If I had to be honest with myself, I would tell you today that I would never have imagined doing a post about this. Not in a million years. For one, this isn’t a platform that I’m entirely interested in, with the exception of when my kids pull me in to see what they have done, but two, this situation stinks of political retribution wrapped under the guise of national security. I will preface this post with a quick disclaimer that my blog is not intended to be a political statement but only an observation from an IT Security perspective.
So What’s The Fuss About TikTok?
In recent weeks, reports from the IT Security Community have surfaced that a popular short-form video app called TikTok may be collecting excessive and potentially unusual user data. A user by the name of bangorlol posted their findings on Reddit, which included collection of the history of apps installed and uninstalled on a user’s phone, GPS data, and a determination of whether the device is rooted or jailbroken. Possibly most disturbing is the discovery that the app has the ability to turn the device into a proxy server, zip (or compress) files and send that unknown data to an unknown source.
I’m not gonna lie, but that seems like overreaching for a social media app predominantly catering to children. Why any app would need to set up a device as a proxy server is beyond me and reeks (in my opinion) of malware. For those that do not know, a proxy server is like a separate computer (or node) that is designed to mask computer connections of those who send traffic to it.
Think of a classroom of kids sending pen pal letters to a nursing home. Each kid represents a computer (or node), the letter is the connection request with the message and the package with all the letters is the proxy server. The package shields the kids from showing their home address by only utilizing the school’s address with the attention of the teacher. When the elderly respond back, they send it to the school (the proxy), protecting the confidentiality of the student.
The problem with this approach is that it can be used for nefarious purposes as well. With the connection open on the device, a user could simply send a malicious message or command to the phone in the background, unbeknownst to the user. It could secretly be uploading photos, sending location details, redirecting GPS users from one location to another and more. With a (US) election year coming, I could see the concerns and potential weaponization of this popular app.
How Was This Discovered and Was It Legal?
I couldn’t tell whether this was part of a Bug Bounty program (which we will discuss later) or not, but the researcher advised that they reverse engineered the application to find the data they posted. Reverse Engineering is a method of decompiling software to its source code in an effort to see how the software works or was written. It is a valuable tool, especially in malware analysis.
As for legality, the terms and conditions (TOS) listed on their website restrict users from “mak[ing] unauthorised copies, modify, adapt, translate, reverse engineer[ing], disassemble, decompile or create any derivative works of the Services or any content included therein, including any files, tables or documentation (or any portion thereof) or determine or attempt to determine any source code, algorithms, methods or techniques embodied by the Services.”
In layman’s terms, it is against the TOS of the application for users. However, as I foreshadowed in my opening comments of this section and based on the length of time the researcher suggested they worked on this, it may be possible that they reported these concerns under TikTok’s Bug Bounty Program.
Don’t Freak Out TikTok, It’s Just A Bug
When this story first broke, the first thing I wanted to know was whether or not TikTok had a Bug Bounty Program. The public disclosure kind of felt as if this was the case, so I did some digging. When I visited TikTok’s website, I could not immediately find any section in their footer directing to such a program nor was there any verbiage in their TOS which pointed me in the right direction.
To find whether they had a bug bounty program or not, I used an advanced search on Google with “site: tiktok.com bug bounty” in the search field and found something that resembled what I was looking for here. My interpretation of their “program” is that it allows IT Researchers to submit bugs and vulnerabilities directly to the platform with the understanding that the researcher is not allowed to disclose publicly until given authority to do so or after 90 days which is customary for these types of incidents.
Under their FAQs section they have a list of vulnerabilities the researcher can report, including “Exploitable, Dangerous APIs”, “Leaked or hard coded sensitive credentials” and “Using the TikTok application for privilege escalation to attack the mobile operating system” as a few examples. This leads me to believe that the company does allow for reverse engineering for IT Security researchers provided that they abide by the TOS.
Make no mistake, this is a good thing and shows that the company is demonstrating accountability. Why? Because Bug Bounty programs in general serve two purposes in my eyes.
When a company has a Bug Bounty program in place, they are telling their users and community that they will be held accountable and address any security flaws and bugs as they are found. Furthermore they will allow the researcher to publish their findings publicly increasing not only transparency but also confidence in their user base (or in many cases, the parents).
The other is that when a vulnerability is discovered and reported to the company, this puts them on a 90-day clock to fix the issue or face public backlash that this has been persistent for more than 90 days. This means if they don’t want to negatively impact their business or stock, they have to be serious about everything being reported.
So I guess the million dollar question is: why is this code in here, and why is everyone in such a big uproar? I have my theories.
I will be the first to admit, I do not fully know the history of TikTok but from what I’ve gathered, it is owned by a company called ByteDance, Ltd based out of Shanghai, China. Their subsidiaries including TikTok, Lark Technologies Ltd and Lemon Inc have offices across the world including in Singapore, Japan, UK and most notably due to recent events, the United States (US).
It is no secret that China and the United States have a complicated relationship especially when it comes to Intellectual Property. Far beyond the scope of this post (or interest) but the fact that the app is owned by a Chinese company, targets kids and secretly collects data in a fashion that would make Six Degrees of Kevin Bacon blush, is not a good look.
Given the public statements provided by the executives of the company and the fact that they have a bug bounty program in place, my gut is telling me that either they developed the app in-house and forgot to remove their tools or they outsourced the development to a 3rd party and may not have done their due diligence to ensure that the code was free of any backdoors or sketchy code.
Although it does not relieve them of their responsibility if the latter is true, it would go a long way to their credibility and assurance that this was not intentional. It could also pose more rabbit hole questions, so it is unlikely we will get an answer as to why it was truly there to begin with.
The Political Landscape
In retrospect, the crazy thing about this whole situation is that things didn’t really catch fire in the United States until the users of TikTok decided to get active in their political beliefs and stage a massive protest against the current sitting President by sabotaging one of his rallies in Tulsa, Oklahoma.
As I stated earlier, this researcher posted their findings roughly three months ago with some refinements in between. It had already been public knowledge that some other countries in Asia had taken action for similar security reasons but this was not on the agenda of the US government, at least not publicly until after June 20th, 2020.
Now by all means, I’m not saying that this is not a matter of national security. Perhaps it is legitimate, but it’s very hard to rule out that this is not an act of political retribution, especially when the President is levying terms about TikTok paying direct payments to the Treasury department as a part of potential acquisition terms to an American company, Microsoft.
Only time will tell.
Again without a dog in this fight per se, I do not believe TikTok to be the monster they are being portrayed as. I would agree, the discovery of what the app has been doing is unsettling and I hope the company not only owns the situation but is committed to implementing change. In security, we have a saying that you should only have access to the necessary information to get the job done and nothing more.
My other hope is that this spotlight will give TikTok and ByteDance an opportunity to reevaluate their platform as a whole, as there are many questionable users and their content which seemingly preys on the youthful in a creepy manner. As parents, we should be concerned about that but as a company, they really need to look into that further. Perhaps a future blog post?
Oh, and before I go. If you are a content creator on TikTok and are wondering what you should do in the event that the platform ban happens, I would recommend that you see my previous blog post about having a Business Continuity Plan in place as I feel you would find some value in it.