What is TikTok?
Over the last decade, our culture has been shaped by free social media platforms that are only a few clicks or taps away. With tech industry leaders like Google, Facebook, and Twitter all providing powerful methods of communication and outreach, users should ask how such a service can be free. As these platforms have become part of everyday entertainment and news cycles, it has become commonly accepted that they collect personal data for things like marketing and advertising. Now, however, there is a new contender in the social media world that is making a record-breaking run at being the least secure and most intrusive application on the market. Welcome, TikTok.
TikTok is a social media platform on which its 800 million users upload and interact with short videos, ranging from choreographed dances to quick comedy bits. It is developed and operated by ByteDance, headquartered in Beijing, and its users view about 1 billion videos per day.
So, from a security perspective, what makes TikTok different from other social media platforms that collect heaps of user data, like Facebook and Twitter? A Reddit user, u/bangorlol, who describes himself as “a nerd who figures out how apps work for a job,” claims to have reverse engineered the app. He prefaced his findings by describing TikTok as a “data collection service that is thinly-veiled as a social network,” and later bluntly labeled it “malware.”
Right off the bat, u/bangorlol explains that, like many other social media apps, TikTok collects almost all available information about the device on which it is installed. What makes TikTok different, he says, is that the app is engineered to prevent you from finding out exactly what it is collecting: he claims its analytics requests use an encryption method that changes frequently, hiding any information that could hint at what is being collected.
On top of the app's efforts to hide what it collects, there is a slew of technical security weaknesses that have damaged its reputation. For starters, until recently TikTok did not use HTTPS for communication with its REST API. Sending that traffic in cleartext exposes user information, such as emails, full names, and encrypted passwords, to anyone on the network path (a shared Wi-Fi network, a rogue hotspot, an ISP), who can read or tamper with it through a simple man-in-the-middle (MITM) attack.
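To make the cleartext point concrete, here is an added example (not code from the original post, from TikTok or from ByteDance) that parses a request payload the way a passive on-path observer would and pulls out the sensitive fields. The hostnames, paths, field names and values are constructed for the example and are not TikTok's real API or data; the TLS bytes are the first bytes of a constructed ClientHello record, included to show that the same observer gets nothing usable once the request goes over HTTPS.

```python
"""Added example, not code from the original post, from TikTok or from ByteDance.

It shows what an on-path observer (same Wi-Fi, a rogue hotspot, an ISP) gets
from the TCP payload of a cleartext HTTP API call, versus a TLS-protected one.
Every hostname, path, field name and value below is constructed for the
example; none of it is TikTok's real API or data.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Field names an analyst would flag if they show up in the clear on the wire.
SENSITIVE_KEYS = {"email", "full_name", "name", "password", "passwd", "pwd",
                  "token", "session_id"}

REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]{3,7}) (?P<target>\S+) HTTP/1\.[01]\r\n")


def build_http_post(host, path, form):
    """Build the bytes a client puts on the wire for a form-encoded HTTP/1.1 POST."""
    body = urlencode(form).encode()
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body


def recover_sensitive_fields(payload):
    """Return {field: value} for sensitive parameters readable from one request payload.

    Returns None when the payload is not parseable HTTP, which is all a passive
    observer sees once the same request goes over TLS.
    """
    m = REQUEST_LINE.match(payload)
    if m is None:
        return None
    head, _, body = payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()

    # Query-string parameters are exposed exactly like the body is.
    sources = [urlsplit(m.group("target").decode("latin-1")).query]
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        sources.append(body.decode("latin-1"))

    found = {}
    for src in sources:
        for key, values in parse_qs(src).items():
            if key.lower() in SENSITIVE_KEYS:
                found[key] = values[0]
    return found


# Constructed sample 1: a login POST over plain HTTP. Whether or not the client
# pre-hashes the password, the observer receives exactly what the server does.
CLEARTEXT_LOGIN = build_http_post(
    "api.example-social.invalid", "/api/v1/login",
    {"email": "alice@example.invalid", "full_name": "Alice Doe", "password": "hunter2"},
)

# Constructed sample 2: a GET that leaks identifiers through the query string.
CLEARTEXT_PROFILE = (
    b"GET /api/v1/profile?session_id=abc123&email=bob%40example.invalid HTTP/1.1\r\n"
    b"Host: api.example-social.invalid\r\n\r\n"
)

# Constructed sample 3: the first bytes of a TLS 1.2 ClientHello record (content
# type 0x16, version 0x0303). After the switch to HTTPS, records like this and
# encrypted application data are all the observer ever sees.
TLS_CLIENT_HELLO = bytes.fromhex("160303004c010000480303") + bytes(32)


if __name__ == "__main__":
    for label, payload in [("login POST", CLEARTEXT_LOGIN),
                           ("profile GET", CLEARTEXT_PROFILE),
                           ("TLS record", TLS_CLIENT_HELLO)]:
        print(f"{label:12s} -> {recover_sensitive_fields(payload)}")
```

The fix on the app side is not just switching the URLs to `https://`: on Android the network security configuration can set `cleartextTrafficPermitted="false"` so that any leftover plain-HTTP call fails rather than silently leaking, and the same scanner logic above, run over captured traffic from a test device, is a quick way to confirm that nothing sensitive is still going out in the clear.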
On some Android versions of TikTok, a section of code was discovered that allowed the app to download a remote zip file, unzip it, and execute the code it contained. Not only is this explicitly against Google Play Store policy, it is a capability a social network has no legitimate need for, and one that effectively lets whoever controls the server push arbitrary code to the device after the app has passed review.
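The download-unzip-load pattern is easy to spot once the app has been decompiled, so here is an added example (not code from the original post, from TikTok or from ByteDance) of the static check a reviewer would run over decompiled sources such as jadx output. The two Java snippets inside it are constructed illustrations with made-up package, class and method names, one showing the suspicious combination and one showing an ordinary network call that should not be flagged.

```python
"""Added example, not code from the original post, from TikTok or from ByteDance.

A static check an app reviewer can run over decompiled Android sources (for
example jadx output) to flag the download -> unzip -> load-code pattern the
post describes. The Java snippets below are constructed illustrations with
made-up package, class and method names, not TikTok's code.
"""
import re

# Each indicator is a real Android/Java API; the comment says why it matters here.
INDICATORS = {
    "DexClassLoader":         re.compile(r"\bDexClassLoader\b"),         # loads dex/jar/apk from any path
    "InMemoryDexClassLoader": re.compile(r"\bInMemoryDexClassLoader\b"), # loads a dex buffer from memory
    "PathClassLoader":        re.compile(r"\bPathClassLoader\b"),        # also loads code from a given path
    "System.load":            re.compile(r"\bSystem\.load\("),           # native library from an explicit path
    "Runtime.exec":           re.compile(r"Runtime\.getRuntime\(\)\.exec\("),  # spawns a process
    "ZipInputStream":         re.compile(r"\bZipInputStream\b"),         # unpacks a downloaded archive
    "ZipFile":                re.compile(r"\bZipFile\b"),
    "HttpURLConnection":      re.compile(r"\bHttpURLConnection\b"),      # fetches the payload
}
CODE_LOADERS = {"DexClassLoader", "InMemoryDexClassLoader", "PathClassLoader",
                "System.load", "Runtime.exec"}
ARCHIVE_APIS = {"ZipInputStream", "ZipFile"}
NETWORK_APIS = {"HttpURLConnection"}


def scan_source(text):
    """Return {indicator: [line numbers]} for each indicator found in one source file."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def looks_like_remote_code_loader(hits):
    """Heuristic: network fetch + archive handling + a runtime code loader in one file.

    Any one of these alone is common in benign apps; the combination is what
    a reviewer should read by hand.
    """
    present = set(hits)
    return bool(NETWORK_APIS & present) and bool(ARCHIVE_APIS & present) and bool(CODE_LOADERS & present)


# Constructed: the suspicious pattern (hypothetical names, not from any real app).
SUSPECT_SOURCE = """\
package com.example.hypothetical;

public final class PluginUpdater {
    void update(Context ctx, String url) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        File zip = new File(ctx.getCacheDir(), "plugin.zip");
        copyStream(c.getInputStream(), new FileOutputStream(zip));
        File out = new File(ctx.getCacheDir(), "plugin");
        try (ZipInputStream zis = new ZipInputStream(new FileInputStream(zip))) {
            extractAll(zis, out);
        }
        DexClassLoader loader = new DexClassLoader(new File(out, "plugin.jar").getPath(),
                ctx.getCodeCacheDir().getPath(), null, ctx.getClassLoader());
        Class<?> entry = loader.loadClass("com.example.hypothetical.PluginEntry");
        entry.getMethod("run", Context.class).invoke(null, ctx);
    }
}
"""

# Constructed: a benign network call that downloads JSON, not code.
BENIGN_SOURCE = """\
package com.example.hypothetical;

public final class FeedClient {
    String fetchFeed(String url) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        return readAll(c.getInputStream());
    }
}
"""


if __name__ == "__main__":
    for label, src in [("PluginUpdater", SUSPECT_SOURCE), ("FeedClient", BENIGN_SOURCE)]:
        found = scan_source(src)
        print(label, found, "-> REVIEW" if looks_like_remote_code_loader(found) else "-> ok")
```

In practice you would glob every `.java` file under the decompiler's output directory and run `scan_source` on each; a file that trips `looks_like_remote_code_loader` is where to start reading, and the line numbers tell you where the fetched archive ends up and what is eventually handed to the class loader.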
What Else is Wrong?
With every social media platform collecting data at some level, what makes TikTok stand out as the bad guy? Facebook, Twitter, Instagram, and many other popular platforms are US-based companies that, within the law, operate free of government control. TikTok is owned by a Chinese company that operates under, and must cooperate with, the Chinese Communist Party (CCP). This has led to talk from the President of banning TikTok in the US, and to government agencies and public companies alike banning TikTok from work devices. Amazon went as far as banning TikTok from any device signed into a company email account.
Let's say you are fine with TikTok's security risks and with the blatant collection of data and its handing over to the CCP; are there any other compelling reasons to abandon the platform? If TikTok keeps getting away with this level of data collection while its user base grows, it may set a dangerous precedent for other social media platforms to begin gathering data at TikTok's level. Right now, TikTok has a leg up on platforms like Facebook and Twitter. Even with the bad press of the last few weeks and a ban in India, the app is still growing and maintaining its high active user and interaction numbers. That sends a powerful message to rival platforms: they can get away with more intrusive data collection and still keep growing.
This post was written just before President Trump's executive order (6 August 2020) to ban TikTok in 45 days unless it is bought by a non-Chinese company. In the week prior to writing, there were reports that Microsoft was interested in buying TikTok from ByteDance. Around the time the executive order was announced, competitor platform Instagram released Reels, which mimics TikTok's functionality with quick navigation of 15-second videos and is directly accessible from the Instagram app.