Social media app TikTok continues to stir controversy because of its ties to China. While the company appointed an American CEO in an effort to rebuild the trust of the US, that doesn’t change the fact that TikTok is owned by Beijing-based company ByteDance. US Administration officials have been looking at the national security risk specifically as it relates to the gathering of information on American citizens by a foreign adversary. On August 6, the White House announced a ban on TikTok in the United States by executive order.

As more and more businesses grapple with the idea of banning the app, there are concerns that go beyond the company's links to the Chinese government. Businesses have also been wondering whether the app itself is safe and secure.

In light of the ban, companies in the US should also be worried about what happens to the millions of devices that have an abandoned app installed that might not be receiving regular updates and security patches anymore. There are plenty of risks associated with abandoned apps which we highlighted in this recent piece of research.

We conducted a risk assessment of the TikTok app to help our customers decide whether or not to ban the app on employee devices based on the security aspects of the app build.

Security history

The TikTok app has a history of security and privacy issues that have made the news, a few of which are listed below:

  • TikTok has been called out for delivering its video content over an insecure HTTP connection, which leaves it open to interception and manipulation. Versions before 15.9.0 used plain HTTP for content transfer; later versions fixed this only partially, and not all API endpoints are fully secured.
  • Users discovered that TikTok was reading the clipboard every few keystrokes, even while the app was running in the background. This was fixed in the latest update, but the reason it was done in the first place is unknown.
  • TikTok has been banned on devices used by the US government and by Amazon (a ban that was withdrawn shortly after), as well as at a few other prominent companies including Wells Fargo. India also banned TikTok in June 2020, citing national security concerns. These reactions have created bad optics and raised concerns not only about where the data is going, but about what data is being collected (see the permissions listed below).

Security issues of the app itself

The many security blunders that have pushed TikTok into the spotlight suggest it was not designed with security front of mind. The app uses techniques that could lead to local or remote exploits (insecure copy in memory, etc.), collects an extraordinary amount of information, and actively prevents code auditing.

TikTok collects information about users at every opportunity. For example, if you want to install the app from its website, you can enter your phone number and it sends you an SMS containing the download link, an unnecessary step considering you can simply navigate to the app stores instead.

The source code of the app is heavily obfuscated, making it difficult to provide a comprehensive security audit that covers 100% of its functionality. Obfuscation also prevents competitors from copying functionality, and on its own it is not a conclusive indicator of risk. Combined with active anti-debugging and anti-reversing techniques (which our researchers confirmed TikTok is using), however, it is very suspicious. This protection is deliberate (not a side-effect of any SDK) and clearly hinders code auditing by researchers. Apps like WhatsApp also use code protection techniques, but they do not prevent verification of basic functionality such as secure communication.

Additionally, the content on the network is not moderated even if it’s explicit or problematic.

We performed a cursory analysis of the latest versions of each app available at the time of this write-up. The results are below.

TikTok for Android

App risk level: Medium
Version tested: 16.6.43
Number of permissions: 67
Number of embedded URLs (network connections): 6
Number of third-party libraries: 1
Notes: Excessive number of permissions requested; according to our data, the average Android app requests nine. A handful of high-risk permissions could contribute to device compromise. Several permissions allow modification of system behavior depending on OS version and vendor (audio settings, wake lock, etc.); on Huawei and other Chinese-made handsets the app could modify system settings.

 

The riskiest Android permissions requested by TikTok 
Permission                          Risk level   Share of other apps requesting it
Internet                            High         90%
Access network state                High         86%
Write to external storage           High         68%
Wake lock                           High         62%
Access WiFi state                   High         45%
Receive                             High         58%
Access fine location                High         20%
Read external storage               High         45%
Access coarse location              High         19%
Receive boot completed              High         37%
Camera                              High         17%
Read contacts                       High          5%
Get tasks                           High         10%
Write settings                      High         12%
Record audio                        High          8%
Receive ADM message                 High          1%
Billing                             High         42%
Write sync settings                 High          3%
Modify audio settings               High          6%
Request install packages            High          5%
Reorder tasks                       High          2%
Bind get install referrer service   High         63%
Use credentials                     High          3%
Manage accounts                     High          2%
Authenticate accounts               High          4%
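Both the permission count and the plain-HTTP question are things you can check yourself from a decoded manifest. The following Python script is an added example written for this article; it is not Wandera's App Insights tooling and not code from TikTok. It assumes the APK has already been decoded to a plain-text AndroidManifest.xml (apktool does this), and the manifest embedded below is constructed for illustration, not TikTok's real manifest. The mapping from the human-readable labels in the table above to android.permission.* constants is ours; the two "Receive" rows are left out of the high-risk set rather than guessed. The cleartext check encodes the platform rule that apps targeting API 28 or later block plain HTTP by default unless the manifest or a network security config says otherwise.

```python
"""Audit a decoded AndroidManifest.xml for requested permissions and the
app's cleartext (plain HTTP) policy.

Added example for this article; not Wandera's tooling and not TikTok code.
Assumes the APK was decoded to plain XML first (e.g. `apktool d app.apk`).
"""
import xml.etree.ElementTree as ET

# android:* attributes live in this XML namespace.
ANDROID = "{http://schemas.android.com/apk/res/android}"

# Article figure: the average Android app requests nine permissions.
AVERAGE_PERMISSIONS = 9

# The article's "High" rows mapped to manifest constants (mapping is ours;
# the ambiguous "Receive" rows are omitted rather than guessed).
HIGH_RISK = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.WAKE_LOCK",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.GET_TASKS",
    "android.permission.WRITE_SETTINGS",
    "android.permission.RECORD_AUDIO",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.REORDER_TASKS",
    "android.permission.WRITE_SYNC_SETTINGS",
    "android.permission.MODIFY_AUDIO_SETTINGS",
    "android.permission.USE_CREDENTIALS",
    "android.permission.MANAGE_ACCOUNTS",
    "android.permission.AUTHENTICATE_ACCOUNTS",
    "com.android.vending.BILLING",
    "com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE",
}


def cleartext_policy(uses_cleartext_attr, has_network_security_config, target_sdk):
    """True/False if plain HTTP is allowed; None if it depends on a
    network_security_config.xml this script does not parse.

    Platform rule: android:usesCleartextTraffic wins when present; otherwise
    apps targeting API 28+ block cleartext by default, older targets allow it.
    """
    if uses_cleartext_attr is not None:
        return uses_cleartext_attr.strip().lower() == "true"
    if has_network_security_config:
        return None
    return target_sdk < 28


def audit_manifest(xml_text):
    root = ET.fromstring(xml_text)
    perms = sorted({p.get(ANDROID + "name") for p in root.iter("uses-permission")
                    if p.get(ANDROID + "name")})
    sdk = root.find("uses-sdk")
    target_sdk = int(sdk.get(ANDROID + "targetSdkVersion", "1")) if sdk is not None else 1
    app = root.find("application")
    uses_cleartext = app.get(ANDROID + "usesCleartextTraffic") if app is not None else None
    has_nsc = app is not None and app.get(ANDROID + "networkSecurityConfig") is not None
    return {
        "permission_count": len(perms),
        "excess_over_average": len(perms) - AVERAGE_PERMISSIONS,
        "high_risk": [p for p in perms if p in HIGH_RISK],
        # Non-platform permissions come from Google/Amazon/vendor SDKs and
        # deserve a second look because their effect is vendor-defined.
        "non_platform": [p for p in perms if not p.startswith("android.permission.")],
        "cleartext_allowed": cleartext_policy(uses_cleartext, has_nsc, target_sdk),
    }


# Constructed sample manifest for illustration only (not TikTok's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.video">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="com.android.vending.BILLING"/>
  <uses-permission android:name="com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE"/>
  <application android:label="Sample" android:usesCleartextTraffic="true"/>
</manifest>
"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(f"{report['permission_count']} permissions "
          f"({report['excess_over_average']:+d} vs. average of {AVERAGE_PERMISSIONS})")
    print("high risk:", ", ".join(p.rsplit(".", 1)[-1] for p in report["high_risk"]))
    print("non-platform:", report["non_platform"])
    print("cleartext HTTP allowed:", report["cleartext_allowed"])
```

Run it against the decoded manifest of any build you are assessing; a count far above the nine-permission average, a long high-risk list, or cleartext_allowed of True (or None, meaning you still have to read the network security config) are the signals the table above is summarising.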

 

TikTok for iOS

App risk level: Medium
Version tested: 16.6.4
Number of permissions: 7
App Transport Security (ATS): Disabled
Number of extracted URLs: 366
Number of third-party libraries: 4
Notes: ATS is disabled, which allows insecure HTTP connections, and a few APIs make use of this. Apps often disable ATS to speed up media transfer, although Apple provides a media-only exception for exactly that purpose, so a global exception is broader than media delivery requires. The app also uses sensitive APIs such as precise location and contact-list access. Apple only permits these when the app declares a purpose string for each one and the user grants consent, and App Review rejects apps whose use of them is not justified by their functionality.

 

The riskiest iOS permissions requested by TikTok
Permission             Risk level   Share of other apps requesting it
Location when in use   High         51%
Microphone             High         23%
Photo library          High         20%
Contacts               High         16%
Camera                 High         78%
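The "ATS disabled" verdict and the iOS permission list above both come straight out of the app's Info.plist, so they are easy to reproduce. The script below is an added example written for this article; it is not Wandera's tooling and not TikTok code. It loads an Info.plist with the standard-library plistlib, distinguishes a global NSAllowsArbitraryLoads from the narrower media, web-content and per-domain exceptions, and treats the NS*UsageDescription purpose strings as the app's declared capabilities (without the key the OS refuses the API, so their presence shows intent). The plist embedded below is constructed for illustration and is not TikTok's actual Info.plist; the mapping from the table's labels to plist keys is ours.

```python
"""Check an iOS Info.plist for App Transport Security (ATS) weakening and
for the privacy-sensitive capabilities the app declares.

Added example for this article; not Wandera's tooling and not TikTok code.
Works on the XML form of Info.plist (binary plists also load via plistlib).
"""
import plistlib

# The article's "High" iOS rows mapped to their Info.plist purpose-string keys.
HIGH_RISK = {
    "NSLocationWhenInUseUsageDescription": "Location when in use",
    "NSMicrophoneUsageDescription": "Microphone",
    "NSPhotoLibraryUsageDescription": "Photo library",
    "NSContactsUsageDescription": "Contacts",
    "NSCameraUsageDescription": "Camera",
}


def load_info(plist_bytes):
    return plistlib.loads(plist_bytes)


def ats_status(info):
    """'Disabled' = every connection may be plain HTTP; 'Partially disabled'
    = only media/web-content loads or listed domains; 'Enabled' otherwise."""
    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        return "Disabled"
    partial = (ats.get("NSAllowsArbitraryLoadsForMedia")
               or ats.get("NSAllowsArbitraryLoadsInWebContent")
               or any(rules.get("NSExceptionAllowsInsecureHTTPLoads")
                      for rules in ats.get("NSExceptionDomains", {}).values()))
    return "Partially disabled" if partial else "Enabled"


def ats_findings(info):
    """One line per setting that admits plaintext HTTP."""
    ats = info.get("NSAppTransportSecurity", {})
    out = []
    if ats.get("NSAllowsArbitraryLoads"):
        out.append("NSAllowsArbitraryLoads: ATS off for all connections "
                   "(media streaming alone only needs NSAllowsArbitraryLoadsForMedia)")
    if ats.get("NSAllowsArbitraryLoadsForMedia"):
        out.append("NSAllowsArbitraryLoadsForMedia: plain HTTP for AVFoundation media")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        out.append("NSAllowsArbitraryLoadsInWebContent: plain HTTP inside web views")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            scope = "incl. subdomains" if rules.get("NSIncludesSubdomains") else "exact host"
            out.append(f"{domain} ({scope}): plain HTTP allowed")
    return out


def declared_capabilities(info):
    """Purpose-string keys are the closest thing iOS has to a permission list."""
    keys = sorted(k for k in info if k.startswith("NS") and k.endswith("UsageDescription"))
    return {
        "count": len(keys),
        "high_risk": [HIGH_RISK[k] for k in keys if k in HIGH_RISK],
        # App Review rejects empty or boilerplate purpose strings; flag empties.
        "empty_purpose_strings": [k for k in keys if not str(info[k]).strip()],
    }


# Constructed sample Info.plist for illustration only (not TikTok's plist).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.video</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>cdn.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
    </dict>
  </dict>
  <key>NSCameraUsageDescription</key><string>Record videos</string>
  <key>NSMicrophoneUsageDescription</key><string>Record audio for videos</string>
  <key>NSContactsUsageDescription</key><string>Find friends</string>
  <key>NSLocationWhenInUseUsageDescription</key><string>Show nearby content</string>
  <key>NSPhotoLibraryUsageDescription</key><string></string>
</dict>
</plist>
"""

if __name__ == "__main__":
    info = load_info(SAMPLE_PLIST)
    print("ATS:", ats_status(info))
    for line in ats_findings(info):
        print("  -", line)
    caps = declared_capabilities(info)
    print(f"{caps['count']} capabilities declared; high risk: {caps['high_risk']}")
    print("empty purpose strings:", caps["empty_purpose_strings"])
```

The status string is deliberately the same vocabulary as the table above: a global NSAllowsArbitraryLoads is what "Disabled" means there, while a media-only or per-domain exception would be a weaker finding that still deserves a note.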

 

Click here to learn more about how Wandera assesses the risk level of applications.

Growing popularity

According to Sensor Tower, the app has been downloaded more than 2 billion times. We looked at our own database of protected mobile devices to see if this surge in downloads is reflected.

The chart below shows the cumulative increase in the number of TikTok downloads on protected mobile devices within our customer base, i.e. the overall number of downloads compared with a baseline taken 12 months ago (July 2019).

The chart indicates that the rate of TikTok downloads climbed rapidly from December 2019 and started to slow in June 2020. Even with this slowdown, the number of daily installations is still around five times what it was this time last year (July 2019).

Recommendations

Despite the ban, an abandoned TikTok will probably remain installed by its loyal users, so it is up to businesses to assess whether the key risk indicators uncovered by various researchers put the app in breach of corporate policy. Businesses also need to weigh up the risk of keeping an app installed that no longer receives regular updates.

Whether you decide to force the removal of TikTok, place it on a watch list, or simply keep an eye on it, we recommend using a mobile security service like Wandera to take control of your app risk management.

  1. If you decide to force the removal of TikTok, Wandera can enable you to enforce a policy to block network connections of the app until it is removed.
  2. If future versions of the app include malicious domains in the app binary, Wandera can apply blocks to that specific bad domain. Wandera’s App Insights provides you with a live list of embedded domains.
  3. If a version of TikTok is found to be extremely vulnerable, you can use Wandera to pinpoint exactly where in your fleet that version is installed.
  4. If phishing is (or becomes) embedded in the TikTok app, Wandera can scan network traffic and detect that malicious phishing domain the app is reaching out to and block any traffic coming from the app to that domain.
  5. If the app fails to use encryption while transferring personal data externally, Wandera will scan data in transit for unencrypted information and notify the admin in the event a leak is discovered. 

Wandera customers can use the ‘App Insights’ feature (under Security > App Insights) to identify apps that are currently in use within the mobile fleet and to determine which specific devices are impacted, should the ban go into effect. Additionally, the ‘App WatchList’ feature (under Security > App Insights > App WatchList) can be used to set up alerts that will flag future installations of non-compliant apps. To add TikTok to the ‘App WatchList’, simply use the package name “com.zhiliaoapp.musically” to flag future installs on either Android or iOS devices. Finally, the custom blacklist feature (under Policy > Block Policy) can be used to prevent the app from communicating with specified endpoints, effectively rendering the app ‘disconnected’ when installed on a protected device.

If you would like to know more about managing the risk of TikTok on your employee devices, get in touch with one of our experts.