The Case To Ban TikTok In 2020

Sage Knows IT: The Case to Ban TikTok

If I had to be honest with myself, I would tell you today that I would never have imagined doing a post about this.  Not in a million years.  For one, this isn’t a platform that I’m entirely interested in, with the exception of when my kids pull me in to see what they have done, but two, this situation stinks of political retribution wrapped under the guise of national security.  I will preface this post with a quick disclaimer that my blog is not intended to be a political statement but only an observation from an IT Security perspective.

So What’s The Fuss About TikTok?

In recent weeks, reports from the IT Security community have surfaced that a popular short-form video app, called TikTok, may be collecting excessive and potentially unusual user data.  A user by the name of bangorlol posted their findings on Reddit, which included the history of apps installed and uninstalled on a user’s phone, GPS data, a check for whether the device is rooted or jail-broken and, possibly most disturbing, the discovery that the app has the ability to turn the device into a proxy server, zip (or compress) files and send that unknown data to an unknown source.

Post by Security Researcher, bangorlol

I’m not gonna lie, but that seems like overreaching for a social media app predominantly catering to children.  Why any app would need to set up a device as a proxy server is beyond me and reeks (in my opinion) of malware.  For those that do not know, a proxy server is a separate computer (or node) that forwards traffic on behalf of the computers that send it, masking their connections from whoever is on the other end.  

Think of a classroom of kids sending pen pal letters to a nursing home.  Each kid represents a computer (or node), the letter is the connection request with the message, and the package with all the letters is the proxy server.  The package shields the kids from showing their home addresses by using only the school’s address with the attention of the teacher.  When the elderly respond, they send their replies to the school (the proxy), protecting the confidentiality of the student.

The problem with this approach is that it can be used for nefarious purposes as well.  With the connection open on the device, someone on the other end could simply send a malicious message or command to the phone in the background, unbeknownst to the user.  It could secretly be uploading photos, sending location details, redirecting GPS users from one location to another and more.  With a (US) election year coming, I can see the concerns and the potential weaponization of this popular app.

How Was This Discovered and Was It Legal?  

I couldn’t tell whether this was part of a Bug Bounty program (which we will discuss later) or not, but the researcher advised that they reverse engineered the application to find the data they posted.  Reverse engineering is a method of decompiling software back toward its source code in an effort to see how the software works or was written.  It is a valuable tool, especially in malware analysis.

As for legality, the terms and conditions (TOS) listed on their website restrict users from “mak[ing] unauthorised copies, modify, adapt, translate, reverse engineer[ing], disassemble, decompile or create any derivative works of the Services or any content included therein, including any files, tables or documentation (or any portion thereof) or determine or attempt to determine any source code, algorithms, methods or techniques embodied by the Services.”

In layman’s terms, it is against the TOS of the application for users.  However, as I foreshadowed in my opening comments of this section, and based on the length of time the researcher suggested they worked on this, it is possible that they reported these concerns under TikTok’s Bug Bounty Program.

Don’t Freak Out TikTok, It’s Just A Bug

When this story first broke, the first thing I wanted to know was whether or not TikTok had a Bug Bounty Program.  The public disclosure kind of felt as if this was the case, so I did some digging.  When I visited TikTok’s website, I could not immediately find any section in their footer directing me to such a program, nor was there any verbiage in their TOS which pointed me in the right direction.

To find whether they had a bug bounty program or not, I used an advanced search on Google with “site: bug bounty” in the search field and found something that resembled what I was looking for here.  My interpretation of their “program” is that it allows IT researchers to submit bugs and vulnerabilities directly to the platform with the understanding that the researcher is not allowed to disclose them publicly until given authority to do so, or after 90 days, which is customary for these types of disclosures.

Under their FAQs section they have a list of vulnerabilities the researcher can report, including “Exploitable, Dangerous APIs”, “Leaked or hard coded sensitive credentials” and “Using the TikTok application for privilege escalation to attack the mobile operating system” as a few examples.  This leads me to believe that the company does allow reverse engineering by IT Security researchers, provided that they abide by the TOS.

Bug Bounty Program

Make no mistake, this is a good thing and shows that the company is demonstrating accountability.  Why?  Because Bug Bounty programs in general serve two purposes in my eyes.

When a company has a Bug Bounty program in place, they are telling their users and community that they will be held accountable and will address any security flaws and bugs as they are found.  Furthermore, they will allow the researcher to publish their findings publicly, increasing not only transparency but also confidence in their user base (or in many cases, the parents).

The other is that when a vulnerability is discovered and reported to the company, this puts them on a 90 day clock to fix the issue or face public backlash once the disclosure reveals that the flaw has persisted for more than 90 days.  This means that if they don’t want to negatively impact their business or stock, they have to be serious about everything being reported.

So I guess the million dollar question is: why is this code in here, and why is everyone in such a big uproar?  I have my theories.

Subcontracting Anyone?

I will be the first to admit, I do not fully know the history of TikTok, but from what I’ve gathered, it is owned by a company called ByteDance, Ltd based out of Shanghai, China.  Its subsidiaries, including TikTok, Lark Technologies Ltd and Lemon Inc, have offices across the world, including in Singapore, Japan, the UK and, most notably due to recent events, the United States (US).

Organizational Chart

It is no secret that China and the United States have a complicated relationship, especially when it comes to Intellectual Property.  That is far beyond the scope of this post (or my interest), but the fact that the app is owned by a Chinese company, targets kids and secretly collects data in a fashion that would make Six Degrees of Kevin Bacon blush is not a good look.

Given the public statements provided by the executives of the company and the fact that they have a bug bounty program in place, my gut is telling me that either they developed the app in-house and forgot to remove their tools, or they outsourced the development to a third party and may not have done their due diligence to ensure that the code was free of any backdoors or sketchy code.

Although it would not relieve them of their responsibility if the latter is true, it would go a long way toward their credibility and toward assuring people that this was not intentional.  It could also raise more rabbit hole questions, so it is unlikely we will get an answer as to why the code was truly there to begin with.

The Political Landscape

In retrospect, the crazy thing about this whole situation is that things didn’t really catch fire in the United States until the users of TikTok decided to get active in their political beliefs and stage a massive protest against the current sitting President by sabotaging one of his rallies in Tulsa, Oklahoma.

As I stated earlier, this researcher posted their findings roughly three months ago, with some refinements in between.  It had already been public knowledge that some other countries in Asia had taken action for similar security reasons, but this was not on the agenda of the US government, at least not publicly, until after June 20th, 2020.

Now by all means, I’m not saying that this is not a matter of national security.  Perhaps it is legitimate, but it’s very hard to rule out that this is an act of political retribution, especially when the President is levying terms about TikTok making direct payments to the Treasury department as a part of potential acquisition terms to an American company, Microsoft.

Only time will tell.

Lessons Learned

Again, without a dog in this fight per se, I do not believe TikTok to be the monster they are being portrayed as.  I would agree that the discovery of what the app has been doing is unsettling, and I hope the company not only owns the situation but is committed to implementing change.  In security, we have a saying (the principle of least privilege) that you should only have access to the information necessary to get the job done and nothing more.

My other hope is that this spotlight will give TikTok and ByteDance an opportunity to reevaluate their platform as a whole, as there are many questionable users whose content seemingly preys on the young in a creepy manner.  As parents, we should be concerned about that, but as a company, they really need to look into that further. Perhaps a future blog post?

Oh, and before I go. If you are a content creator on TikTok and are wondering what you should do in the event that the platform ban happens, I would recommend that you see my previous blog post about having a Business Continuity Plan in place as I feel you would find some value in it.

Take care.
