Seeky

Why is TikTok dangerous and how are other apps doing?

Date of issue

22. 3. 2023


The National Office of Cyber and Information Security issued on 8 March 2023 a warning “of a cybersecurity threat involving the installation and use of the TikTok app on devices accessing:

  • information and communication systems of critical information infrastructure,
  • information systems of basic services,
  • important information systems.”

According to the authority, the threat level is “High – Threat is likely to very likely.”

The reason for this warning is that “TikTok, developed and operated by the Chinese company ByteDance, collects an excessive amount of user data”.

Citing the 2021 Annual Report of the Security Information Service (BIS), the NCIS further states that “the PRC poses a growing complex intelligence threat.”

ByteDance is an entity subject to Chinese national legislation. For example, the PRC’s laws on state security and state intelligence activities impose a general obligation on all Chinese citizens and organizations to provide assistance to state authorities on state security issues, an obligation to support national intelligence activities, and an obligation to provide cooperation and information on foreign clients of Chinese companies in the event that state authorities suspect them of espionage activities.

“The data obtained by ByteDance can thus be used to target cyber-attacks on specific individuals and thus increase the risk of their success (e.g. through spear phishing). At the same time, this data can be used to blackmail persons of interest and thus undermine the security or strategic interests of the Czech Republic.”

Read more at https://www.nukib.cz/download/uredni_deska/2023-03-08_Varovani-TikTok_final.pdf

Why is TikTok a threat? What about other apps?

We performed a quick static analysis of the application using the open source MobSF tool. What did we find?

🔴 TIKTOK on Apple devices
iOS App Version: 28.4.0, ID: com.zhiliaoapp.musically
❌ Security score: 38/100
Risk rating: C (High Risk)

Main problems:

  • The app requests access to camera, photo library, music, microphone, calendar, contacts, location detection even when running in the background
  • App Transport Security restrictions are disabled for all connections – this allows the built-in browser to capture all data entered by the user in the app, even when TikTok has loaded a third-party website, e.g. an e-shop.
  • The application may be susceptible to exploitation through known weakness classes: CWE-676 (Use of Potentially Dangerous Function) and CWE-789 (Uncontrolled Memory Allocation).

🔴 TIKTOK on Android
Android App Version: 28.3.3, ID: com.zhiliaoapp.musically
❌ Security score: 40/100
Risk rating: B (Medium Risk)!

Even on the Android platform, the problems are similar:

  • The application requires 75 permissions
  • Attempts to bypass SSL pinning
  • Uses weak encryption algorithms and sends data in clear text
  • Captures all data entered by the user within the application
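As an added illustration (not code from the original post or from MobSF), the following Python script reproduces two of the checks behind the iOS and Android findings above on constructed sample inputs: whether an iOS Info.plist disables App Transport Security for all connections and which privacy usage descriptions and background modes it declares, and how many permissions an Android manifest requests and which of them fall into a dangerous subset. The plist, the manifest and the dangerous-permission list are constructed for the example, not taken from TikTok.

```python
import plistlib
import xml.etree.ElementTree as ET

# Constructed Info.plist mirroring the iOS findings above (ATS disabled for all
# connections, sensitive usage descriptions, background location); not TikTok's real plist.
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.sample</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
  <key>NSCameraUsageDescription</key><string>Record videos</string>
  <key>NSMicrophoneUsageDescription</key><string>Record audio</string>
  <key>NSContactsUsageDescription</key><string>Find friends</string>
  <key>NSLocationAlwaysAndWhenInUseUsageDescription</key><string>Nearby content</string>
  <key>UIBackgroundModes</key><array><string>location</string></array>
</dict></plist>"""

# Constructed AndroidManifest.xml fragment with a mix of normal and dangerous permissions.
ANDROID_MANIFEST = b"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"
# Subset of Android's "dangerous" protection-level permissions, chosen for the example.
DANGEROUS = {"READ_CONTACTS", "RECORD_AUDIO", "CAMERA", "ACCESS_FINE_LOCATION",
             "ACCESS_BACKGROUND_LOCATION", "READ_CALENDAR", "READ_SMS"}

def ios_findings(plist_bytes):
    """Report ATS state, privacy usage-description keys and background modes."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    return {
        "ats_disabled": bool(ats.get("NSAllowsArbitraryLoads", False)),
        "usage_keys": sorted(k for k in info if k.endswith("UsageDescription")),
        "background_modes": list(info.get("UIBackgroundModes", [])),
    }

def android_findings(manifest_bytes):
    """Count declared permissions and list those in the dangerous subset."""
    root = ET.fromstring(manifest_bytes)
    names = [el.get(ANDROID_NAME, "") for el in root.iter("uses-permission")]
    short = [n.rsplit(".", 1)[-1] for n in names]
    return {"total": len(names), "dangerous": sorted(n for n in short if n in DANGEROUS)}
```

On a real app, feed it the Info.plist extracted from the IPA and the decoded AndroidManifest.xml from the APK; a globally disabled ATS or a long dangerous-permission list is exactly what lowers the MobSF score.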

What about other platforms?

It is important to note that other social apps such as Instagram, Facebook, Twitter, etc.

So, for the sake of interest, we took a look at the Instagram app for iOS. How did it do? Even worse than TikTok… Meta, the company behind Instagram, may not be subject to Chinese law, but the app’s behaviour is still alarming.

🔴 INSTAGRAM for Apple devices
Identifier: com.zhiliaoapp.musically
❌ Security score: 26/100
Risk rating: F (Critical risk)❗️❗️

A warning is one thing, but how do you technically implement the appropriate measures?

Mobile Device Management (MDM), or Unified Endpoint Management (UEM), is a solution that can enforce such measures.

For purely corporate devices (COBO, corporate-owned, business-only) it can:

  • Either completely control the installation of applications and limit the list of applications to those explicitly allowed,
  • or detect unwanted applications and automate corrective action – e.g. temporarily block device access to the organization’s data.

The installation or use of TikTok can be completely prevented.

For BYOD or corporate devices with a private profile (COPE, corporate-owned, personally enabled), it can:

  • Secure the organization’s data with containerization technology and separate it from private data.
  • Restrict access to the calendar and contacts in the work profile.
  • Control data sharing using the clipboard between private and corporate profiles.

It can therefore limit the range of data that TikTok can access.

New versions of mobile operating systems place great emphasis on protecting user privacy. As a result, applications can no longer read so-called non-resettable device identifiers (MAC, IMEI…) and use them to track the device.

Using mobile device management, we can force an operating system (OS) update and also define the minimum OS version allowed to access the organization’s data.
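To show how the measures above can be automated, here is an added Python example (not code from the post or from any MDM product) that evaluates a device record against the rules just described: allowlist-only apps on COBO devices, work-profile containerization settings on COPE/BYOD devices, and a minimum OS version, with access to the organization’s data blocked temporarily until the device is remediated. The app IDs other than TikTok’s, the minimum versions and the setting names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy; a real MDM/UEM expresses the same rules in its own schema.
BLOCKED_APPS = {"com.zhiliaoapp.musically"}            # TikTok, as identified above
COBO_ALLOWLIST = {"com.example.mail", "com.example.vpn"}  # hypothetical approved apps
MIN_OS = {"ios": (16, 3), "android": (13, 0)}           # assumed minimum versions
WORK_PROFILE_BASELINE = {                                # COPE/BYOD container settings
    "work_profile_separated": True,
    "work_contacts_calendar_shared": False,
    "cross_profile_clipboard": False,
}

@dataclass
class Device:
    name: str
    platform: str      # "ios" or "android"
    os_version: str    # e.g. "16.3.1"
    ownership: str     # "COBO", "COPE" or "BYOD"
    installed: set     # app IDs visible to the MDM (work side only on COPE/BYOD)
    settings: dict = field(default_factory=dict)

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def evaluate(dev):
    """Return the corrective actions the MDM would automate; empty means compliant."""
    actions = []
    if version_tuple(dev.os_version) < MIN_OS[dev.platform]:
        actions.append("force_os_update")
    if dev.ownership == "COBO":
        # Work-only device: only explicitly allowed apps may be installed.
        for app in sorted(dev.installed - COBO_ALLOWLIST):
            actions.append(f"remove_app:{app}")
    else:
        # A private profile exists: enforce the container, not the personal app list.
        for key, wanted in WORK_PROFILE_BASELINE.items():
            if dev.settings.get(key) != wanted:
                actions.append(f"set:{key}={wanted}")
        for app in sorted(dev.installed & BLOCKED_APPS):
            actions.append(f"remove_from_work_profile:{app}")
    if actions:
        # Temporary measure until the device is back in compliance.
        actions.append("block_org_data_access")
    return actions
```

A COBO phone with TikTok installed gets a removal action plus a temporary block; a BYOD phone with an outdated OS or a leaky work profile gets an update or setting fix plus the same block.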

The next level of mobile security is the integration of MDM/UEM solutions with modern Mobile Threat Defense (MTD) tools.

With MTD, we can protect devices from other attack vectors such as privilege escalation, device takeover, network attacks and phishing.
