Is TikTok a Hacker’s Dream?

Viral videos, dance challenges, and...cybercrime?

More than just dancing teens and lip-syncing, persistent security concerns about social media apps mean that companies may need to take stronger positions on the use of platforms like TikTok on their company-wide cell phones. In the age of cybercrime, corporate cell phone policies are increasingly important for dealing with a potential vulnerability in cybersecurity.

Since launching in 2017, TikTok has grown incredibly fast to become one of the most popular social media apps in the world. With over 2 billion downloads, it has captured an incredible portion of the social media market and is essentially the go-to platform of the moment. 

It is still growing, with expansion planned in countries around the world, including Canada. Canadian users are already on board, and interest continues to grow. At the end of last year, it was ranked second in downloads on Apple's Canadian App Store, above both Netflix and Amazon Prime Video. 

It is particularly popular with zoomers, as well as with younger millennials getting in on the act, but its reach is comprehensive with users of all ages and demographics. 

TikTok is, at its heart, a video-sharing platform not unlike the now-defunct Vine. It is all about viral memes, lip-synced videos, and dance crazes, but it goes much, much further than that, with ‘TikTok Teens’ and ‘K-Pop Stans’ reportedly at the heart of coordinating protests against Donald Trump in the US.

On the face of it, TikTok is harmless fun, a break from the arguments and debates of Twitter and the picture-perfect world of Instagram. But is there a more sinister side to this social media platform? Do organizations need to look more closely at the cybersecurity ramifications and vulnerabilities that the app exposes, and do corporations actually need to ban TikTok from their company cell phones? 

In June this year, a former US military hacker calling themselves ‘Jester Actual’ shared an article exploring the specific risks to Apple users that TikTok posed. As far back as April, it was discovered that apps could access the clipboard on users’ Apple devices, compromising their privacy and essentially allowing apps to spy on their customers. TikTok, among others, was caught snooping and challenged. It was put down to outdated ad software, and measures were supposedly put in place to prevent inadvertent data mining.

However, with the latest Apple iOS update, which provided a warning if third-party apps were accessing the clipboard on devices, it was discovered that this practice hadn’t been dealt with, and TikTok was still accessing information from their users. A fix and an apology were rushed out, but concerns remain given the previous lack of action. Ann Cavoukian, executive director of the Global Privacy and Security by Design Centre in Toronto, said, "I am always wary about statements [saying], 'Oh, trust us,’” and expressed skepticism about TikTok’s defence. 

Most worryingly, due to Apple’s universal clipboard functionality, anything copied on any synced Apple device can be accessed by apps on an iPhone. So if you have TikTok active on your phone while you work, everything you do on your laptop could potentially be vulnerable.

When it comes to TikTok, these vulnerabilities are compounded by the fact that the app itself is Chinese, with strong links to the Chinese government. As a result, the US military banned personnel from using the app as it represented a potential risk to national security. The US government has threatened a full ban on the app due to security concerns, and an Israeli cybersecurity firm has discovered a variety of backdoors, vulnerabilities, and security issues. TikTok, along with around 60 other Chinese mobile apps, has been completely banned by the Indian government.

It is not just the Apple clipboard issue, either. It has been described as ‘fundamentally parasitic’ and ‘always listening’ by the CEO of Reddit, Steve Huffman, and cybersecurity experts of all stripes have written warnings about its ability to access data. 

So there are clearly issues with TikTok, and other social media apps, with significant concerns around how much data they have access to and what they might be doing with it. But what does this mean for businesses? Do companies need to crack down on the use of social media platforms by employees?

Mobile devices are one of the most vulnerable entry points into an organization’s security system, and companies should always be paying attention to potential risks relating to any devices their employees use in a work context. Easily exploited and quickly compromised, more attention needs to be paid to corporate mobile devices, even without the added concerns raised by social media platforms.

Most mobile devices used in a work context, whether company-issued or personal, end up being used for both professional and personal reasons. As a result, there is a blurring of the lines over what is considered acceptable behavior when it comes to phone use, and the more robust security measures that are vital for businesses can sometimes be overlooked.

As a result, having solid, detailed security policies in place for mobile devices, whether company phones or bring your own devices (BYOD), is an essential part of managing and maintaining strong cybersecurity protections. Installing business software on BYODs is often a technique organizations use to save money, but the lack of control does mean that this is a riskier option than business-owned phones. BYODs should be restricted, with limited access to sensitive resources, and only while using VPNs.

For both company phones and BYODs, there are a bunch of best practices that need to be rigorously enforced in order to maintain security, including installing regular updates, securing the device, encryption, backups, avoiding public wifi networks, and immediate reporting if the device is lost or stolen. But given the security concerns raised about third-party apps like TikTok, should a mobile device security policy include a restriction on what social media platforms can be downloaded on devices used in a professional context?

Government agencies in the US certainly think so. The US Army banned the use of TikTok on work phones earlier in the year, as they considered the app a cyber threat. The concern here is that the level of data gathering that is theoretically possible with the app, combined with the possibility that the Chinese government could require TikTok to hand over information, could present a national security threat. The Transportation Security Administration and Homeland Security have followed suit, and the US Senate is currently considering a bill that would ban the app on all devices used by federal employees. 

More recently, President Trump called for a full ban on TikTok downloads in the US, with a two-week deadline to address the security concerns surrounding the app. The parent company, ByteDance, has since reached an agreement with Oracle and Walmart to sell a significant stake in the US arm of the company, which will assuage some of the national security concerns.

Oracle will take a 12.5% stake in the Chinese firm, while Walmart will take a further 7.5%, adding up to a 20% sale which will cover TikTok’s US operations. In total, the companies will pay $ 12 billion for 20% of the company, currently valued at $ 60 billion overall. ByteDance will keep its 80% stake in the new company and may well have control over tech development, as well as the app’s base code. 

Although the download ban appears to have been reprieved at the 11th hour, misgivings remain. Given the increased and persistent security concerns about TikTok in particular and social media apps in general, it does seem that businesses should at least consider taking steps to mitigate this potential vulnerability in their cybersecurity systems. 

In this age of increasingly subtle and complex cybercrime, creating robust, comprehensive policies to deal with cell phone use in a work environment is a vital element of good cybersecurity. Raising awareness about the potential threats that third-party applications can pose is a good first step, and companies may well wish to take stricter measures and ban TikTok and other apps, depending on their situation.