all, the game was crap, but the incident was a nice reminder of how fragile businesses built on apps are. Somewhere, someone with too little time to be thorough can simply nuke them without prior warning. Needless to say, in time, the same kind of sloppiness resulted in more of my apps being pulled …

So, what’s the take away from my story?

Geofencing has always been a core feature of Play and Google never really went out of its way to stand up for developers. Sure, my apps are small fries compared to behemoths like TikTok, but then again, they aren’t direct competitors to YouTube either. Let’s keep that in mind in case anyone has high hopes for Google putting up a fight.

What about sideloading?

Who needs Play anyway? Android is not iOS, we can simply download the APK off the web and install it ourselves, right? Eh well, no. It’s not that simple. ByteDance swallowed Google’s Kool-Aid and switched to App Bundles/Dynamic Delivery in order to reduce the size of their app. So instead of a single, one-size-fits-all APK, you get a bunch of individual files. In the case of TikTok v17.6.3 and depending on your device, the list might look like this:

  • com.zhiliaoapp.musically-2021706030.apk
  • com.zhiliaoapp.musically-2021706030_config.armeabi_v7a.apk
  • com.zhiliaoapp.musically-2021706030_config.en.apk
  • com.zhiliaoapp.musically-2021706030_config.xhdpi.apk
  • com.zhiliaoapp.musically-2021706030_df_creationtool_so.apk
  • com.zhiliaoapp.musically-2021706030_df_creationtool_so.config.armeabi_v7a.apk
  • com.zhiliaoapp.musically-2021706030_df_fusing.apk
  • com.zhiliaoapp.musically-2021706030_df_photomovie.apk

Split APKs cannot be sideloaded (easily). On plain Android, there’s simply no user interface for telling the package manager that you want it to install an app from several connected files (after all, making sideloading difficult was/is the whole idea behind App Bundles). You need extra tools (e.g. ADB) for that. But let’s be brutally honest here, if you are in the target audience of TikTok, then you are probably missing a brain cell or two (out of a total of two) and won’t be able to use them.
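To make the split naming above concrete, here is an added example (not code from the post or from ByteDance/Google) that classifies each file of the listed set as base APK, config split or dynamic-feature split and checks that the whole set belongs to one package and version code, which is what a single ADB install-multiple session requires. The naming rules are inferred from the file list on this page only.

```python
import re

# Constructed sample: the TikTok v17.6.3 split list quoted in the post.
SPLITS = """com.zhiliaoapp.musically-2021706030.apk
com.zhiliaoapp.musically-2021706030_config.armeabi_v7a.apk
com.zhiliaoapp.musically-2021706030_config.en.apk
com.zhiliaoapp.musically-2021706030_config.xhdpi.apk
com.zhiliaoapp.musically-2021706030_df_creationtool_so.apk
com.zhiliaoapp.musically-2021706030_df_creationtool_so.config.armeabi_v7a.apk
com.zhiliaoapp.musically-2021706030_df_fusing.apk
com.zhiliaoapp.musically-2021706030_df_photomovie.apk""".split()

# <package>-<versionCode>[_config.<qualifier> | _df_<feature>[.config.<qualifier>]].apk
_NAME = re.compile(r"^(?P<pkg>[\w.]+)-(?P<code>\d+)(?P<split>_.*)?\.apk$")

def classify(name):
    """Return (package, versionCode, kind, qualifier) for one APK file name."""
    m = _NAME.match(name)
    if not m:
        raise ValueError("not an APK file name: " + name)
    split = m.group("split") or ""
    if split == "":
        kind, qual = "base", None
    elif split.startswith("_config."):
        kind, qual = "config", split[len("_config."):]      # ABI, language or density
    elif split.startswith("_df_"):
        kind, qual = "feature", split[len("_df_"):]         # dynamic feature module
    else:
        raise ValueError("unknown split naming: " + name)
    return m.group("pkg"), int(m.group("code")), kind, qual

def install_set(names):
    """Base APK first, then every split, refusing sets that mix packages or
    version codes (the package manager installs one version per session)."""
    parsed = [classify(n) for n in names]
    ids = {(p, c) for p, c, _, _ in parsed}
    if len(ids) != 1:
        raise ValueError("mixed packages/version codes: %r" % sorted(ids))
    base = [n for n, (_, _, k, _) in zip(names, parsed) if k == "base"]
    if len(base) != 1:
        raise ValueError("expected exactly one base APK, got %d" % len(base))
    return base + [n for n in names if n != base[0]]
```

The returned list is the argument order for `adb install-multiple`, base first.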

Fun fact: App Bundles have a built-in security flaw. Traditional APKs cannot be modified by the Play Store. App Bundles can. For rogue government agencies, this provides the option of pushing hacked app updates to selected individuals. For that reason, no app in the "communications" category should ever use App Bundles as a distribution format. Imagine that! Coincidentally, Trump was actually right when calling TikTok a security issue. Cheers ByteDance!

So, why doesn’t ByteDance simply host a traditional APK on the TikTok website then?

Two reasons, actually:

  1. Self-hosting your app means people will download the self-hosted version (duh!), even if they could get it from the Play Store. As a result, the Play Store version sees fewer downloads, fewer reviews and fewer ratings, which may eventually lead to it spiraling down in the rankings (ever wondered why all YouTubers end their videos with the magic mantra “like and subscribe, hit the bell and give me a thumbs up”? Same mechanic there). This, by the way, was the leverage Google used to monopolize the app store market on Android: you are free to host elsewhere, but if your competitors solely host with us, they will eventually outrank you.
  2. ByteDance not only drank the Google Kool-Aid, but also coughed it up and swallowed it again. Part of their revenue is in-app purchases. Those don’t work with sideloaded APKs. They could, of course, implement their own IAP, but that’s something Epic tried with Fortnite recently…

Removing existing TikTok installations from devices

Buckle up, this may come as a surprise or as a confirmation of your fears!

Did you ever notice the big green “install” button on the Google Play website? With it, you can conveniently browse the store on your PC and send apps to your phone for installation.

Screencap: The install button on the Play website is sort of a remnant from the old days when 320x480 screens were the norm and you'd rather browse the Android Market (as it was called back then) on your PC.

This is done via “push messages”, which is just a modern way of saying that your phone wakes up every couple of minutes in order to waste battery and bandwidth on checking if there are any new ads you should see. It also checks if there are any app updates or pending installs (from the green button) while it is at it, just so you have a reason not to disable the spy Play Store app when you don’t need it. The relevant message structure looks like this:

message Notification {
  optional int32 notificationType = 1;
  optional int64 timestamp = 3;
  optional Docid docid = 4;
  optional string docTitle = 5;
  optional string userEmail = 6;
  optional AndroidAppNotificationData appData = 7;
  optional AndroidAppDeliveryData appDeliveryData = 8;
  optional PurchaseRemovalData purchaseRemovalData = 9;
  optional UserNotificationData userNotificationData = 10;
  //optional InAppNotificationData inAppNotificationData = 11;
  //optional PurchaseDeclinedData purchaseDeclinedData = 12;
  optional string notificationId = 13;
  optional LibraryUpdate libraryUpdate = 14;
  optional LibraryDirtyData libraryDirtyData = 15;
}

message AndroidAppDeliveryData {
  optional int64 downloadSize = 1;
  optional string signature = 2;
  optional string downloadUrl = 3;
  repeated AppFileMetadata additionalFile = 4;
  repeated HttpCookie downloadAuthCookie = 5;
  optional bool forwardLocked = 6;
  optional int64 refundTimeout = 7;
  optional bool serverInitiated = 8;
  optional int64 postInstallRefundWindowMillis = 9;
  optional bool immediateStartNeeded = 10;
  optional AndroidAppPatchData patchData = 11;
  optional EncryptionParams encryptionParams = 12;
  optional string gzippedDownloadUrl = 13;
  optional int64 gzippedDownloadSize = 14;
  repeated SplitDeliveryData splitDeliveryData = 15;
  optional int32 installLocation = 16;
}

message PurchaseRemovalData {
  optional bool malicious = 1;
}

A request to delete an app from a device looks like this:

notificationType: 2
docid {
  backendDocId: "com.zhiliaoapp.musically"
}
purchaseRemovalData {
  malicious: true
}

Note that the malicious flag is purely cosmetic. The only thing Play has to send is the package name of the app and notificationType 2. The app gets deleted, even if it wasn’t installed via Play.
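The removal request above on the wire, as an added example that is not code from the post or from Google: it hand-rolls the protobuf encoding (so it needs no library), builds a constructed sample from the field numbers in the post's .proto excerpt, and decodes incoming notifications to flag which package would be uninstalled, ignoring the cosmetic malicious flag. The Docid message is not shown in the post, so `backendDocId = 1` is an assumption.

```python
# Field numbers come from the post's .proto excerpt; Docid.backendDocId = 1 is
# an assumption, since the Docid message itself is not shown there.

def _varint(n):
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)

def _key(num, wire): return _varint((num << 3) | wire)
def _vf(num, value): return _key(num, 0) + _varint(value)             # varint field
def _ld(num, data):  return _key(num, 2) + _varint(len(data)) + data  # string / nested message

def build_removal(package, malicious=True):
    """Constructed sample of the removal notification shown in the post."""
    docid = _ld(1, package.encode())            # Docid.backendDocId (assumed field 1)
    removal = _vf(1, int(malicious))            # PurchaseRemovalData.malicious = 1
    return _vf(1, 2) + _ld(4, docid) + _ld(9, removal)  # notificationType=2, docid, purchaseRemovalData

def _read_varint(buf, i):
    result = shift = 0
    while True:
        b, i = buf[i], i + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, i
        shift += 7

def parse_fields(buf):
    """Decode one message level into {field_number: int | bytes}."""
    fields, i = {}, 0
    while i < len(buf):
        key, i = _read_varint(buf, i)
        num, wire = key >> 3, key & 7
        if wire == 0:
            fields[num], i = _read_varint(buf, i)
        elif wire == 2:
            length, i = _read_varint(buf, i)
            fields[num], i = buf[i:i + length], i + length
        else:
            raise ValueError("unsupported wire type %d" % wire)
    return fields

def removal_target(buf):
    """Package an incoming Notification would uninstall, or None.
    Only notificationType == 2 plus the docid decide; purchaseRemovalData
    (the malicious flag) is deliberately not consulted, as the post notes it is cosmetic."""
    f = parse_fields(buf)
    if f.get(1) != 2 or 4 not in f:
        return None
    return parse_fields(f[4]).get(1, b"").decode()
```

Feeding captured notification payloads through `removal_target` is one way to log silent uninstalls on a device, whether or not the app came from Play.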

Blocking TikTok in the USA

Let’s say you are an existing TikTok user and a US citizen. Let’s say, after reading the above, you disable the Play Store client, so Google can’t delete apps from your phone. What are they going to do then? Tell your ISP to firewall the TikTok servers (I heard China has the tech for that. Maybe they’ll share…)? Well, curiously, there’s a much simpler solution. Did I already mention that ByteDance drank the Google Kool-Aid to the last drop? Let’s use an APK downloader to request the Google Play Store entry for the TikTok app. Here’s an excerpt:

"dependency": [{
  "packageName": "com.google.android.gms",
  "minVersionCode": 12451000,
  "skipPermissions": true,
  "deferredInstallAllowed": false
}]

The com.google.android.gms package is Google Play services, a client/server framework that primarily exists to tie apps deep into the Google ecosystem. Yep, that’s right: ByteDance not only put all their marketing efforts into creating a mobile-only platform, they also made it inherently depend on systems operated by Google. Google not only has them by the balls, but also put the balls under lock and key as well and wrote “punish me” in big friendly letters on them.

Blocking TikTok in the US can simply be done by closing/restricting the associated Google Cloud account. And since the app is blocked on the store, TikTok can’t even supply existing US users with an update that works without Play services. See why Trump threatens to block the app download first and a total shutdown half a month later?

Conclusion

Technically, it is impossible to keep everyone in the US off TikTok/WeChat. Simply VPN to Europe and you are (with considerable lag) good to go again. However, that’s for nerds. TikTok is for idiots. Keep the latter off the platform (for a few weeks) and the social network collapses. Mission accomplished!