The Security Risks Inherent in the TikTok App
May 17, 2023
With over a billion downloads on Google Play Store alone and consistently near the top of app rankings on both Apple and Google platforms, TikTok has been under scrutiny for its privacy and security risks. This is a cause for significant concern, as the app’s large user base means any such risks could impact a massive portion of the US and global populations. In this iteration of our blog, we will focus on the security risks in the app, as well as other key takeaways that need attention. If you haven’t seen the first few blogs in this series be sure to check them out!
Part 2: Security
Today we shift our focus from the permissions to the security risks inherent in TikTok and our sample set of apps. To assess the risks we leveraged the analysis engines that power our Q-Scout product. These engines automatically identify risks like insecure data storage, data leakage, and exposure to network-based attacks. Our tools are built on over a decade of research and development from our team. If you’re interested in learning more about how they operate and what they look for, take a look at our academic papers and presentations from BlackHat, Usenix, and other top conferences.
Judging security risk is difficult: it depends on the weaknesses in the code, how likely they are to be exploitable, where the app shares the data it accesses, and the context in which the app is used, among other things. Our goal here is to provide a data-driven, neutral presentation of the results. To this end we have leveraged two of our newest analysis engines to discover the weaknesses in the apps, and we intentionally present the raw results without adding the context of geopolitical issues. In the charts below you will see the risks found in the app’s code with a severity level of High and Medium. This severity is based on a combination of industry standards created by NIST, OWASP, NIAP, and academia. In addition to the High and Medium risks, we are also looking at a widespread set of risks identified by one of our newest engines, which focuses on Manifest analysis, an often overlooked source of risk in the App Store. The charts show the total of the High, Medium, and Manifest risks in each application. This represents not only the unique risks, for example usage of a weak cipher for encrypting data, but the total occurrences of each risk. Encrypting data with a weak cipher 100 times presents more risk than doing it only once or twice.
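To illustrate the distinction between unique risks and total occurrences, and the kind of finding a manifest analysis surfaces, here is an added example (not Q-Scout’s engine and not code from this post) that scans a constructed AndroidManifest.xml for a handful of well-known manifest weaknesses and tallies them. The severity labels are illustrative assumptions, not the ratings used in our charts.

```python
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest for demonstration; not taken from TikTok or any real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".ShareActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="true"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data" android:exported="true"/>
  </application>
</manifest>
"""


def manifest_risks(xml_text):
    """Return a Counter mapping (risk_name, severity) -> number of occurrences."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    risks = Counter()
    if app is None:
        return risks
    # Application-wide flags: each one counts once per manifest.
    if app.get(ANDROID_NS + "debuggable") == "true":
        risks[("debuggable_build", "High")] += 1
    if app.get(ANDROID_NS + "usesCleartextTraffic") == "true":
        risks[("cleartext_traffic_allowed", "Medium")] += 1
    if app.get(ANDROID_NS + "allowBackup") == "true":
        risks[("backup_allowed", "Medium")] += 1
    # Component-level findings: one occurrence per exported component that
    # is not guarded by a permission, so the same risk can be counted many times.
    for tag in COMPONENT_TAGS:
        for comp in app.iter(tag):
            exported = comp.get(ANDROID_NS + "exported") == "true"
            guarded = comp.get(ANDROID_NS + "permission") is not None
            if exported and not guarded:
                severity = "High" if tag == "provider" else "Medium"  # assumed rating
                risks[(f"exported_{tag}_without_permission", severity)] += 1
    return risks


def unique_and_total(risks):
    """Unique risk kinds vs. total occurrences, the distinction the chart totals rely on."""
    return len(risks), sum(risks.values())
```

On the sample manifest this reports six distinct risks but seven occurrences, because the exported-activity finding fires twice.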
So, is TikTok more risky than your average social media app? Yes, but not by much. This first chart compares TikTok’s total number of risks to our other app categories. The main standout is that Bytedance’s other applications likely deserve more attention: they contain more risks on average than TikTok and all other categories, by a wide margin. But if we take a step back, is this all that surprising? TikTok gets a large amount of attention and is under pressure to protect users, so it makes sense that they take care to focus on the security of the app. Meanwhile, the other Bytedance apps that sit right next to it on the top lists in the store don’t face the same pressure, and the same rigor is not apparent in the results.
But this isn’t exclusive to Bytedance: when we look at this chart showing the apps with the most risks in our analysis, TikTok is all the way down at #6. To protect users from overly permissive and risky apps, it is critical to pay attention not only to what is in the news or what is already known to be bad. Enterprises and end users need the ability to peek behind the curtain at the unknown risks and assess, from a neutral perspective, which apps are safe and unsafe to use on their devices. This capability is known as proactive protection, and it enables users to assess risk on demand without bias. New trending face swap app that hit the store yesterday? Find out whether it should be on your device before you read about it sharing your photos with Russia two weeks later.
Thanks for reading. If you’re interested in finding out more about how we operationalize this capability for our customers, reach out to us.
Stay tuned for the next blog in this series, where we will focus on the spread of Bytedance’s code in the app store beyond the apps that they publish directly. We’ll provide you the ammo to answer the question: does banning TikTok alone really address the problem?