For anyone living under a rock, TikTok is a Chinese video-sharing social network platform. Used by millions of people across the world, the United States Government may ban TikTok according to Secretary of State Mike Pompeo and President Donald Trump due to national security concerns.
Attention government contractors, and any other entity with information attractive to Advance Persistent Threats (APTs): heed warnings from the current administration, Apple, Amazon, and the Department of Defense and institute policies to prohibit use of TikTok by certain employees – individually and on company workstations.
TikTok is owned by ByteDance, a Beijing internet technology company founded in 2012 by Zhang Yiming. Mr. Yiming is a Chinese entrepreneur, who’s wealth is valued north of eleven figures. While it's alleged that TikTok is influenced by the Chinese Communist Party, facts supporting these claims are sparse. Still, Mr. Yiming issued an April 2018 apology under duress from the Chinese government after another ByteDance app was censored for offending “core values of socialism.” Last month, TikTok endeavored to distance itself from China by hiring Kevin Mayer as its American CEO and Chinese COO. Mr. Mayer is the former chairman of Walt Disney Direct-to-Consumer & International.
Despite TikTok’s efforts to “Americanize” the app, the warnings regarding TikTok continue to build and, regardless of context, cannot be ignored:
1. December 2019: Research teams employed by Israeli cybersecurity company Check Point found vulnerabilities within the TikTok application, which allowed attackers to:
Access TikTok accounts and manipulate their content.
Upload unauthorized videos.
Make private “hidden” videos public.
Reveal personal information saved on the account.
2. January 2020: The Department of Defense banned its Servicemembers from downloading and utilizing TikTok on government-issued devices following warnings from intelligence centers within the various branches of service and the Pentagon.
3. April 2020: Reddit user and technology enthusiast “bangorlol” reverse-engineered TikTok to understand its operations. “Bangorlol” described TikTok as “a data collection service that is thinly-veiled as a social network. If there is an API to get information on you, your contacts, or your device... well, they're using it.” In addition to previously failing to use a secure socket layer, TikTok gathered the following types of information from its users:
“Phone hardware (cpu type, number of course, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)
Other apps you have installed (I've even seen some I've deleted show up in their analytics payload - maybe using as cached value?)
Everything network-related (ip, local ip, router mac, your mac, wifi access point name)
Whether or not you're rooted/jailbroken
Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds - this is enabled by default if you ever location-tag a post IIRC
They set up a local proxy server on your device for "transcoding media", but that can be abused very easily as it has zero authentication”
Bangorlol noted the “[t]he scariest part of all of this is that much of the logging they're doing is remotely configurable...”
4. June 2020: Cybersecurity writer Zak Doffman wrote several articles for Forbes, covering two notable events involving TikTok:
Apple’s iOS 14 security and privacy team caught TikTok secretly accessing the clipboard on users’ devices. Therefore, anything copied from one device to another may be read by TikTok such as emails, passwords, and text messages.
India banned 59 different Chinese apps, including TikTok, claiming the apps were illegally collecting and using data from users phones and thereby creating a threat to India’s national security.
5. July 2020: On July 10, 2020 Amazon advised its employees via email to remove TikTok from their cellphones. Five hours later, Amazon retracted its email claiming it was sent in error. Wells Fargo similarly ordered employees who downloaded TikTok on corporate devices to remove the application for security concerns.
With eight months of press releases from both the U.S. Govt. and private industry, CISOs/CSOs/CTOs should consider themselves warned about the potential privacy concerns involving TikTok. Corporate policies must be issued advising employees to remove the application from private and company-issued workstations.
While seemingly extreme, the telecommuting necessitated by the pandemic blurred the lines between work and play on smart devices. Companies should not sit comfortably in the absence of reported fines issued by the Federal Trade Commission or Attorney Generals’ offices, as legal outcomes often lag years behind the initial event.