A detailed analysis and decompiling of the app’s source code by The Quint, has revealed that Mitron, which has ridden high on an anti-China and anti-TikTok sentiment, has, in fact, been rebranded from an app called TicTic, developed by a Pakistan-based company QBoxus.
Launched on 11 April, the credit for developing the app was given to Shivank Agarwal, a student at IIT Roorkee. Mitron is a short video-making application that allows users to upload short videos of up to 15 seconds.
It has now emerged that Agarwal has not developed the app himself, as previously claimed in various media reports, but has purchased TicTic’s code and simply rebranded it.
A perusal of the decompiled source code of the two apps has revealed that several strings referencing TicTic have been left as they are.
For example, “com.dinosoftlabs.tictic>>Main_Menu>>MainMenuFragment”, as seen in Mitron’s code, still contains ‘tictic’. Moreover, “com.dinosoftlabs.tictic” is the Android package name and Google Play Store ID for the app published by QBoxus.
QBoxus has put the source code of its micro-video sharing app on sale on Code Canyon, a site where one can purchase pre-built sites, scripts, plugins, applications and even themes.
The source code is on sale for $34 or approximately Rs 2,570. Mitron, however, may not even be the sole purchaser. The Tic Tic application source code has been sold 274 times, according to the Code Canyon website.
Mitron’s Identical Source Code
An initial glance at both applications does indicate that certain features might be similar, but that could perhaps be written off as both of them attempting to emulate the Tik Tok user experience.
What cannot be written off as an attempt to emulate the Tik Tok user experience, however, is what decompiling the source code of both applications reveals.
Both applications share almost exactly the same libraries, as well as several functions named in a completely identical manner.
Below, one can see TicTic app’s code, followed by a screenshot of Mitron App’s code.
What Pakistani QBoxus Has To Say
Speaking with The Quint, Irfan Sheikh, founder and CEO, QBoxus said “the app has been purchased on 1 April 2020 for a price of $34.”
The company said they have the Code Canyon generated invoice as well, but declined to share it, as sharing it would amount to a breach of client-customer privacy. “The developer just changed the package name, brand name, splash screen, and some strings, and boom, here we have the new Indian-made app - Mitron,” Sheikh said.
QBoxus has, however, clarified that there is no problem with what Mitron’s developer has done and no wrong in the procedure to launch the app.
“Well, there is no problem with what the developer has done. He paid for it and got the script which is okay. But the problem is with people and Media referring to as Indian made app which is not the truth.”
Irfan Sheikh, Founder & CEO, QBoxus
The Pakistani company has raised two specific issues:
- That the real author of the app be acknowledged and credited, instead of Shivank Agarwal being attributed as the creator of the app.
- The absence of any original modifications to the purchased code. “The worst thing is that the developer even didn't bother to fix bugs and issues in the app and directly uploaded it on Play Store, which is really a shame,” he added.
The Quint has reached out to Mitron App for comments on the claims made by QBoxus along with details the publication has found. The story will be updated once Mitron responds.
Identical Login Screen
The login screen for both apps shares an identical schema as well. Both can be seen using “action_login.xml”.
TicTic Strings Left Behind in Mitron’s Code
Further, a ‘change_log’ file present in the decompiled Mitron source code contains the string “com.dinosoftlabs.tictic” – which is the package name of the TicTic application developed and released by QBoxus.
However, there are some minor differences to be noted in the User Interface (UI).
The splash screen which welcomes the user to the app differs visually across both. Further, Mitron does not currently allow users to log in via Facebook, whereas TicTic does.
Apart from this, the application programming interface (API) for both applications is completely identical, which on its own is enough to establish that Mitron is indeed only a re-skinned iteration of TicTic.
TicTic’s Security Flaw Also In Mitron
Regardless, while re-skinned applications are not an entirely new phenomenon, they come with their own drawbacks.
For instance, a vulnerability that exists in the original codebase is likely to propagate to all other instances of the application and remain unfixed in each and every one of them.
This is also the case for TicTic and Mitron, as both applications share a common security flaw in the way the ‘follow account’ action is handled.
The flaw can allow a malicious actor to force other users to follow any given account, simply by tampering with a few parameters on the ‘follow user’ request.
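As an added illustration of the class of flaw described above (example code, not code from the article, TicTic or Mitron, whose real request format is not published here), a minimal model of a ‘follow user’ handler in the shape that makes such tampering possible, next to a hardened version in which the follower is always the authenticated user; the parameter names and the in-memory store are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class FollowStore:
    """Constructed in-memory follow graph: follower_id -> set of followed ids."""
    edges: dict = field(default_factory=dict)

    def add(self, follower: int, followed: int) -> None:
        self.edges.setdefault(follower, set()).add(followed)

    def follows(self, follower: int, followed: int) -> bool:
        return followed in self.edges.get(follower, set())


class Forbidden(Exception):
    """Raised when the request is not authorised for the session user."""


def follow_vulnerable(store: FollowStore, session_user_id: int, params: dict) -> dict:
    # Flawed shape: the follower is read from a client-controlled field
    # ("user_id" is a hypothetical name), so it need not be the caller.
    follower = int(params["user_id"])
    followed = int(params["follow_user_id"])
    store.add(follower, followed)
    return {"status": "ok", "follower": follower}


def follow_hardened(store: FollowStore, session_user_id, params: dict) -> dict:
    # Hardened: the follower is the authenticated principal, never a request field.
    if session_user_id is None:
        raise Forbidden("authentication required")
    followed = int(params["follow_user_id"])
    if followed == session_user_id:
        raise ValueError("an account cannot follow itself")
    # A client-supplied follower id that disagrees with the session is rejected
    # rather than silently ignored, so it can be logged as a tampering signal.
    if "user_id" in params and int(params["user_id"]) != session_user_id:
        raise Forbidden("follower id does not match the session user")
    store.add(session_user_id, followed)
    return {"status": "ok", "follower": session_user_id}
```

The test below shows the vulnerable handler recording a follow for an account other than the caller, while the hardened handler refuses the same request and only ever writes an edge for the session user.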
Mitron Has A Different Backend Though
Although it would be correct to state that both applications share the same code base, it should be clarified that this does not mean the same backend is shared among both applications.
The Mitron app’s server and API are located on shopkiller.in, whereas the TicTic application communicates with bringthings.com. This means that both user data as well as uploaded videos for Mitron are stored on a separate server (an Amazon Web Services S3 instance to be specific) in contrast to TicTic.
This particular application was able to blur the line between an individually developed platform and a generic rip-off.
This is made evident by the number of people who have so far downloaded and installed the application (a number which is resting at 5 million at the time of publication).
In the context of Mitron, its meteoric rise in popularity can probably be attributed to it being touted as an “Indian version” of Tik Tok.
(Karan Saini is a security researcher and technologist from New Delhi, India. He works as a product support engineer with Bengaluru-based HasGeek.)