In the last year or so, it seems that the TikTok app has been everywhere. Popular with teens, celebrities, and influencers, it lets users create and upload short-form videos (up to 15 seconds, or a sequence of four 15-second videos for 60 seconds) on any topic. It has become famous for its ‘challenges,’ dance videos, lip-syncing, and duets, where you film yourself side by side with another performer. Fun, whimsical, and addictive, it is easy to understand how this app was the second most popular free app download in 2019 (combining downloads from Google Play and the Apple App Store).[1] Thanks to its unique algorithm, it also has a higher engagement rate per post than Twitter and Instagram, making it a must for celebrities, companies, and social media stars looking to grow their brands.[2] However, alongside its addictive glitziness, TikTok has also been the subject of several concerns about data privacy and security. These have led to it being banned in India, and to its use being disallowed for US and Australian military and government personnel. In the private sector, Amazon shifted its policy on its employee ban of TikTok, while banking giant Wells Fargo instructed its employees to remove the app from its devices.
Short Background on TikTok
TikTok first appeared in 2017, a year after its sister app, Douyin, was launched in China. The company responsible for both, ByteDance, based in Beijing, intended TikTok for markets outside China. However, it did not become available for download in the US until 2018, when ByteDance acquired a four-year-old company called “Musical.ly,” a social media lip-syncing app that was growing rapidly among teens in the United States.
At the time of the acquisition, Musical.ly had raised $150 million USD from many top Silicon Valley venture capital firms, and the app had over 200 million users.[3] Founded by longtime friends Alex Zhu and Luyu Yang, the startup was based in Beijing with an overseas presence in Santa Monica, California when it was acquired by Toutiao, the machine-learning personal recommendation platform whose parent company is ByteDance.[4] The idea for Musical.ly came to Zhu while riding Caltrain from San Francisco to Mountain View, when he observed some young teens snapping photos decorated with emojis while listening to music.[5]
Although TikTok and Douyin are separate entities and run on different servers to comply with Chinese censorship laws, the fact that TikTok is owned by a Chinese company has raised concerns among authorities and security professionals in many countries. There have also been allegations that the company has cooperated with the Chinese government in matters of censorship on the platform.[6]
TikTok’s parent company, ByteDance, is headquartered in Beijing and was founded by entrepreneur Zhang Yiming. The private company last reported $17 billion in revenue in 2019. It is one of the most valuable companies in the world, with various estimates valuing this massive unicorn at anywhere from $75 billion to $180 billion. The company has raised venture backing from firms such as SoftBank, KKR, and Sequoia.[7]
Data Harvesting at Scale & A Few Words of Caution
Of course, the average user probably has more interest in the next celebrity stunt video than in international politics or cybersecurity. Should the everyday user give thought to whether TikTok has been collecting and storing masses of data about all of its users? Considering that many of its users are teens (possibly your son, daughter, or grandchildren), we believe it is important that, as adults, we maintain a healthy degree of debate and awareness about this fast-growing app. Some might shrug and say that data collection is nothing new for social media platforms. It should come as no surprise, however, that since the initial acquisition of Musical.ly by Toutiao (the news aggregator operated by Beijing ByteDance Technology), an AI-built engine has analyzed user-created content at scale. There is nothing wrong with good engineering and machine learning at scale. As a side bar, it is also a great entrepreneurial story of two young guys whose journey from China to the San Francisco Bay Area, through various iterations and pivots, landed a $1 billion exit.
With respect to data aggregation and leveraging user-generated content, this seems fairly standard for social media applications, most of which take user inputs and apply machine learning techniques (possibly including facial recognition as a data point) to generate precise recommendations based on user preferences. All of them, including Facebook, Twitter, LinkedIn, Instagram, and Snapchat, collect personal data and analytics. There are also hundreds of sites, from companies that operate data brokerage services to companies such as Clearview AI that scrape the public web to build a massive database of billions of photos. Data, as it is often remarked, is the new oil. Here is the rub: there is always more than meets the eye, both good and bad. While we will not do justice to evaluating the merits of any of these apps, the point of this piece is to bring into awareness what is publicly known in the English-language press. I’m sure it will be biased, as our team is not readily reviewing the Chinese-language press. Information is constantly updated, and journalists and security researchers the world over, I’m sure, will continue to bring new developments to our attention as they arise. The same goes for TikTok. The fog of politics, the geopolitical kind, might complicate this story, but we hope this article is a fair evaluation attempting, at the very minimum, to bring some degree of conscious awareness to this fluid situation.
A User on Reddit named Bangorlol
Two months ago, a user on Reddit who goes by the name of Bangorlol posted in a thread. During a conversation about TikTok, he claimed to have reverse-engineered the app and proceeded to share what he found. He listed the sort of information collected from every user of TikTok:
- ‘Phone hardware (CPU type, number of cores, hardware ids, screen dimensions, dpi, memory usage, disk space, etc.)’
- ‘Other apps you have installed (I’ve even seen some I’ve deleted show up in their analytics payload – maybe using as cached value?)’
- ‘Everything network-related (IP, local IP, router mac, your mac, wifi access point name)’
- ‘Whether or not you’re rooted/jailbroken.’
- ‘Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds – this is enabled by default if you ever location-tag a post IIRC.’
- ‘They set up a local proxy server on your device for ‘transcoding media,’ but that can be abused very easily as it has zero authentication.’[8]
He also said that the most concerning thing for him was that the majority of the logging could be remotely configured. The app also contained several protections and obstacles to prevent people from either reversing or debugging the code. It was only because his work involved ‘reversing mobile applications, analyzing how they work, and building third-party functionality around them,’ that he was able to find out what the app was up to, although he admitted that the process was both ‘complicated and annoying.’[9]
In addition, Bangorlol discovered that the Android version of TikTok contained some snippets of code that could facilitate the downloading and execution of a remote zip file – a sinister addition unrelated to the functionality of the app.
Illegal Collection of Children’s Data
Children are supposed to be thirteen before they can use TikTok, but undoubtedly younger children have access to it as well. This has raised grave questions about the app’s collection of data from these minors, as well as where that data ends up. In 2019, TikTok was fined $5.7 million by US authorities for illegally collecting personal information from children. Similar action is now being examined in Europe, with a task force set up by the European Data Protection Board (EDPB) to determine whether TikTok has transgressed the General Data Protection Regulation (GDPR) by transferring the data of minors to countries outside the EU.[10]
Parents have also been concerned that some of the content on the app, such as song lyrics and suggestive videos, is inappropriate for children, even those over the age of thirteen. Answering those concerns, TikTok stated that a separate app for younger users would be available and that it would address both content and privacy concerns. However, at the moment, this only seems to be accessible in the US. Despite these attempts to mollify authorities, in May another complaint was made against TikTok by 20 child advocacy and consumer organizations, alleging that the company was still in violation of the US federal law known as the Children’s Online Privacy Protection Act (COPPA). The complaint alleges that TikTok has still not destroyed videos of minors dating from before the $5.7 million fine, as the company had promised to do. Another accusation asserts that TikTok ‘incentivizes’ young users to give a false age so as to access the over-13 app instead of the younger users’ version. A decision on this matter is still pending as of this post.
TikTok has said that it is happy to cooperate with the EDPB and has taken several steps to improve its public relations, including hiring the well-respected cybersecurity expert Roland Cloutier. It has also insisted that all of the data it collects from countries outside China is stored in the US and that the Chinese government has no access to it.
Furthermore, in the past year, to address these rising concerns, mounting pressure from Congress, and requests for review of the Musical.ly acquisition under the auspices of CFIUS (the Committee on Foreign Investment in the United States), ByteDance hired Special Counsel, an e-discovery and legal services firm, to analyze the company’s data collection practices during the summer of 2019. Douglas Brush, who at the time was the VP of Cybersecurity Solutions for Special Counsel, concluded that “data about TikTok users, including their videos, names, dates of birth and other information, was stored exclusively on computer servers in Virginia and Singapore … [and that] his team found no way TikTok could send data to China.”[11] However, in its privacy policy, last updated in January 2020, TikTok also states that information can be shared within its corporate group – ‘a parent, subsidiary, or other affiliate.’[12] This would include ByteDance, which, with its headquarters in Beijing, would be obliged to share information with the Chinese government if required.
Clipboard Copying
TikTok seems to have a habit of owning up to things and fixing them once they are discovered and brought to public scrutiny. In March, after Apple users updated to iOS 14, they observed a banner warning them whenever an app read the contents of their universal clipboard. Several apps were caught snooping in this manner, but the one that caught the most attention, due to its massive user base, was TikTok. It appeared to users that the app was reading the clipboard contents every three to four keystrokes, which inevitably caused a great deal of worry.
When approached by Forbes for an explanation, TikTok’s owner said that the problem had been caused by the integration of the Google Ads SDK and that it would be removed in the next update. However, despite ByteDance’s promises, TikTok users still got the same warnings about the clipboard being accessed. This time, TikTok responded that the access was caused by new anti-spam technology it was using to stamp out spammy messages and bots. Once again, the company promised a fix, and, as of June 27, it seems to have finally solved the issue. As for the content that had been read previously, the company insists that the data never left the user’s device.[13]
Insecure Data Transfers
Unlike most other modern apps, which use HTTPS to transfer data, TikTok still uses unencrypted HTTP for some traffic, which puts the security of users’ data at risk. It comes down to the app’s CDN (content delivery network). CDNs are used by all social media apps with a large user base, but unlike the other platforms, TikTok’s CDN still serves content over HTTP, as that makes data transfer easier and quicker. The trouble with HTTP is that anyone positioned on the network path between the app and the CDN can read the traffic. Security researchers Tommy Mysk and Talal Haj Bakry showed that a router placed between the TikTok app and TikTok’s CDN could easily intercept traffic, including videos, profile photos, and video stills.[14]
If that isn’t bad enough, HTTP is also susceptible to a ‘man-in-the-middle’ attack, since plain HTTP gives the app no way to detect tampering with the content it receives. In other words, an attacker on the path could swap a genuine photo or video for something more sinister, such as offensive content or propaganda. If this were done on a celebrity or influencer profile, the substituted content could be seen by hundreds of thousands of people before being removed. Google and Apple already require most apps to use HTTPS, but both platforms allow exceptions for backward compatibility, and TikTok has used this as a loophole.[15]
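The backward-compatibility exceptions mentioned above correspond to two concrete platform settings: Apple’s App Transport Security (ATS) keys in an app’s Info.plist and Android’s Network Security Config XML. What follows is an added example, not code from this article or from TikTok or ByteDance, showing how an app-security reviewer can audit both files for cleartext (HTTP) exceptions before a release. The two sample documents and the host cdn.example.invalid are constructed for illustration and do not describe any real app.

```python
"""Audit mobile app transport-security settings for cleartext (HTTP) exceptions.

Added example, not code from the original article. It inspects the two platform
mechanisms that let an app bypass HTTPS-by-default: Apple's App Transport
Security dictionary in Info.plist and Android's Network Security Config. The
sample documents below are constructed for illustration only.
"""
import plistlib
import xml.etree.ElementTree as ET

# Constructed sample: Info.plist whose ATS exceptions allow plain HTTP for one CDN host.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>cdn.example.invalid</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSIncludesSubdomains</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed sample: Android network_security_config.xml with a cleartext domain exception.
SAMPLE_NETWORK_SECURITY_CONFIG = b"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">cdn.example.invalid</domain>
  </domain-config>
</network-security-config>
"""


def ios_cleartext_findings(plist_bytes):
    """Return a list of findings for ATS settings that permit plain HTTP loads."""
    findings = []
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    # A global opt-out disables ATS for every host the app talks to.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("global: NSAllowsArbitraryLoads is true (all HTTP allowed)")
    # Per-domain exceptions are the narrower "backward-compatibility" loophole.
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            scope = "and subdomains" if rules.get("NSIncludesSubdomains") else "exact host"
            findings.append(f"{host}: NSExceptionAllowsInsecureHTTPLoads ({scope})")
    return findings


def android_cleartext_findings(xml_bytes):
    """Return a list of findings for Network Security Config cleartext permissions."""
    findings = []
    root = ET.fromstring(xml_bytes)
    base = root.find("base-config")
    # The platform default depends on targetSdkVersion; an explicit "true" is always a finding.
    if base is not None and base.get("cleartextTrafficPermitted", "").lower() == "true":
        findings.append("base-config: cleartextTrafficPermitted is true (all HTTP allowed)")
    for cfg in root.findall("domain-config"):
        if cfg.get("cleartextTrafficPermitted", "").lower() != "true":
            continue
        for dom in cfg.findall("domain"):
            subs = dom.get("includeSubdomains", "").lower() == "true"
            scope = "and subdomains" if subs else "exact host"
            findings.append(f"{dom.text.strip()}: cleartextTrafficPermitted ({scope})")
    return findings


if __name__ == "__main__":
    # Run the audit over the constructed samples and print a short report.
    for label, findings in (("iOS", ios_cleartext_findings(SAMPLE_INFO_PLIST)),
                            ("Android", android_cleartext_findings(SAMPLE_NETWORK_SECURITY_CONFIG))):
        print(f"{label}: {'no cleartext exceptions' if not findings else ''}")
        for item in findings:
            print(f"  - {item}")
```

Each finding names the host and the scope of the exception, which is the information a reviewer needs to decide whether the CDN in question can simply be moved to HTTPS or whether a pinning or signing control is required in the interim. An empty list from both functions is the expected result for an app that does not rely on the loophole.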
Other security vulnerabilities allowing malicious hackers to abuse users’ accounts were discovered last November by security researchers at Check Point. The first of these involved a spoofed SMS message containing a link inviting the recipient to download the application; the link instead directed the potential user to a malicious website.[16] Using Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF), the researchers found it was also possible to send requests on behalf of the user, take partial control of their account, and access sensitive information. To their credit, TikTok took the findings seriously and had fixed the flaws by December.
Concerning the HTTP issue, a TikTok spokesman responded to our request asking whether the company was moving its platform to HTTPS with the following:
“In recent weeks there have been a number of claims made on the Internet about TikTok’s security practices, including some claims that were made anonymously. We take these claims seriously and are in the process of conducting a full review and have determined that many of them are inaccurate or reflect analysis of older versions of the app that in some cases are years out of date.
Our Chief Information Security Officer, Roland Cloutier, has published detailed accounts of some of the unsubstantiated accusations against TikTok. As part of our overall approach to security, our information security team runs a continuous process to check for security vulnerabilities and fix them. We include world-class security firms in these assessments.
TikTok is committed to respecting the privacy of our users and being transparent with our community and security experts about how our app works. We are constantly striving to stay ahead of evolving security challenges, and we encourage our users to use the latest version of TikTok so that they can enjoy the best experience possible.”
The ‘detailed accounts’ by Roland Cloutier alluded to above are part of ‘TikTok’s Security and Data Privacy Roadmap,’ which promises future security initiatives such as ‘cyber defense and user-data access assurance, digital crimes, insider threat, cyber-threat intelligence, and risk management.’[17] However, there was no specific mention of a change to HTTPS within the document.
In Conclusion
With TikTok’s flaws constantly in the headlines and the ban by the Indian government, it appears that ByteDance is worried about the negative attention the app is attracting. With the appointment of Cloutier, and a promise to review its security processes and infrastructure, the company does appear to be trying hard to improve its image. On the other hand, it is still an inescapable fact that the parent company is Chinese and therefore subject to the edicts of that regime, as evidenced by several accusations of content censorship. In many ways, it is stuck between two worlds and trying to respond to both. How it will resolve this dilemma remains to be seen. In the meantime, it is unlikely that TikTok’s loyal user base is going to care too much about what is happening to their data, or whether their uploads are secure, just as long as the entertainment keeps flowing and they gain more followers. No matter how you slice and dice it, it is still early days in this massively successful viral climb to the top of the download charts worldwide. While some have dumped the app, many active users are still clamoring to become TikTok famous. If the app were to be banned in the US, users would just flock to the next popular video-sharing platform, such as Byte (unrelated to ByteDance), which has seen record downloads in light of all this uncertainty around TikTok. Byte was launched by a Vine co-founder; Vine itself was once the most downloaded app in the iOS App Store, in 2013. Interestingly, Vine was one of the original short-form video platforms, offering 6-second videos, and it boasted over 200 million active users. Twitter acquired the app for $30 million in 2012, and by late 2016 Vine announced it would be discontinuing the mobile app.[18]
What do you think? Is this app a ticking time bomb or a gold mine? Perhaps even both. Content creators, brands, and Madison Avenue are buzzing over TikTok’s reach, while at the same time concerns mount from a security and political standpoint. For those too young or too late to have capitalized on the early days of YouTube, the timing of TikTok has given birth to an entirely new cadre of TikTok celebrities and influencers. And for the millions that follow entrepreneur Gary Vaynerchuk, he has been bullish on TikTok for years. There are content creators on the TikTok platform amassing millions of followers literally overnight, and brands are doling out six- and seven-figure contracts to engage with them. Surely there is nothing wrong with creatives expressing their creative talents and getting financially rewarded. But of course, when you become the biggest player in the market in a highly political environment, your security posture (and everything else you do) will be magnified a thousand times. It’s complicated, but we think a good debate about TikTok, or for that matter any social media platform, and the role it plays in today’s political economy, is healthy.
——-
[1] ‘50 TikTok Stats That Will Blow Your Mind [updated 2020],’ Influencer Marketing Hub, 06/24/2020, accessed at https://influencermarketinghub.com/tiktok-stats/
[2] Ibid.
[3] ‘Musical.ly, Apple Music Ink New Partnership, With More to Come,’ Billboard, accessed at https://www.billboard.com/articles/business/7776302/musically-apple-music-partnership
[4] Liza Lin and Rolfe Winkler, ‘Social-Media App Musical.ly Is Acquired for as Much as $1 Billion,’ The Wall Street Journal, accessed at https://www.wsj.com/articles/lip-syncing-app-musical-ly-is-acquired-for-as-much-as-1-billion-1510278123?tesla=y
[5] Paige Leskin, ‘The life of TikTok head Alex Zhu, the Musical.ly cofounder in charge of Gen Z’s beloved video-sharing app,’ Business Insider, accessed at https://www.businessinsider.com/tiktok-head-alex-zhu-musically-china-life-bio-2019-11
[6] Anna Fifield, ‘TikTok’s Owner is Helping China’s Campaign of Repression in Xinjiang, Report Finds,’ The Washington Post, 11/28/2019, accessed from the web archive at https://web.archive.org/web/20191128183415/https://www.washingtonpost.com/world/tiktoks-owner-is-helping-chinas-campaign-of-repression-in-xinjiang-report-finds/2019/11/28/98e8d9e4-119f-11ea-bf62-eadd5d11f559_story.html
[7] Sam Shead, ‘TikTok owner ByteDance reportedly made a profit of $3 billion on $17 billion of revenue last year,’ CNBC, accessed at https://www.cnbc.com/2020/05/27/tiktok-bytedance-profit.html#:~:text=Founded%20in%202012%20by%20entrepreneur,start%2Dup%20in%20the%20world.
[8] Rokas Laurinavičius and Ilona Baliūnaitė, ‘Guy Who Reverse-Engineered TikTok Reveals the Scary Things He Learned, Advises People to Stay Away From It,’ Boredpanda, 06/26/2020, accessed at https://www.boredpanda.com/tik-tok-reverse-engineered-data-information-collecting/?utm_source=lnkd&utm_medium=referral&utm_campaign=organic
[9] Ibid.
[10] Guan Cong and Denise Jia, ‘EU to Probe TikTok’s Data Processing and Privacy Policies,’ Nikkei Asian Review, 06/12/2020, accessed at https://asia.nikkei.com/Spotlight/Caixin/EU-to-probe-TikTok-s-data-processing-and-privacy-practices
[11] Debra Kaufman, ‘US Investigates TikTok App Based on Security Concerns,’ ETCentric, accessed at https://www.etcentric.org/u-s-investigates-tiktok-app-based-on-security-concerns/
[12] Privacy Policy (How we share your information), TikTok, 01/01/2020, accessed at https://www.tiktok.com/legal/privacy-policy?lang=en
[13] Ibid.
[14] Talal Haj Bakry and Tommy Mysk, ‘TikTok Vulnerability Enables Hackers to Show Users Fake Videos,’ Mysk Blog, 04/13/2020, accessed at https://www.mysk.blog/2020/04/13/tiktok-vulnerability-enables-hackers-to-show-users-fake-videos/
[15] Ibid.
[16] Lindsey O’Donnell, ‘TikTok Riddled With Security Flaws,’ Threatpost, 01/08/2020, accessed at https://threatpost.com/tiktok-riddled-with-security-flaws/151616/
[17] ‘Updates on Our Security Roadmap,’ TikTok Newsroom, accessed at https://newsroom.tiktok.com/en-us/updates-on-our-security-roadmap
[18] ‘Vine is now the number one free app in the US App Store,’ The Verge, accessed at https://www.theverge.com/2013/4/9/4204396/vine-number-one-us-app-store-free-apps-chart; ‘Why Vine Died,’ The Verge, accessed at https://www.theverge.com/2016/10/28/13456208/why-vine-died-twitter-shutdown
SAYA University is the multi-lingual “Netflix of cybersecurity” that produces original e-learning programming in a variety of languages. SAYA University is on a global mission to ensure every employee in the world has access to the tools that will heighten cybersecurity knowledge. When a company is serious about protecting its organization against cyber-attacks, it will invest in cybersecurity learning for all its employees. With over 7 billion people on planet Earth, we have a lot of work to do. Our multi-language e-learning platform offers the world’s most cutting-edge knowledge in cybersecurity, data privacy, and compliance, all in one place.