Is Banning TikTok the Right Approach or Are We Ignoring the Real Problem?
April 27, 2023
With over a billion downloads on Google Play Store alone and consistently near the top of app rankings on both Apple and Google platforms, TikTok has been under scrutiny for its privacy and security risks. This is a cause for significant concern, as the app’s large user base means any such risks could impact a massive portion of the US and global populations. In this blog, we will focus on the permissions requested by the app, as well as other key takeaways that need attention.
Part 1: Permissions
Back in 2019 we looked into some of these risks in more detail and found some alarming things; you can get up to speed by reading the Politico article here. The short version is that the app collected a large amount of data and held some questionable permissions to read data it did not need (including everything that showed up in your notifications). All of this raised a question: is TikTok the only app doing this?
To find the answer, we leveraged our Q-Scout platform that analyzes mobile apps and began testing. For this analysis we grabbed a sample set of some of the most popular apps in the store with a few core themes which you will see show up in our charts below.
- Bytedance – Apps developed by TikTok’s parent company, Bytedance.
- Social – Popular social media apps from a diverse range of developers.
- Trending – Apps (often from lesser known developers) released around a popular trend that shoot up the recommended list in the app stores. This focused on apps providing AI chat, capturing the zeitgeist for early 2023.
- Utility – VPNs, QR Scanners, and some of the other most popular tools in the store.
- Top Apps – A selection of the most popular apps in the different app store categories which were not already included in the other categories.
On Android, every permission carries a protection level that Google assigns based on its implied risk. The levels are summarized below and described in detail in the Android developer documentation.
- Normal – The default level. Granted automatically at install time; the user is never prompted.
- Dangerous – Requires explicit consent from the user at runtime. These are the permission prompts you are most familiar with when using your device.
- Signature – Granted only if the requesting app is signed with the same certificate as the app (or the platform) that declared the permission. Most commonly used for system-level permissions declared by the platform or the device manufacturer, and when they are granted they tend to have the highest impact on user privacy.
What many may not know is that apps can also request permissions that other apps and manufacturers declare ad hoc in their own manifests. These are not part of the permission set Google defines for the platform: the operating system only enforces whatever protection level the declaring app chose, and the Android settings UI does not show them to the user. Here we call these hidden permissions “Custom” permissions. This type of permission is what TikTok previously leveraged to gain access to your notification data without asking you: it requested a Custom permission declared by another app that itself held the Notification permission. This example is why these permissions deserve attention. They can bypass the operating-system protections users are familiar with and grant access to data without the user’s consent or knowledge.
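The four permission types above, as an added example (this is not Q-Scout's code or the article's own): a small Python script that parses two constructed AndroidManifest.xml files, counts the requesting app's permissions by type, and traces each Custom permission back to the app that declared it, reporting whether it would be granted without a prompt. The manifests, package names and component names are made up for the demo, and the dangerous/signature tables are a small subset of the platform's protectionLevel table.

```python
"""Classify the permissions an Android app requests from its AndroidManifest.xml.

Added example, not Q-Scout code. The two manifests below are constructed, and the
DANGEROUS / SIGNATURE tables are small subsets of the platform's protectionLevel
table (assumption for the demo; a real tool loads the full table, e.g. from
`adb shell pm list permissions -f`).
"""
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of platform permissions with protectionLevel "dangerous" (runtime prompt).
DANGEROUS = {
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}
# Subset of platform permissions whose protectionLevel includes "signature".
SIGNATURE = {
    "android.permission.READ_LOGS",
    "android.permission.PACKAGE_USAGE_STATS",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}
# Names under these namespaces ship with the platform; any platform name not in
# the two tables above is treated as "normal" here (assumption for the demo).
PLATFORM_PREFIXES = ("android.permission.", "com.android.")


def uses_permissions(manifest_xml: str) -> list[str]:
    """Names in <uses-permission> elements, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def defined_permissions(manifest_xml: str) -> dict[str, dict]:
    """Custom permissions an app declares: protection level and the components they guard."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    defs = {}
    for el in root.iter("permission"):
        name = el.get(ANDROID_NS + "name")
        # protectionLevel defaults to "normal" when the declaring app omits it
        level = el.get(ANDROID_NS + "protectionLevel", "normal")
        defs[name] = {"package": pkg, "protectionLevel": level, "guards": []}
    # Record which exported components each declared permission gates.
    for el in root.iter():
        for attr in ("permission", "readPermission", "writePermission"):
            guarded = el.get(ANDROID_NS + attr)
            if guarded in defs:
                defs[guarded]["guards"].append(f"{el.tag}:{el.get(ANDROID_NS + 'name')}")
    return defs


def classify(name: str) -> str:
    """Map a permission name to one of the four types discussed in the post."""
    if name in DANGEROUS:
        return "dangerous"
    if name in SIGNATURE:
        return "signature"
    if name.startswith(PLATFORM_PREFIXES):
        return "normal"
    return "custom"


def analyze(requester_xml: str, other_manifests: list[str]) -> dict:
    """Count requested permissions by type and explain every custom one."""
    declared = {}
    for manifest in other_manifests:
        declared.update(defined_permissions(manifest))
    counts = Counter()
    custom = []
    for name in uses_permissions(requester_xml):
        kind = classify(name)
        counts[kind] += 1
        if kind != "custom":
            continue
        decl = declared.get(name)
        if decl is None:
            custom.append({"name": name, "status": "undefined"})
        else:
            # A "normal" custom permission is granted at install time with no prompt,
            # which is exactly how notification data can leak without the user knowing.
            custom.append({"name": name, "status": "defined", "definer": decl["package"],
                           "protectionLevel": decl["protectionLevel"],
                           "guards": decl["guards"],
                           "granted_without_prompt": decl["protectionLevel"] == "normal"})
    return {"counts": dict(counts), "custom": custom}


# Constructed manifest of the app under analysis (hypothetical package name).
REQUESTER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.requester">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="com.example.notifier.permission.READ_NOTIFICATIONS"/>
  <uses-permission android:name="com.example.vendor.permission.DEVICE_INFO"/>
</manifest>"""

# Constructed manifest of a second app that holds notification data and exposes it
# behind a custom permission it declared with the default (normal) protection level.
NOTIFIER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notifier">
  <permission android:name="com.example.notifier.permission.READ_NOTIFICATIONS"/>
  <application>
    <provider android:name="com.example.notifier.NotificationProvider"
              android:authorities="com.example.notifier.notifications"
              android:exported="true"
              android:readPermission="com.example.notifier.permission.READ_NOTIFICATIONS"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    report = analyze(REQUESTER_MANIFEST, [NOTIFIER_MANIFEST])
    print("counts by type:", report["counts"])
    for finding in report["custom"]:
        print("custom:", finding)
```

On a real APK the requester manifest would come from the decoded output of `apktool d` rather than a string constant, and the other manifests from every other app installed on the device, since that is where custom permissions are declared. Note the caveat in `classify`: any platform permission outside the two small tables is reported as normal, so for real analysis load the full protectionLevel table from the device before trusting the counts.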
In the chart above you can see the outcome of our permissions analysis. We compared TikTok’s permissions with the average for each of our other categories to show how it measures up. TikTok does indeed ask the user for an above-average number of permissions, including permissions of all four types. Of note, this behavior is not limited to TikTok: Bytedance applications in general outpace the average across all other categories. While this appears to be as expected so far, take a look at the chart below.
In our sample set TikTok was actually third in the list of applications with the most permission requests. Even in the short list of the most popular apps in the market, there are a number of apps which either beat or come very close to the level of access that TikTok has. Beyond this sample set, there are many more.
Now we can pose the question asked in the title of this series for the first time, is banning TikTok the right approach or are we ignoring the real problem?
Thanks for sticking around for the first part in this series, where we look into TikTok and the larger problems in the mobile app landscape. In future parts of this series we will look at the security risks in TikTok and other popular apps, the connections to bad actors made by TikTok and other popular apps, the alarming number of apps not named TikTok that include code from Bytedance, and more. If you want to be alerted when the series continues, please sign up here.