Last year, the White House lifted the bans on TikTok and WeChat – the popular social media apps produced in China. However, the lifting of the bans was accompanied by an executive order that mandated a broad review of each of the apps to determine whether they pose a security threat to the United States. Biden’s new order directed the Commerce Department to review apps tied to foreign adversaries while it also laid out what should be considered an “unacceptable risk.”
What might fall into the category of “unacceptable” has yet to be fully determined, but it was reported this month that TikTok can circumvent security protections on Apple and Google app stores and provide TikTok’s Beijing-based parent company ByteDance full access to user data.
According to research conducted by “white hat” cybersecurity experts and shared with TheWrap.com, the TikTok app is able to avoid code audits on the app stores. In addition, the researchers warned that TikTok is even capable of changing the app’s behavior as it pleases without users’ knowledge, while it utilizes device tracking that essentially gives the company and third parties an all-access pass to user data.
“These dynamic properties allow TikTok carte blanche access to your device within the scope of what the application can see,” Frank Lockerman, cyber threat engineer at cybersecurity firm Conquest Cyber who reviewed the two “white hat” studies, told TheWrap. “The TikTok browser not only has access to convert from web to device, but it also has the ability to query things on the device itself.”
Business as Usual?
For its part, TikTok has contended that its methods are standard, especially for social media apps relying on ads. However, security researchers warn that the app is mining more data than many users may even know.
“With nation state attacks accelerating in 2021 and into 2022, there are concerns that applications and software providers may be influenced by heavy central government and intelligence agencies, such as TikTok, which is owned by a Chinese subsidiary,” warned Saryu Nayyar, CEO and founder of the cybersecurity research firm Gurucul.
“Embedding spyware and malicious code is not unheard of regardless of which country is the instigator,” Nayyar told ClearanceJobs. “TikTok itself is indeed ripe for misuse within classified environments due to its ability to capture video and audio data and usage on mobile devices.”
These social media apps can be used in even more nefarious ways.
“These security concerns, in addition to the potential for application vulnerabilities that could be exploited by threat actor groups regardless of the origin of the software, are important to consider, especially as the platform is hardly a business necessity, particularly when it comes to government usage,” added Nayyar. “Regardless, most security teams must actively implement advanced monitoring and detection for suspicious and malicious activity, including abnormal behaviors and emerging threats across any application and device that could impact government IT infrastructure.”
The concern that TikTok could be exploited shouldn’t be surprising, as it remains a major platform for creators and companies, especially in the millennial and Generation Z markets. Moreover, the app has started to attract more “older” users now that it is available on smart TVs and other devices. According to a recent Comscore report, last year the platform’s reach among users aged 35 to 44 roughly doubled over the previous year, to around 18%, while those aged 45 to 54 accounted for 14.6% of current users.
Despite its growing popularity, many government agencies and the U.S. military have banned the app. It is treated as a cyber threat and is not allowed on government phones or on any BYOD (bring your own device) handsets.
“Suggestions that the app and service are inherently unsafe or dangerous derive from two issues: one, whether the TikTok app can act as Trojan Horse for delivering viruses or malicious code to a user’s phone or computer, and two, the security and safety of user data collected by the app and owned by ByteDance,” technology industry analyst Charles King of Pund-IT told ClearanceJobs.
“Evidence supporting those fears seems pretty thin,” admitted King. “However, the strict oversight and control of corporations by China’s government and its well-known efforts to infiltrate and steal valuable or sensitive data from both U.S. government agencies and corporations are reasons for concern. Given the potentially dangerous or even catastrophic effects of government security breaches or data thefts, requiring employees to refrain from using TikTok at their jobs seems like a minor inconvenience.”
TikTok isn’t being singled out, however, King explained.
“It’s also worth noting that similar policies and rules have occurred in the past related to other technologies, including USB drives, Apple iPods, smart phones and cameras,” he added. “This may be new technology and medium but the implications and concerns behind the TikTok ban are more or less the same.”