Anthony DeFalloBasic Information
TikTok has become one of the most popular social media apps in use around the world, replacing its predecessor “Vine” after it was shut down in 2017*. The popular app TikTok is now being used by over 800 million users around the world* and has made many users “TikTok famous” in it’s short 3-year span of existence.
Infrastructure of TikTok
One concern that has been up for debate since the release of the app was the security of it. This cause for concern comes from the origins of the app: China. The founder of TikTok is a company by the name of ByteDance (based out of Beijing)*. The resulting information alone brings a lot of concern to many cybersecurity specialists, researchers, and governments: Where is this data being stored? What security methods are in place? Who has access to plain-text information at a given time? Are the devices TikTok is installed on vulnerable? Let’s discuss what we know about data security in foreign countries and the hypothetical methods that TikTok may use for their hosting, as well as what they have access to on our mobile devices.
TikTok is an internationally used application and utilizes Amazon Web Services and Akamai for global application and Content Delivery Networks (CDNs) to populate the app with its content worldwide. A simple lookup of the TikTok domain name results in the use of both of these platforms (resulting in US IP addresses). However, since the search was completed in the US and TikTok’s use of CDNs is clear, it is showing us their “US Presence”. When cloud infrastructure is used for applications, they likely have synchronization between the datacenter regions. Once that information leaves the United States, we lose the majority of our control. It is up to the country’s policy where each datacenter is located to determine the privacy and security measures that trump the datacenters. In the case of Chinese datacenters, a new law that was recently signed now allows the Chinese to have complete access to data stored or transmitted through the country’s network*.
Under new cryptography regulations, Chinese authorities will have full, unrestricted access to any data transmitted or stored within the country.
Datacenter Dynamics
What does this mean? Well, that means your information that you provide to TikTok at signup, as well as demographics about yourself, likes, comments, DMs, follows, and videos can be viewed, accessed, and analyzed by the Chinese government if they so desire. Another risk, and unconfirmed vulnerability, is that the app could have unrestricted access to your camera and microphone at any given time. Before we move on to the risks associated with this, let’s see what information is collected from TikTok at signup.
Registering For TikTok
First, at the registration screen, we see this screen, which asks us how we want to sign up:
Let’s say we don’t want it connected to our social media or Apple accounts, so let’s choose “Use Phone or Email” (This info is already passed over by any of the other sign-up methods).
We are next presented with a screen immediately asking for our birthday, which would also be imported or prompted for if you use another method:
Finally, we are prompted for either our Email or Phone Number to sign up. Once confirmed, our account is setup.
Risks of Information Being Exposed
Many people (including myself at one point in my life) have said “my information is already out there, why should I care if it goes to one more place?” Well, let’s say that TikTok uses this synchronization method between their datacenter regions. If they are hosting this in China (or any other country with a similar law in place), they have full reign to look at any unencrypted information that is stored on these servers OR is transmitted throughout the Chinese network. So… what are the risks?
One major hack that has become more popular recently with this information (Name, Phone Number, Birthdate, Email Address) is socially engineering cellphone providers and executing the “Sim-Swap” attack. This is done by calling your provider pretending to be you and explaining that they need to activate and replace your current SIM card in your phone to their SIM/Phone or even an emulator for phones. There is a chance that they can even just simply have a forward placed for any phone calls or text messages to forward directly to the hacker’s phone. This then defeats the once secure “2-Factor Authentication” method used by many companies to add an additional layer of security, as well as allowing password resets, for many accounts used today. Normally, cellphone carriers require more information, such as an account number, recent bill statement, PIN, or the last 4 of the account holder’s social; however, many will often fall to the pressure if the social engineer is acting impatient or is panicking.
In Wraps, What Should I Do?
As of right now, there are several unconfirmed reports, from having this app on your phone will allow your information to be leaked to even your phone being part of a large botnet that can launch a large-scale attack on any “paying” customer of the botnet.
So, what should you do? If you’re uncomfortable with TikTok having an active account for you, tap the 3 dots at the top right of your account, tap “manage my account”, and then press “Delete account” at the bottom. This will delete your active account. There is no proof that your information is then deleted, but best ethical practices are that the information WILL be removed. Delete the app after you have done all of this to ensure any other vulnerabilities within the app are deleted.
Regarding your personal information being circulated throughout China, this is something that can easily happen with Facebook, Twitter, Instagram, Amazon, Google, Apple, and many other companies (even though many have released statements that they will NOT host in these countries to prevent these privacy issues).
In closing, I personally will most likely keep my TikTok until I hear more information on the alleged vulnerabilities, as I have been involved in several data breaches over the years and have locked most of my cyber-based life down as a result. However, I will be keeping a close eye on this and update you through other posts on any new information that I find.