UPDATE – TikTok Ban: Security Experts Weigh in on the App’s Risks


With no hard evidence of abuse, are bans warranted? The real security concerns will likely come after the ban goes into effect, researchers said in our exclusive roundtable.

UPDATE

Over the weekend, Chinese apps TikTok and WeChat got an 11th-hour reprieve from a plan to cut off access to them.

As a ban on U.S. downloads loomed for Sunday, TikTok owner ByteDance reached an agreement to sell significant ownership stakes to Oracle and Walmart. While the deal is reviewed, the Department of Congress has put the download ban on hold for at least a week.

Meanwhile, a U.S. judge blocked the Commerce Department’s plan to outright ban Chinese messaging app WeChat, owned by Tencent.

On the TikTok front, Oracle has agreed to take a 12.5 percent stake in the Chinese firm, while Walmart will take a 7.5 percent share, according to Bloomberg. Together, the companies will pay a combined $12 billion for the 20 percent ownership share at ByteDance’s current asking price, which values the company at $60 billion overall, sources told the outlet.

The idea is that the 20 percent sale will cover TikTok’s U.S. operations – but ByteDance will still retain an 80 percent stake in the new entity, which will be called TikTok Global, and could still maintain control over the app’s code and technology development.

Nonetheless, President Donald Trump told reporters on Saturday, “I approved the deal in concept.” That’s because, crucially, the deal also gives ByteDance 12 months to hold a U.S. IPO, which will expand the company’s American ownership.

On Fox News on Monday, he elaborated: “[ByteDance] will have nothing to do with it, and if they do, we just won’t make the deal. It’s going to be controlled, totally controlled by Oracle, and I guess they’re going public and they’re buying out the rest of it, they’re buying out a lot, and if we find that they don’t have total control then we’re not going to approve the deal.”

The sale is still pending approval from China.

As far as WeChat goes, Laurel Beeler, a judge for the District Court for the Northern District of California, issued a preliminary injunction over the weekend against a decision by the Commerce Department. The department had planned to ban the communications chat app outright, meaning that “it will be illegal to host or transfer internet traffic associated with [it],” according to a news release.

After reviewing evidence from a group of plaintiffs who argued that the ban impacts their First Amendment rights, Beeler issued her decision.

“The plaintiffs’ evidence reflects that WeChat is effectively the only means of communication for many in the community, not only because China bans other apps, but also because Chinese speakers with limited English proficiency have no options other than WeChat,” Beeler wrote. The app is used by about 20 million people in the U.S., according to Tencent.

Background

TikTok, the video-sharing app that boasts 100 million users in the United States, was set to become much less accessible on Friday as executive orders previously signed by President Trump were planned to go into effect over the weekend. Security and privacy experts had mixed reactions to the news, noting the push-pull between data-privacy concerns and censorship – and highlighting that no concrete security threat has come to light.

Starting Sunday, downloads of TikTok would have been cut off from any app store operating in the U.S. Users that already have the app installed would still be able to use it, without refreshes or updates, until Nov. 12, when a complete ban was set to go into effect.

Trump signed an executive order issuing the ban on Aug. 6, citing “national-security concerns” over the China-based apps. Commerce Secretary Wilbur Ross echoed that reasoning, and said in the release that the apps allow “China’s malicious collection of American citizens’ personal data.”

The Nov. 12 shutdown of TikTok may now be averted by a deal with Oracle and Walmart (the corporations want to take over TikTok’s U.S. operations) — offering hope that the app that has dominated Millennial self-expression for the last few months won’t fall by the wayside in the United States after all.

Data-Collection Concerns

TikTok parent ByteDance has a reportedly cozy relationship with China’s government, including alleged strategic partnerships in place with the Communist Party of China and its ventures in Beijing and Shanghai. Because the company houses user data on servers in China, concerns have surfaced about the possible use of the app to snoop on information about U.S. citizens.

Those concerns have led to the app being banned by the U.S. military, including by the Army in January. Shortly thereafter, the app fixed several severe security vulnerabilities, putting the app’s security even more into the spotlight.

But are any of the concerns valid?

Some security and privacy experts that Threatpost reached out to about the TikTok and WeChat ban felt the move was a boon for consumers, and noted that the apps, like many social-media apps, are over-permissioned. TikTok for instance (per its privacy policy) does collect phone and social-network contacts, GPS position, personal information such as age, and any user-generated content posted, such as photos and videos. It can store payment information, too.

“The challenge is balancing public wants, national-security perceptions and valid cybersecurity concerns,” Saryu Nayyar, CEO at Gurucul, said via email. “Social-media applications are important platforms for public discourse and influence, but we have seen numerous incidents where these platforms can be abused to any number of ends…Analysis based on Artificial Intelligence and Big Data can make even mundane information useful in the right hands.”

This reality means that government stepping into the fray could be a good thing, Eve Maler, CTO at ForgeRock, told Threatpost.

“The ban on new app versions of TikTok and WeChat is a significant indication of intensifying restrictions that signal the abuse of personal data is not okay,” she said. “It’s going to be effective, and we can expect more steps to come. These moves significantly increase the cost of wholesale personal data collection and use without permission. WeChat in particular, as an ‘all-in-one’ app that conveniently combines many functions, makes it tempting for people to convert real-life daily functions into digital form. It’s better and safer to enable individuals to give permissions to share their data at a finer grain.”

Chloé Messdaghi, vice president of strategy at Point3 Security, agreed that by virtue of being social-media channels, TikTok and WeChat bear watching – but noted that app bans (rather than entrusting individuals to craft their own data destinies) have their own issues.

“We’ve inherently accepted that [social media is] allowed to collect our data for their purposes, without disclosing how that data is being used,” she told Threatpost. “Today, the major social-media companies know so much more about you and I than we know, and in terms of consumer rights and transparency they act a bit like they are their own personal governments.”

However, she added: “As of now there is no publicly available evidence that China had access to or used this data. It’s just being assumed, and that’s unfortunate from a first amendment standpoint. In 2020, TikTok is one of the dominant platforms that has helped likeminded people to share information and plans, and come together. Much as Twitter did during Arab Spring, TikTok has served as a catalyst in this summer of social upheaval and progress-minded action. Banning TikTok thwarts that.”

As for WeChat, at least one security expert said there was cause to worry about its ties to cybercrime. “WeChat has previously been used for command and control channels, insider threat and other ways to transfer sensitive information,” James Carder, CSO of LogRhythm, told Threatpost. “It’s also been used as a nation-state espionage tool. Unfortunately, and likely unbeknownst to [a potential] buyer, WeChat is often used as a communication vehicle back to China from smart devices.”

No Hard Evidence of TikTok Data Abuse?

While many believe that TikTok sends personal and usage information back to the Chinese government, no concrete evidence to that effect has surfaced in existing technical reviews of the app. In fact, Comparitech evaluated TikTok privacy and security concerns in detail and found no evidence that TikTok is collecting user data and sending it to China.

“TikTok hasn’t been shown to collect any more data than other social-media apps,” Paul Bischoff, privacy advocate with Comparitech, told Threatpost. “It sets a dangerous precedent of censorship in the U.S. We’re banning a Chinese app but adopting a Chinese censorship policy. The latter is much more concerning.”

Chris Hauk, consumer privacy champion at Pixel Privacy, agreed.

“Considering no true threat has been proven, it’s a bit of an overreaction,” he told Threatpost. “The censorship aspects of the ban bug me. Sure, ban it from use in government and certain industries if needed. But banning apps for public use is a totally Chinese government kind of thing. Do we want to travel down that path?”

He added, “Further investigation is needed before any bans are enacted. Banning an app due to unproven suspicions is censorship, plain and simple.”

To get the bans lifted, there will likely need to be several long rounds of deep technology vetting and inspection, including but not limited to code-base review and traffic analysis, according to Brandon Hoffman, CISO at Netenrich, who added that he hopes transparent technical information comes to light.

“I want to say that the government is doing this for a valid reason,” he told Threatpost. “On the other hand, the banning of a specific application feels like an infringement on our rights, and to a degree, our privacy – the very same thing they are claiming to protect. In today’s age, consumers are extremely tech-savvy and well-informed. If the government wants their position validated, not that it needs to be, it would make sense for them to disclose a little more technical detail or findings.”

Post-Ban Security Concerns

While problems within the apps may be hard to nail down, Hank Schless, senior manager of security solutions at Lookout, did flag security problems that will likely arise because of the ban itself. Specifically, because TikTok and WeChat will be end-of-life, no patches or updates will be forthcoming – and that’s potentially a heyday for criminals looking to tap into the app’s enormous user base.

“This is risky because if someone discovers a vulnerability in either app, there won’t be a way to release a fix and users will remain exposed to the risk,” Schless told Threatpost.

Also, in light of the ban, those wanting to use the platform may turn to pirated versions – another enormous threat vector.

“Threat actors will likely start distributing malicious versions of the app through various channels such as other social media platforms,” he noted. “They can identify targets that fall within the primary demographic of TikTok and WeChat users and send them socially engineered messages with links to a malicious app.”

This has already happened: When India banned the app, cybercriminals distributed something called “TikTok Pro” via social media, SMS and messaging platforms within a week of the ban.

“The threat actor behind the fake TikTok Pro app in India was able to build and distribute the app in a very short time frame once the ban went out,” according to Schless. “This exemplifies how cybercriminals could take advantage of a similar situation in the U.S. and profit from the public’s desire for the app or to steal personal data. Everyone should be wary of future attempts to distribute fake versions of these two apps targeting our mobile devices.”

It remains to be seen how the situation finally shakes out, but for its part, TikTok said it would continue to argue its case.

“Our community of 100 million US users love TikTok because it’s a home for entertainment, self-expression and connection,” the company said in a statement on Friday, “and we’re committed to protecting their privacy and safety as we continue working to bring joy to families and meaningful careers to those who create on our platform.”

This article was originally published on Friday, Sept. 18, but was updated at 10 a.m. ET on Monday, Sept. 21 to reflect significant weekend developments.
