TikTok, the video-sharing app that boasts 100 million users in the United States, is about to become much less accessible as executive orders previously signed by President Trump start to go into effect. Security and privacy experts had mixed reactions to the news, noting the push-pull between data-privacy concerns and censorship – and highlighting that no concrete security threat has come to light.
Starting Sunday, downloads of TikTok will be cut off from any app store operating in the U.S. Users that already have the app installed will still be able to use it, without refreshes or updates, until Nov. 12, when a complete ban will go into effect. Meanwhile, also starting Sunday, WeChat will be banned outright, meaning that “it will be illegal to host or transfer internet traffic associated with [it],” according to a news release from the U.S. Department of Commerce.
The move comes after Trump signed an executive order issuing the ban on Aug. 6, citing “national-security concerns” over the China-based apps. Commerce Secretary Wilbur Ross echoed that reasoning, and said in the release that the apps allow “China’s malicious collection of American citizens’ personal data.”
While the Nov. 12 shutdown of TikTok may be averted by a deal with Oracle (the corporation wants to take over TikTok’s U.S. operations), for now the very real possibility exists that the app that has dominated Millennial self-expression for the last few months will go by the wayside in the United States.
Data-Collection Concerns
TikTok parent ByteDance has a reportedly cozy relationship with China’s government, including an alleged strategic partnerships in place with Communist Party of China and its ventures in Beijing and Shanghai. Because user data is housed on servers in China by the company, concerns have surfaced about the possible use of the app to snoop information on U.S. citizens.
Those concerns have led to the app being banned by the U.S. military, including by the Army in January. Shortly thereafter, the app fixed several severe security vulnerabilities, putting the app’s security even more into the spotlight.
But are any of the concerns valid?
Some security and privacy experts that Threatpost reached out to about the TikTok and WeChat ban felt the move was a boon for consumers, and noted that the apps, like many social-media apps, are over-permissioned. TikTok for instance (per its privacy policy) does collect phone and social-network contacts, GPS position, personal information such as age, and any user-generated content posted, such as photos and videos. It can store payment information, too.
“The challenge is balancing public wants, national-security perceptions and valid cybersecurity concerns,” Saryu Nayyar, CEO at Gurucul, said via email. “Social-media applications are important platforms for public discourse and influence, but we have seen numerous incidents where these platforms can be abused to any number of ends…Analysis based on Artificial Intelligence and Big Data can make even mundane information useful in the right hands.”
This reality means that government stepping into the fray could be a good thing, Eve Maler, CTO at ForgeRock, told Threatpost.
“The ban on new app versions of TikTok and WeChat is a significant indication of intensifying restrictions that signal the abuse of personal data is not okay,” she said. “It’s going to be effective, and we can expect more steps to come. These moves significantly increase the cost of wholesale personal data collection and use without permission. WeChat in particular, as an ‘all-in-one’ app that conveniently combines many functions, makes it tempting for people to convert real-life daily functions into digital form. It’s better and safer to enable individuals to give permissions to share their data at a finer grain.”
Chloé Messdaghi, vice president of strategy at Point3 Security, agreed that by virtue of being social-media channels, TikTok and WeChat bear watching – but noted that app bans (rather than entrusting individuals to craft their own data destinies) have their own issues.
“We’ve inherently accepted that [social media is] allowed to collect our data for their purposes, without disclosing how that data is being used,” she told Threatpost. “Today, the major social-media companies know so much more about you and I than we know, and in terms of consumer rights and transparency they act a bit like they are their own personal governments.”
However, she added: “As of now there is no publicly available evidence that China had access to or used this data. It’s just being assumed, and that’s unfortunate from a first amendment standpoint. In 2020, TikTok is one of the dominant platforms that has helped help likeminded people to share information and plans, and come together. Much as Twitter did during Arab Spring, TikTok has served as a catalyst in this summer of social upheaval and progress-minded action. Banning TikTok thwarts that.”
No Hard Evidence of Data Abuse?
While many believe that TikTok sends personal and usage information back to the Chinese government, there has been no concrete evidence to that effect that has surfaced in existing technical reviews of the app. In fact, Comparitech evaluated TikTok privacy and security concerns in detail and found no evidence that TikTok is collecting user data and sending it to China.
“TikTok hasn’t been shown to collect any more data than other social-media apps,” Paul Bischoff, privacy advocate with Comparitech, told Threatpost. “It sets a dangerous precedent of censorship in the U.S. We’re banning a Chinese app but adopting a Chinese censorship policy. The latter is much more concerning.”
Chris Hauk, consumer privacy champion at Pixel Privacy, agreed.
“Considering no true threat has been proven, it’s a bit of an overreaction,” he told Threatpost. “The censorship aspects of the ban bug me. Sure, ban it from use in government and certain industries if needed. But banning apps for public use is a totally Chinese government kind of thing. Do we want to travel down that path?”
He added, “Further investigation is needed before any bans are enacted. Banning an app due to unproven suspicions is censorship, plain and simple.”
To get the bans lifted, there will likely need to be several longs rounds of deep technology vetting and inspection. Including but not limited to code base review and traffic analysis, according to Brandon Hoffman, CISO at Netenrich, who added that he hopes transparent technical information comes to light.
“I want to say that the government is doing this for a valid reason,” he told Threatpost. “On the other hand, the banning of specific application feels like an infringement on our rights, and to a degree, our privacy – the very same thing they are claiming to protect. In today’s age, consumers are extremely tech-savvy and well-informed. If the government wants their position validated, not that it needs to be, it would make sense for them to disclose a little more technical detail or findings.”
Post-Ban Security Concerns
While problems within the apps may be hard to nail down, Hank Schless, senior manager of security solutions at Lookout, did flag security problems that will likely arise because of the ban itself. Specifically, because TikTok and WeChat will be end-of-life, no patches or updates will be forthcoming – and that’s potentially a heyday for criminals looking to tap into the app’s enormous user base.
“This is risky because if someone discovers a vulnerability in either app, there won’t be a way to release a fix and users will remain exposed to the risk,” Schless told Threatpost.
Also, in light of the ban, those wanting to use the platform may turn to pirated versions – another enormous threat vector.
“Threat actors will likely start distributing malicious versions of the app through various channels such as other social media platforms,” he noted. “They can identify targets that fall within the primary demographic of TikTok and WeChat users and send them socially engineered messages with links to a malicious app.”
This has already happened: When India banned the app, cybercriminals distributed something called “TikTok Pro” via social media, SMS and messaging platforms within a week of the ban.
“The threat actor behind fake TikTok Pro app in India was able to build and distribute the app in a very short time frame once the ban went out,” according to Schless. “This exemplifies how cybercriminals could take advantage of a similar situation in the U.S. and profit from the public’s desire for the app or to steal personal data. Everyone should be wary of future attempts to distribute fake versions of these two apps targeting our mobile devices.”
It remains to be seen how the situation finally shakes out, but for its part, TikTok said it would continue to argue its case.
“Our community of 100 million US users love TikTok because it’s a home for entertainment, self-expression and connection,” the company said in a statement on Friday, “and we’re committed to protecting their privacy and safety as we continue working to bring joy to families and meaningful careers to those who create on our platform.”