This blog was written and produced by Michael Cross, Security Consultant II at FoxPointe Solutions. Looking to get in touch with Michael? Reach out today: firstname.lastname@example.org.
While the majority of America’s attention is undoubtedly currently focused on issues of race and the ongoing COVID-19 pandemic, two weeks ago, India made a decision that has far-reaching global implications. In a press release issued on June 29th, the Press Information Bureau of India announced that the country was banning the use of TikTok, a social networking application owned by the Beijing-based technology company ByteDance.
TikTok has come under increased scrutiny over its data collection practices, and given China’s proclivity for cyber and intellectual property (IP)-based attacks, flags are being raised and questions asked about the true nature of the app. As early as 2019, The Peterson Institute for International Economics described TikTok as a “Huawei-sized” problem. Huawei, a Chinese technology company, has been repeatedly criticized for its business practices, and in 2017 a grand jury agreed and ordered the tech giant to pay 4.8 million dollars to T-Mobile for committing industrial espionage. While the threat posed by TikTok may not be as economically impactful, this comparison suggests that the national security implications are just as large.
To put the viral popularity of TikTok into perspective, it has been the most downloaded app in the App Store for the past two years – the number of times it has been downloaded made it the seventh most popular app of the last decade. With 800 million active users, TikTok is widely used across all demographics; however, according to its creators, the target audience for the app is and has always been users who are 18 years old and below. To this day, approximately 41% of TikTok users are between the ages of 16 and 24. TikTok’s popularity with a younger demographic is worrying, as younger users are less likely to understand the security implications of downloading and using the app.
But what are those risks? In layman’s terms, they are quite astounding.
Two months ago, security researchers claimed to have successfully reverse-engineered TikTok for the first time, and some of the findings suggest a much more malicious purpose than the innocuous video sharing platform that TikTok is marketed as. To start, TikTok performs all of the obtrusive data scraping that is currently the subject of global conversation. According to the researchers, there are application programming interfaces (APIs) to obtain phone hardware usage (memory, disk space, hardware IDs, etc.), other application data, and phone network information (IP addresses, Wi-Fi access point names, etc.). In addition, because TikTok allows you to “tag” your posts with a location, GPS information is likely being harvested, with some variants of the application grabbing phone GPS data every 30 seconds.
While all of the above-mentioned security concerns are grave in and of themselves, there were additional functions and services of the app designed in a way that makes them easily exploitable. For example, when a user downloads TikTok onto their device, the application installs a proxy server on the user’s device to transcode media. While transcoding media is a common function of multimedia applications, the problem is that this server is set up without back-end authentication, meaning anyone who can reach it could potentially connect to the server and essentially pivot to the user’s device. The scary implication of this configuration is that the server used to transcode media could effectively be used as a back door onto the device.
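The practical question a defender asks about a component like the transcoding proxy above is whether it listens only on the loopback interface or on every interface, since an unauthenticated service on a wildcard bind is reachable by anyone on the same network. The following is an added example, not code from the original post or from TikTok: it parses socket-table output in the format of Linux `ss -ltnp` (an assumption about the format; on a rooted Android device the same information could be pulled with `adb shell`) and flags listeners that are not bound to loopback. The sample rows are constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the format of `ss -ltnp` on Linux. Not captured from
# any real device or from TikTok; the process names are placeholders.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*         users:(("mediaproxy",pid=1234,fd=7))
LISTEN 0      128    0.0.0.0:8081       0.0.0.0:*         users:(("transcoder",pid=1235,fd=9))
LISTEN 0      128    [::]:5555          [::]:*            users:(("debugd",pid=77,fd=3))
LISTEN 0      128    [::1]:9000         [::]:*            users:(("localsvc",pid=78,fd=3))
"""

# Pulls the process name out of ss's users:(("name",pid=...,fd=...)) column.
PROCESS_RE = re.compile(r'\("([^"]+)"')


def parse_listeners(ss_output):
    """Return (process, address, port) for each LISTEN row in ss output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip the header and anything that is not a listener
        addr, port = fields[3].rsplit(":", 1)
        addr = addr.strip("[]")  # ss prints IPv6 binds as [addr]:port
        match = PROCESS_RE.search(line)
        process = match.group(1) if match else "?"
        listeners.append((process, addr, int(port)))
    return listeners


def network_reachable(addr):
    """True if a socket bound to this address answers to other hosts.

    Wildcard binds (0.0.0.0 and ::) listen on every interface, and any
    non-loopback address is reachable from the network the device is on.
    Only 127.0.0.0/8 and ::1 are confined to the device itself.
    """
    return not ipaddress.ip_address(addr).is_loopback


def exposed_listeners(ss_output):
    """Listeners that a host on the same network could connect to."""
    return [entry for entry in parse_listeners(ss_output)
            if network_reachable(entry[1])]


if __name__ == "__main__":
    for process, addr, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"network-reachable listener: {process} on {addr}:{port}")
```

In the constructed sample, the media proxy bound to 127.0.0.1 is not reported, while the service on 0.0.0.0 and the one on [::] are; a local-only helper such as a transcoder has no reason to appear in that second group, and if it does, authentication on that service becomes the only thing standing between the network and the device.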
There are also functions of the TikTok application that serve no legitimate purpose. For example, the Android version of the application contains code that downloads a remote .zip file, unzips it, and executes the contents of the file. This pattern is often used to download or introduce malware onto a system. In short, there is no reason a mobile application would need this ability.
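When reviewing a decompiled Android application, the download-unpack-execute behaviour described above is something an analyst can triage for statically before running anything. Below is an added example, not code from the original post or from any real app: a small scanner that looks for the three stages of the pattern (a remote fetch, an archive being unpacked, and a class loader or process launch) and flags a source file only when all three co-occur, since unpacking a bundled zip on its own is normal. The Android API names used as indicators are assumptions about what such code typically calls, and the two Java snippets it runs over are constructed for the example.

```python
import re

# Indicator patterns for the three stages of the pattern described in the
# article. The API names are assumptions about typical Android code, not
# identifiers taken from any decompiled application.
INDICATORS = {
    "remote_fetch": [
        r"\bHttpURLConnection\b",
        r"\bopenConnection\s*\(",
        r"\bOkHttpClient\b",
    ],
    "archive_unpack": [
        r"\bZipInputStream\b",
        r"\bZipFile\b",
        r"\bgetNextEntry\s*\(",
    ],
    "code_exec": [
        r"\bDexClassLoader\b",
        r"\bPathClassLoader\b",
        r"\bRuntime\.getRuntime\s*\(\s*\)\s*\.exec\s*\(",
        r"\bSystem\.load(?:Library)?\s*\(",
    ],
}
COMPILED = {stage: [re.compile(p) for p in pats] for stage, pats in INDICATORS.items()}


def scan_source(text):
    """Map each stage to the 1-based line numbers where an indicator appears."""
    hits = {stage: [] for stage in COMPILED}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("//"):
            continue  # a comment cannot fetch, unpack or execute anything
        for stage, patterns in COMPILED.items():
            if any(p.search(line) for p in patterns):
                hits[stage].append(lineno)
    return hits


def is_remote_loader(hits):
    """Flag only when fetch, unpack and execute all appear in one unit of code."""
    return all(hits[stage] for stage in COMPILED)


def triage(sources):
    """sources: {filename: decompiled text}. Returns flagged filenames, sorted."""
    return sorted(name for name, text in sources.items()
                  if is_remote_loader(scan_source(text)))


# Constructed decompiled-Java snippet showing the full pattern (not real code).
SUSPICIOUS = """\
class UpdateTask {
    void run(String url, File cache) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        ZipInputStream zin = new ZipInputStream(c.getInputStream());
        ZipEntry e;
        while ((e = zin.getNextEntry()) != null) { /* write entry into cache */ }
        new DexClassLoader(cache.getPath(), cache.getPath(), null, getClass().getClassLoader());
    }
}
"""

# Constructed benign snippet: unpacks an archive shipped inside the APK only.
BENIGN = """\
class AssetReader {
    void read(InputStream bundled) throws Exception {
        // read a zip bundled with the app; nothing is fetched or executed
        ZipInputStream zin = new ZipInputStream(bundled);
        while (zin.getNextEntry() != null) { /* read entry */ }
    }
}
"""

if __name__ == "__main__":
    sources = {"UpdateTask.java": SUSPICIOUS, "AssetReader.java": BENIGN}
    for name in triage(sources):
        print(name, scan_source(sources[name]))
```

The co-occurrence rule is what keeps the false-positive rate tolerable: ZipInputStream alone is everywhere in legitimate apps, and a class loader alone is used by plugin frameworks. A hit on all three in one class is the point at which a reviewer reads the code by hand to confirm where the archive comes from and what is done with it.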
It would appear as though the Department of State agrees, as just last week, Secretary of State Mike Pompeo admitted that the United States was “looking at” banning several Chinese social media apps, including TikTok. When asked by reporters if he thought it was a good idea for Americans to download TikTok, Pompeo responded, “Only if you want your private data in the hands of the Chinese Communist Party”.
The ongoing controversy surrounding TikTok serves as a reminder of how important it is to understand how the technologies and systems we use actually function. Any organization that handles controlled data is required to perform an internal risk assessment of new technologies prior to their implementation, to ensure the functions and security controls in place comply with all relevant data security laws. The fact that no overarching law like HIPAA or NY SHIELD requires an individual to adequately protect their own data does not mean we should not do the same. Applying the same scrutiny, it is important to understand how our own personal information is exposed and what security risks come with downloading applications for personal use.
For organizations that allow their employees to receive corporate data on their iPhones, Androids, and/or tablets, it is critical to perform these risk assessments, as TikTok’s potential access to data could leave the organization exposed. With 1.5 billion downloads to date, the chances are high that there are devices on your network with the TikTok application installed.
To learn more about risk management and safeguarding your organization’s or your own non-public information, contact our experts at FoxPointe Solutions today.
FoxPointe Solutions is solely responsible for the content of FoxPointe Solutions-authored information, which is subject to change at any time. Any forward-looking statements are not predictions. FoxPointe Solutions is not responsible for any errors or omissions, or for the results obtained from the use of this information. Questions regarding your legal or compliance position should be addressed through your legal counsel, security advisor and/or your relevant standard authority. Nothing contained herein should be used or relied upon as advice, nor does it constitute a consultant-client relationship.