TikTok’s Rise in Popularity and the Security Risks That Could Lead to Nationwide Bans

Ryan Johnson | April 11, 2023

Remember when Tik Tok was mostly associated with Kesha? A different TikTok has emerged, and as of April 7, 2023 it sits at #2 in both the top free and top grossing app charts on Google Play in the United States. Similarly, TikTok is listed at #5 in the top free iPhone app chart on Apple’s App Store. Considering Google Play alone, the TikTok app has more than a billion downloads. This iteration of TikTok is a mobile app developed by ByteDance, a company headquartered in Beijing. TikTok has perennially been in the national news and has been appearing there with increasing frequency over the past few years. While its rapid rise in popularity has been astonishing, it is not without its critics. The situation is also unfolding in a context of mutually declining trust between the United States and China. I will cover some of the contours of the arguments that people have been making regarding the risks of using TikTok.

App Permissions

Mobile apps rely on a permission model that hinges on the user correctly understanding what an app can do once it is granted a permission. Each permission a user grants to an app provides some corresponding capability on the device, such as reading the user’s contact list. As with any mobile app that you install, you should be cognizant of the permissions that you grant to it. To make the mapping of permissions to capabilities clearer, here are some resources that explain Android permissions, and here are some resources that cover iOS permissions. In addition to user security awareness, both Android and iOS have been tightening security with the release of each major system update.

Users sacrificing their privacy for monetarily free functionality is not new, as many mobile apps rely primarily on advertising revenue. There is limited transparency for users with respect to what an app actually does with the user data that it accesses. Does the user data stay local to the device, or is it sent over the network? Who is the data shared with, and for what purposes? Is the data potentially exposed to local or remote actors because the app does not adhere to security best practices? Google provides the “Data Safety” section for apps in Google Play, which gives a partial answer to these questions by having the app developer self-report their justification for permission usage and their handling of user data. Apple provides the “App Privacy” section, which details the user data that each app collects. Apps can also provide their own privacy policy, which lets them list in their own words what user data they collect and how they handle it. I suggest that the reader at least examine the “Information You Provide” section in TikTok’s privacy policy for their own awareness.

Focusing on the TikTok Android app, the current version, 28.9.4, requests 59 different permissions. Of these 59 permissions, 25 are standard Android Framework permissions (e.g., “android.permission.READ_CONTACTS”), 6 are its own custom permissions (e.g., “com.zhiliaoapp.musically.permission.READ_ACCOUNT”), and the remaining 28 permissions are used to integrate with vendor devices (e.g., “com.samsung.android.mapsagent.permission.READ_APP_INFO”) and external libraries (e.g., “com.amazon.device.messaging.permission.RECEIVE”). Users have some control over these permissions: the more significant (runtime) permissions require that the user explicitly grant them to the app, while the less concerning (install-time) permissions are automatically granted to the app upon installation. Even if a user has previously granted a permission to the app, the user can manually revoke it at any point. Now is a good time to review your apps’ permissions to exercise proper security hygiene.
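To make the three buckets above concrete, here is an added example (not code from the post or from Quokka) that reads a constructed manifest excerpt using the permission names quoted above and groups them as framework, custom, or third-party, then marks which framework permissions the user must grant at runtime. The runtime set is a small subset of Android’s dangerous permissions and is an assumption for illustration, not the full platform list.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Small subset of Android "dangerous" (runtime-granted) permissions; the full
# list lives in the platform manifest. Everything else is treated as install-time.
RUNTIME_PERMISSIONS = {
    "android.permission.READ_CONTACTS", "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
}

# Constructed manifest excerpt built from the permission names quoted in the post.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.zhiliaoapp.musically">
  <permission android:name="com.zhiliaoapp.musically.permission.READ_ACCOUNT"
      android:protectionLevel="signature"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="com.zhiliaoapp.musically.permission.READ_ACCOUNT"/>
  <uses-permission android:name="com.samsung.android.mapsagent.permission.READ_APP_INFO"/>
  <uses-permission android:name="com.amazon.device.messaging.permission.RECEIVE"/>
</manifest>"""


def classify_permissions(manifest_xml):
    """Group each <uses-permission> into framework / custom / third_party and
    list the framework permissions that need a runtime grant from the user."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    declared = {p.get(ANDROID_NS + "name") for p in root.iter("permission")}
    groups = defaultdict(list)
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name")
        if name.startswith("android.permission."):
            bucket = "framework"
        elif name in declared or name.startswith(package + "."):
            bucket = "custom"
        else:
            bucket = "third_party"  # vendor-device or library integrations
        groups[bucket].append(name)
    groups["runtime"] = sorted(n for n in groups["framework"] if n in RUNTIME_PERMISSIONS)
    return dict(groups)


if __name__ == "__main__":
    for bucket, names in classify_permissions(SAMPLE_MANIFEST).items():
        print(f"{bucket} ({len(names)}): {', '.join(names)}")
```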

Risks

Some people have argued that, beyond its addictive user experience, TikTok could be used for information gathering and for manipulating content for ideological purposes. With regard to data gathering, mobile apps are generally circumscribed by the permissions that they request. While mobile apps are “sandboxed” to limit their interaction with other apps and the system itself, there are still permissible communication channels between apps on mobile devices. This inter-app communication may appear completely normal, but it can provide opportunities for an app to exploit local vulnerabilities, such as missing access control checks, in other apps co-located on the device in order to illicitly escalate its privileges. Mobile apps are not completely isolated; they operate within a context consisting of the interactions between the device’s pre-loaded software, third-party software, and both local and remote entities.

The general threat of popular mobile apps exploiting vulnerabilities became less theoretical last week when an Android app belonging to Pinduoduo was alleged to be malicious by multiple security researchers. Google cautiously removed the Pinduoduo app from Google Play, although the version of Pinduoduo on Google Play was not found to be malicious. To put this in perspective, Pinduoduo is listed on the Nasdaq stock exchange under the symbol PDD and has a market capitalization of 91 billion USD, as of April 7, 2023. According to various security experts, Pinduoduo’s Android app had the ability to exploit almost 50 vulnerabilities, some of which were in the Android Open Source Project (AOSP), Google’s core Android code, and others in Android vendor code.

Due to the complexity of modern mobile software, developers can make mistakes that manifest as exploitable vulnerabilities. The attack surface of a device’s pre-loaded software can make it difficult to concretely determine the extent of an app’s capabilities, as this depends on the app’s exact environment, which can vary from device to device. Even if an app requests no permissions, it may exploit vulnerabilities in software co-located on the device to have that software perform actions on its behalf. Analyzing pre-loaded mobile software is one of Quokka’s core competencies. The Android ecosystem is rich with a diversity of Android vendors, each with their own customizations and modifications.
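The “missing access control checks” discussed above frequently come down to Android components that a pre-loaded app exports without requiring any permission, so that any co-located app can reach them. This added example (not the post’s or Quokka’s code; the manifest is a constructed one for a hypothetical vendor app) audits a manifest for exported components that no permission guards, including the common case of a content provider whose read side is guarded but whose write side is not.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed manifest for a hypothetical pre-loaded vendor app; not a real one.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vendor.tool">
  <application>
    <!-- exported but guarded: callers must hold the named permission -->
    <service android:name=".SettingsService" android:exported="true"
        android:permission="com.example.vendor.permission.SETTINGS"/>
    <!-- exported and unguarded: any co-located app can trigger it -->
    <receiver android:name=".RebootReceiver" android:exported="true"/>
    <!-- no explicit flag; an intent-filter makes it exported by default -->
    <activity android:name=".LogViewerActivity">
      <intent-filter><action android:name="com.example.VIEW_LOGS"/></intent-filter>
    </activity>
    <activity android:name=".MainActivity" android:exported="false"/>
    <!-- read side guarded, write side left open -->
    <provider android:name=".FileProvider" android:authorities="com.example.files"
        android:exported="true" android:readPermission="com.example.vendor.permission.READ"/>
  </application>
</manifest>"""


def is_exported(elem):
    """Explicit android:exported wins; otherwise an intent-filter exports it (pre-Android 12 rule)."""
    explicit = elem.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.tag != "provider" and elem.find("intent-filter") is not None


def is_guarded(elem):
    """A component is guarded only if every entry point requires a permission."""
    if elem.get(A + "permission"):
        return True
    if elem.tag == "provider":
        return bool(elem.get(A + "readPermission")) and bool(elem.get(A + "writePermission"))
    return False


def find_unguarded_exports(manifest_xml):
    """Return (component type, name) pairs other apps can reach without holding a permission."""
    root = ET.fromstring(manifest_xml)
    return [(tag, elem.get(A + "name"))
            for tag in COMPONENTS
            for elem in root.iter(tag)
            if is_exported(elem) and not is_guarded(elem)]
```

Each reported component is a candidate for adding an `android:permission` (or `writePermission`) attribute or setting `android:exported="false"` if other apps never need it.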

Whether content on TikTok is intentionally promoted or suppressed in pursuit of an ideological agenda has not been proven with any concrete evidence. This remains a theoretical risk, although election interference is fresh in the minds of some Americans. TikTok has offered additional transparency into its algorithms in an attempt to allay the fears of US lawmakers. Recently, the CEO of TikTok testified before the US Congress. It is too soon to gauge how this hearing will materially affect the fate of TikTok within the US.

Potential Ban

US Senators introduced the RESTRICT Act in March 2023, which would provide the US government with additional powers to ban foreign technologies. If the US government collectively decides to proceed with a blanket ban on TikTok, then careful and deliberate action should be taken with regard to its implementation. Various national governments, including the US, have taken the step of banning the TikTok mobile app from government devices. Notably, India has gone further with a complete nationwide ban of TikTok, in addition to 58 other Chinese apps. A nationwide ban of a mobile app is without precedent in the United States, although the US has banned products and services from Huawei and ZTE in the past, citing national security risks. If the ban route is ultimately chosen, then the US government should thoroughly review the experiences of other countries that have banned TikTok to help inform how best to proceed.

There may be backlash against an outright ban of TikTok in the US. It will almost certainly be unpopular amongst the nation’s youth, who are very accustomed to using the app. Moreover, TikTok has 150 million users in the US, according to TikTok itself. Google and Apple may be forced to remove the app from their respective marketplaces. If these two companies take the further step of remotely uninstalling the app from user devices, users may try to circumvent the ban and find alternative means of accessing TikTok beyond simply using a VPN.

Some users may try to “sideload” TikTok onto their mobile device, which involves installing an app from outside an official app marketplace. Sideloading is a much greater risk on Android devices than on iOS devices, as iOS has non-trivial restrictions that must be circumvented in order to sideload apps. Malicious actors may readily supply malware apps claiming to be the authentic TikTok app to fill the void. Installing apps from outside an official app store weakens a device’s overall security posture, as such apps may not have undergone any security vetting process. This risk is compounded when sideloading is performed by users who do not have a thorough understanding of security.

Conclusion

It is currently unclear how the situation will unfold from here, and it seems unproductive to speculate on what will occur next. It is possible that a compromise is reached between the US and TikTok, or that the app is banned outright within the US. Either way, TikTok seems likely to remain in your newsfeed.
