by Fej 2103 days ago
This is a fantastic idea - the only thing missing (that I see) is that Oracle would need to see the source code and verify that the checksum of the apps built from that code matches the downloads from the Google Play Store and App Store.

Otherwise the guarantee that no data is being sent to China is not airtight. Oracle could audit the app every time it gets an update and watch network traffic, but this would miss anything sent by code activated remotely after the fact. It wouldn't work for long, but the US government will look for any reason to deny this deal. I don't think Oracle will audit the app constantly anyway. Come to think of it, that could apply to the source code too, if the malicious code was extremely well hidden.

2 comments

Right, they will audit the source code but have no IP rights to it, is my guess.

Also they will probably take over responsibility for the Play and App Store accounts and be responsible for pushing the new versions (after audit).

How would they shuttle out that much traffic undetected?

It is a video app. Couldn't you embed the embargoed data into the media content using steganography? All the receiver of the data would need to do is download a modified version of the client, then collect the data. From the server side it would just look like a normal TikTok app watching videos.