If you've been paying attention to other news outlets in the past few weeks, you've undoubtedly seen an increasingly alarming number of reports on the security and privacy concerns surrounding TikTok.
For the uninitiated, TikTok is the fastest-growing social network in the world. It features 15- to 60-second video clips set to libraries of popular music. TikTok started as Musical.ly, a lip-syncing app that the Chinese company ByteDance bought in 2018, re-branded and re-launched.
TikTok is estimated to have 800 million active monthly users worldwide, approximately 70 million in the U.S. alone, and more than 2 billion worldwide downloads of the phone app. At various times it is the No. 1 downloaded app in both Google Play and Apple iTunes.
TikTok has for months been facing increasing scrutiny of how the application works, what it tracks, and whether the Chinese government is involved. This has been amplified even more by the origins of COVID-19 in Wuhan, China, and by the blocking of other tech products from the Chinese company Huawei.
I wanted to dig a bit deeper into the technical aspects of how TikTok works and what it tracks. I attended several digital-marketing training seminars last year, and TikTok was branded as the can't-miss, get-in-early business opportunity. The demographics are skewing older; it's not just teenagers doing dumb stuff, although that's still a big piece. Many branding consultants were preaching that you weren't doing it right if you weren't on TikTok. I did try it out for approximately a month earlier this year.
Trouble in TikTok Land
During my research, I immediately came across a security engineer on Reddit who goes by the name bangorlol. He successfully reverse engineered the app, and his findings have blown up on the internet and across various blog posts. He indicated that the TikTok app is a significant data collection service under the guise of a social media network, collecting or doing the following:
- Every detail regarding your phone’s hardware
- Other apps that are installed (including data on things you’ve deleted)
- Anything related to the network you are connected to (IP addresses, router MAC address, Wi-Fi info)
- Persistent GPS pinging, roughly once every 30 seconds
- TikTok logging in the app is remotely configurable
- The Android version allowed remote zip files to be downloaded and executed (a violation of Google Play's terms of service)
- For a long period of time, they were not using secure protocols such as HTTPS, so data was exposed in transit
- The app is also designed to be extremely hard to reverse engineer, and considerable effort went into actively hiding the types and amounts of data being collected
- Read the full thread at https://bit.ly/39fBFiU
In the past couple of weeks, it was discovered that TikTok was accessing the clipboard content (think copy-and-paste functions) every few keystrokes, even when it was just running in the background. They are supposed to be patching this "flaw" in an upcoming release.
TikTok is BANNED!
The studies performed on TikTok have already led the Navy, the Army, the Transportation Security Administration, the State Department and Homeland Security to ban the app on government-issued devices. Wells Fargo has banned it from its corporate devices. India has banned TikTok, and Australia is starting to take a hard look.
TikTok's response to this point has been that it has an American CEO, that its data centers are not in China and that the Chinese government has yet to ask for data. But can you take their word for it?
You can go down a deep dark hole with the amount of data that is collected on us every time we click a button.
In the best case, TikTok seems to be a haphazardly designed piece of software slapped together by people who didn't know what they were doing. This doesn't fly with me, because TikTok's owner ByteDance made $3 billion in profit last year on $17 billion in revenue. They've got the resources to know better.
In the worst case, they have created an ocean of collected data that has not yet been utilized for nefarious purposes.
Cybersecurity is one of the many hats I wear. There is absolutely no way I kept this installed on my devices, and I would urge each of you to uninstall as well. I already have significant issues with U.S.-based privacy policies from the government and private corporations now; I am not adding this to the mix. And make sure you have a complete understanding of what your kids are doing on these platforms.
The old adage "if you're not paying for the product, you are the product" rings very true for TikTok and pretty much every other social media platform that exists.
If you would like a detailed report from a mobile security firm, check out Zimperium's: https://get.zimperium.com/z3a-report_tik-tok-app/.