TikTok is kind of fun. It’s like the new Vine (https://vine.co) of the 2020s. People (mostly teenagers, amongst its 65 million US users) make short videos that are funny or sexy or mind-numbingly dumb. Early on, I actually did download and install it for a day or two and could have wasted hours watching amateur videographers do their thing. But then, after hearing some concerns about the privacy and cybersecurity of it, I immediately uninstalled it.
TikTok Cybersecurity Concerns are a Bipartisan Issue
It turns out that the whole TikTok flap is a bipartisan issue, and that’s nice to hear these days. Last fall, Senators Chuck Schumer (D-NY) and Tom Cotton (R-AR) signed a joint letter asking the President’s Director of National Intelligence, Joseph Maguire, to look into the security of TikTok amid concerns that its maker, a Beijing-based company called ByteDance, was back-dooring all of the private data from the app to the Chinese government.
In July, President Trump stated that he would ban the popular app from operating in the United States, rejecting a potential deal for Microsoft to buy the app from its Chinese-owned parent company. Later, he softened this stance, stating that he would give the tech giant 45 days to work out a deal in which a US version of TikTok might operate, separate from the Chinese platform, and under the watchful eye of the Committee on Foreign Investment in the United States.
The Joe Biden campaign, meanwhile, has told staffers to delete TikTok from their personal and work phones citing the security and privacy concerns. See? A true bipartisan issue.
Here’s What We Know About the App
Here’s what we know about the app at this point: it collects and sends a lot of data to China. Some of this is consistent with other social media apps, but some of it seems excessive. When installed, TikTok asks users to grant several permissions, including the use of the camera, microphone, and contact list. However, it may also collect location data (GPS position and connected Wi-Fi access points), along with information about other apps on the device. Where this data ends up is anyone’s guess, but there’s a good chance it’s PLA Unit 61398.
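When you evaluate an app for the kind of data access described above, the first cheap check is the permission list it declares. The script below is an added example (not code from the original post, and not derived from TikTok’s actual manifest): it parses a constructed AndroidManifest.xml, maps each requested permission to the data category it unlocks (camera, microphone, contacts, location, Wi-Fi details, the list of other installed apps), and also pulls out any `<queries>` package declarations, which on Android 11+ are another way an app learns what else is installed. The permission strings are real Android names; the manifest contents, package names and category labels are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Android attribute namespace used for android:name etc.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, grouped under our own triage labels that match
# the data categories a reviewer cares about. Everything else is treated as benign.
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.ACCESS_FINE_LOCATION": "precise location (GPS)",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi access point details",
    "android.permission.QUERY_ALL_PACKAGES": "list of other installed apps",
    "android.permission.READ_PHONE_STATE": "device identifiers",
    "android.permission.GET_ACCOUNTS": "accounts registered on the device",
}

# Constructed manifest for the example; the package names are placeholders.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.shortvideo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <queries>
        <package android:name="com.example.bank"/>
        <package android:name="com.example.messenger"/>
    </queries>
    <application android:label="ShortVideo"/>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the sensitive permissions, queried packages and total permission count."""
    root = ET.fromstring(manifest_xml)

    requested = [
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    ]
    sensitive = {perm: SENSITIVE[perm] for perm in requested if perm in SENSITIVE}

    # <queries><package android:name=.../></queries> lets the app check for
    # specific other apps even without QUERY_ALL_PACKAGES.
    queried = [
        el.get(ANDROID_NS + "name")
        for el in root.iter("package")
        if el.get(ANDROID_NS + "name")
    ]

    return {
        "total_requested": len(requested),
        "sensitive": sensitive,
        "queried_packages": queried,
    }


def report_lines(triage: dict) -> list:
    """Human-readable summary, one finding per line, for a review write-up."""
    lines = [f"{triage['total_requested']} permissions requested, "
             f"{len(triage['sensitive'])} touch sensitive data"]
    for perm, category in sorted(triage["sensitive"].items()):
        lines.append(f"  {category}: {perm}")
    if triage["queried_packages"]:
        lines.append("  checks for other apps: " + ", ".join(triage["queried_packages"]))
    return lines


if __name__ == "__main__":
    for line in report_lines(triage_manifest(SAMPLE_MANIFEST)):
        print(line)
```

A declared permission is only a capability, not proof of collection; the next step in a review is to confirm at runtime which of these are actually exercised and what leaves the device, which is what the traffic check later in this post is for.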
There’s a California lawsuit that alleges that since TikTok videos often include close-ups of people’s faces, these allow ByteDance to gather biometric data on its users. Once a user shoots a video and clicks the next button, the videos are transferred to various domains without the user’s knowledge. This happens before a user even saves or posts a video on the app, according to the lawsuit.
What could the Chinese do with all this biometric data? Well, besides using it to bypass facial recognition security mechanisms, they could also do things such as map out rooms and locations by using “feature extraction” machine learning. They could also use it to create new, advanced deep-fake videos utilized as propaganda to disrupt and divide the US populace.
In addition, TikTok has had numerous well-publicized security issues. Checkpoint Security discovered a number of vulnerabilities in the app, including those that would allow attackers to do all of the following:
- Take over TikTok accounts and manipulate their content
- Delete videos
- Upload unauthorized videos
- Make private “hidden” videos public
- Reveal personal information saved on the account (e.g., private email address)
Among those security flaws was the ability for anyone to send SMS messages to any other user that appear to come from TikTok. Checkpoint also found that TikTok’s ad system was vulnerable to cross-site scripting (XSS) attacks, allowing attackers to redirect people to phishing or malware sites.
Security researchers Talal Haj Bakry and Tommy Mysk showed that TikTok uses HTTP for transport over its Content Delivery Networks, because it’s faster than the secure, encrypted HTTPS. That means attackers could eavesdrop on private videos or manipulate the stream to insert their own data or videos. The same researchers also showed TikTok attempting to exploit a security flaw in iOS 14 to steal passwords and sensitive data from other apps on Apple devices.
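The cleartext-CDN finding is the kind of thing you can verify yourself by capturing an app’s traffic and looking for requests that never get TLS. The script below is an added example, not the researchers’ tooling or anything from the original post: it parses a constructed request log (timestamp, method, URL, status), flags every request made over plain `http`, notes whether the same host was also seen over `https` (which shows the cleartext choice was avoidable), and labels the risk as eavesdropping on uploaded content or tampering with downloaded content depending on the direction. The log lines and `.test` hostnames are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# One request per line: <timestamp> <METHOD> <url> <status>. Constructed sample,
# not a real capture; hostnames under .test are placeholders.
SAMPLE_LOG = """
2020-08-10T14:02:11Z GET https://api.example-app.test/v1/feed 200
2020-08-10T14:02:12Z GET http://v-cdn.example-app.test/video/7f3a.mp4 200
2020-08-10T14:02:13Z GET https://v-cdn.example-app.test/thumb/7f3a.jpg 200
2020-08-10T14:02:15Z POST http://upload.example-app.test/v1/draft 201
2020-08-10T14:02:16Z GET https://api.example-app.test/v1/profile 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")

# Methods that carry user content to the server (upload direction).
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}


def parse_log(text: str) -> list:
    """Split each well-formed log line into its parts; malformed lines are skipped."""
    entries = []
    for raw in text.strip().splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        url = urlsplit(m.group("url"))
        entries.append({
            "ts": m.group("ts"),
            "method": m.group("method"),
            "scheme": url.scheme.lower(),
            "host": url.hostname,
            "path": url.path,
            "status": int(m.group("status")),
        })
    return entries


def cleartext_findings(entries: list) -> list:
    """Return one finding per plain-HTTP request, with direction-specific risk."""
    schemes_by_host = defaultdict(set)
    for e in entries:
        schemes_by_host[e["host"]].add(e["scheme"])

    findings = []
    for e in entries:
        if e["scheme"] != "http":
            continue
        if e["method"] in UPLOAD_METHODS:
            risk = "user content sent in the clear; anyone on the path can read it"
        else:
            risk = "response readable and replaceable in transit; stream can be altered"
        findings.append({
            "ts": e["ts"],
            "method": e["method"],
            "host": e["host"],
            "path": e["path"],
            # True means the host already serves HTTPS, so cleartext was a choice.
            "https_available": "https" in schemes_by_host[e["host"]],
            "risk": risk,
        })
    return findings


def summarize(findings: list) -> dict:
    """Counts a reviewer would put at the top of a report."""
    return {
        "cleartext_requests": len(findings),
        "cleartext_uploads": sum(1 for f in findings if f["method"] in UPLOAD_METHODS),
        "hosts_with_https_alternative": sorted(
            {f["host"] for f in findings if f["https_available"]}
        ),
    }


if __name__ == "__main__":
    found = cleartext_findings(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f['ts']} {f['method']} http://{f['host']}{f['path']} -> {f['risk']}"
              f" (https seen for host: {f['https_available']})")
    print(summarize(found))
```

On Android the defender-side fix for an app you control is a network security config with `cleartextTrafficPermitted="false"`; on iOS the equivalent is leaving App Transport Security enabled rather than adding exceptions. Neither helps a user of someone else’s app, which is why capturing and checking the traffic yourself is the meaningful test.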
Here’s the thing: some people don’t really care about the security of TikTok. They just want their cat videos.
That’s probably why Trump changed his stance from the initial hardline position. He was trying to protect national security interests, but a good portion of his constituency wants funny clips regardless of the privacy leaks. So, now we shall see whether the Microsoft-TikTok marriage comes to fruition.
As for me, this app checks all the boxes:
- Ambiguous privacy statement
- Data goes who-knows-where
- Full of bugs and vulnerabilities
- Potentially steals data from other apps
All this points to: I don’t want it.
By the way, if you ever need help evaluating a potential piece of software, Abacode Cybersecurity can help. Our Cybersecurity Applied Research Lab (CARL) is a place where expert engineers and analysts can try out emerging technologies, put them through their paces, and make recommendations on improvements. In addition, CARL is where our Security Operations Center (SOC) analysts perform advanced threat-hunting activities. When an anomaly is detected, our analysts utilize the MITRE ATT&CK® framework or develop other correlation rules to analyze traffic over time and determine patterns or methods of attack. This allows us to assist in security architecture feedback and overall improvement.
Contact us today to put Abacode’s CARL to work for you.