Approach of TikTok platform to privacy and security

21. September 2020

With the development of information and communication technologies and their use for usual human activities, there are also growing concerns about the fundamental human right – privacy. Given the evolution of the situation, it can be said that the methods for misusing the private data are becoming more and more diverse. Payment cards of entrepreneurs can be abused for transfers of large amounts of money, allowing attackers to bypass automated bank transfer checks.

Private data can be sold to third parties (e.g. for spear-phishing and blackmailing) and information about your behaviour in cyberspace can be misused for a targeted political campaign funded by malicious actors, whose aim can also be to destabilize the democratic system. The confidentiality of information is in the spotlight also due to publicized hearing of social network representatives by the US Congress.

Apart from the most popular social networks Facebook and Twitter, the Chinese TikTok social network also became the centre of controversy, and this article explains why. It points out what information the TikTok social network collects, whether the privacy of users is preserved and respected, and above all, whether the TikTok social network respects privacy laws. Finally, a summary of recommendations for safe behaviour in the environment of social networks and when using mobile applications is presented.

TikTok as a social network

A globally available short video sharing application TikTok has become a social phenomenon in a short time (downloads in more than 150 countries and 75 language versions) [1].

The application was created in November 2017 and in August 2018 it merged with the application Musical.ly (users and content of Musical.ly became part of TikTok and one of the founders of Musical.ly – Alex Zhu became vice president of TikTok), which was operating since August 2014 [2].

TikTok is developed by and currently also owned by ByteDance company of Beijing [3], and is based on sharing of videos lasting up to 15 seconds or longer story videos up to 60 seconds. The application is very clear and easy to use for social network users.

All videos can be modified after shooting through various graphic or musical effects and filters. It is the ease of use and the popularity of this form with quickly and easily understandable content that supported the emergence of numerous extreme and often dangerous challenges (often dangerous activities that users subsequently share on the platform) [4], as well as young successful opinion leaders and influencers. Currently, TikTok is considered a good marketing tool with a high number of users.

In China, TikTok operates under the name Douyin. Servers are located in each state where TikTok is available, but the Chinese version, which covers 60% of all TikTok users [5], is separated from other servers in order to follow the Chinese Internet censorship. The application is popular mainly in the demographic group of teenagers (16 – 24 years), who make up 69% of its user base [6].

In the first quarter of 2019, TikTok was the most installed application worldwide and currently has more than 800 million active users per month. Users spend an average of 52 minutes per day on TikTok and they open the application an average of 8 times per day [7].

Cybersecurity of TikTok

One of the basic phenomena in the field of cybersecurity of social networks and applications is that the more users they have, the more attractive they become for cyber attackers. The TikTok application is no exception, and in case of detection of a cybersecurity incident or vulnerability, it is possible to report it through the form published on the application’s website in the privacy and security section. If a serious vulnerability is detected, TikTok creators also promise a reward, but without further specification [8].

As of 25 May 2020, the following vulnerabilities with the assigned CVE identifier were published and registered:

The Musical.ly vulnerability tracked as CVE-2017-13101 [9]. This vulnerability of medium severity (CVSS 7.5) in the iOS application consisted of the existence of a hard-coded key for encryption and enabled to decrypt data by anyone who gained access to this key.
The TikTok vulnerability tracked as CVE-2019-14319 [10]. This vulnerability of medium severity (CVSS 6.5) was in both applications – iOS as well as Android. The applications had unencrypted transmission of images, videos, and likes. This allowed an attacker to extract private and other sensitive information by sniffing network traffic (the vulnerability description and testing by other security researchers below (13 April 2020)).

In addition to officially registered vulnerabilities tracked as CVE, other severe security vulnerabilities were identified and published by security researchers:

In January 2020, a security company Checkpoint published a security research [11] of the TikTok application and detected a vulnerability of SMS spoofing. The vulnerability allows sending an SMS message that will be displayed on the recipient’s device as sent directly from the organization owning TikTok. The vulnerability could be used for other attacks in which the attacker needs the victim to click on the URL address, e.g. phishing campaigns.

By exploiting other more serious vulnerabilities identified in this research, the attacker could take control of a foreign TikTok account and manipulate its contents, delete videos, upload videos, post private videos, and reveal personal and other sensitive data stored on the account, e.g. a private e-mail address.

All of the abovementioned vulnerabilities and the other ones directly related to the TikTok website were reported by Checkpoint and resolved by TikTok.

In March 2020, security researchers Tommy Mysk and Talal Haj Bakry detected a suspicious activity [12] of several applications on iOS, iPadOS and macOS. The suspicious activity consisted of collecting data stored in the clipboard (control+c). The vulnerability is conditioned by a running application, which is sufficient to operate in a minimized mode and its possible abuse is alarming. This allows applications to access not only all passwords copied from security applications, but also the current location of the device being a part of the internal information of copied photos. This activity does not require permission in iOS and it is not known where the copied data will end up. After submitting the information about the suspicious activity to Apple, the company declared that it “does not see any problem in the vulnerability in question”, i.e. a suspicious functionality was not fixed.

Among applications that did this activity belong journalistic applications such as: Al Jazeera, Fox News, New York Times, Reuters, then games: Fruit Ninja, Plants vs. Zombies Heroes, PUBG Mobile and from social networks besides TikTok also Viber and Weibo.

In April 2020 security researchers Tommy Mysk and Talal Haj Bakry reported that most of the TikTok content is sent to servers via unencrypted HTTP [13]. Although this process is slightly faster than encrypted HTTPS, the analysis revealed that TikTok moves videos, profile photos and video previews over HTTP. This unencrypted data transmission allows the owners of public WIFI, Internet providers and intelligence agencies to collect this data without any problems. This also makes the application vulnerable to MITM attacks (man-in-the-middle), enabling to exchange a video or image uploaded from a popular TikTok account for a completely different video. An attacker could forge a malicious content that would give a sense of credibility to the victim.

For this attack, the attacker should have access to the router to which the user is connected. Such access is available, for example, to public WIFI operators, VPN service providers, Internet service providers, and in some countries governments as well as intelligence agencies.

The TikTok application for Android contains 39 open source libraries, for comparison with the application for iOS which contains 20 of them [14]. The analysis of the libraries revealed that all the libraries used by TikTok have security updates released. However, without a deeper and invasive analysis, it is not possible to determine which versions of these libraries the TikTok application uses or whether used libraries have security patches installed.

As with other applications, detection of a new 0-day vulnerability cannot be ruled out, and if a vulnerable library was in the application, it is still uncertain whether all the conditions for its abuse would be met.

Privacy and security of user data in China

Following the approval and implementation of the Cryptographic Law, data encryption is prohibited in China, and in the case of encryption, entrepreneurs are required to turn over encryption keys. The aim of the activity is to provide the Chinese communist government with access to all data of foreign companies doing business on the territory of China.

Such data can be afterwards shared by Chinese officials (intelligence services and the military) with state-owned companies, and thus gaining a competitive advantage over foreign companies trading in China. The provision of information was on request until the cryptographic law was passed, but currently the Chinese government obtains data from servers in an invasive way – it requires direct access to stored data and trade secret protection is not respected [15].

TikTok and user data collection

The company states on its website in the Privacy Policy section [16] that it automatically collects the following data:

IP address
geolocation-related data
information about your location, including location information based on the SIM card / IP address,
GPS data with user permission,
device information:
device model,
telecommunications service provider,
time zone setting,
operating system,
application and file names and types,
keystroke patterns and rhythms,
metadata,
browsing history,
search history,

The company declares that it uses the information for a number of purposes, including for example:

targeted advertising,
usage of User Content as part of marketing platform,
inference of additional information:
age,
gender,
interests,
detection of abuse, fraud and illegal activities,
other purposes for which the user will be notified within a given period.

In the first part of data sharing, the company informs that it does not sell personal information to third parties. However, it shares it with service providers and business partners. The information may be also shared with a parent, subsidiary or other affiliate of their corporate group. In the case of major problems, the company shares the information due to a substantial corporate transaction, such as the sale of a website, a merger, assets sale, or in the event of bankruptcy.

TikTok and the US Congress

The US Congress initiated 2 attempts to meet with representatives of TikTok and Apple for potential cooperation with the Chinese Communist Party (note: Apple moved the Chinese iCloud server to China directly under the administration of the Chinese provincial government [17]).

In the past, Apple succumbed to the pressure from the Chinese Communist government, e.g. censoring the Taiwanese flag in Hong Kong and banning applications to monitor activities of the police during the local protests [18]. Apple blocked hundreds of other applications in China since July 2018 at China’s request [19].

The first hearing was held in November 2019 and both organizations – Apple and TikTok refused to send their representatives. After the first hearing, TikTok officially announced that it would cooperate, but at the second hearing in March 2020, its representatives did not appear again [20].

At a November hearing, TikTok was accused of collecting private information from US citizens, even those that are not important for the operation of the application, e.g. private messages (see the chapter TikTok and user data collection). Josh Hawley, who chaired the congressional hearing, outlined the link between the facial recognition system used in China for the social rating system and China’s activity in collecting data to improve the software.

He also mentioned the possibility of misusing this software for military purposes and the information that members of ByteDance’s management were members of the Chinese Communist Party. Hawley described the refusal to participate in the congressional hearing as “disturbing” and “secretive.” [21] Apple declined to comment on congressional allegations.

TikTok publicly commented on the US Congress’ concerns about data privacy and security [22] on 24 October 2019 through its website. The CEO of TikTok declared that all TikTok user data is stored entirely outside of China, and is not subject to Chinese law (“user data is stored in the United States with backup redundancy in Singapore”).

He added that the content of TikTok is not regulated pursuant to Chinese law, they have never been asked by the Chinese government to remove any content and they would not do so if asked. He explicitly stated that the company is not influenced by any government, including the Chinese government and does not have any intention of changing it in the future. The company declares that the cybersecurity of applications is managed by a dedicated technical team.

ByteDance company had a proven cooperation with the Chinese Communist Party in the past. In December 2017, CEO Zhang Yiming apologized on behalf of ByteDance for the “political crimes” of Jinri Toutiao’s flagship application which was used to customize news feed for individual users [23].

The application allegedly shared useless information, misleading medical information, exaggerated advertising. In December, the Cyberspace Administration of China (CAC) ordered the suspension of this application for circulating “pornographic and vulgar information”, and in April 2018, the Douyin application (Chinese version of TikTok) was also affected for a “complete system upgrade,” “server maintenance” and “system updates.” It cannot be ruled out that this was not a censorship attempt [24].

Identified risks

In view of the above facts, it can be concluded that the TikTok application poses a security risk, mainly due to the fact that:

ByteDance company owning TikTok is Chinese, and therefore falls under Chinese law and has a cooperation history with the Chinese Communist Party,
in the “Privacy Policy” section, TikTok explicitly states that it shares user information with the parent company (ByteDance),
TikTok collects a large amount of data, even the one that would not be necessary for its own functionality (behavioural information obtained through using the application, contact data, location data, information from other social networks, private messages sent via TikTok, a phone book, lists of files and applications installed in the device and others),
the US Congress has expressed suspicion of the misuse of data collected from the “West” for military purposes and for the improvement of the face recognition system used by the Chinese Communist Party (for the social rating system).

It can be said with an absolute certainty that all private data collected in the TikTok application (in particular private videos of users, personal data, telephone numbers and location data) is made available for the Chinese Communist Party on request or immediately (if they already have accesses as in the case of Apple). Similar conclusions were reached by the US Congress as well, that had already organized two hearings regarding the topic (in November 2019 and March 2020), but the representatives of TikTok did not participate.

Recommendations

Based on the abovementioned information, the National Cyber Security Centre SK-CERT (hereinafter referred to as SK-CERT) generally recommends the following:

in on-line communication follow all rules of cyber-hygiene,
read carefully what permissions the application requires and answer the following questions:
is there any sensitive data on the device that I do not want the manufacturer of the application to have?
does the application need these accesses for its normal functioning?
does the application have an alternative that does not require such permissions for its functioning?
until TikTok’s privacy policy is adjusted and TikTok’s response to allegations is transparent, we recommend that you remove the application from the device / do not install it,
we do not recommend to install the TikTok application by public administration employees and generally by employees of operators of essential services in accordance with the Act on Cybersecurity,
install only applications that are being developed outside the Chinese market,
use hardware not manufactured by a company governed by Chinese law.

If you want to continue using TikTok, SK-CERT recommends the following:

use the TikTok application on another device than the one that you use for regular activities, other social networks, and for work purposes,
when creating an account on the TikTok social network, do not use an account from another social network to log in, the company will thus obtain a large amount of additional private data,
public administration employees and operators of essential services who want to use TikTok for marketing/other purposes are advised not to install TikTok on devices with access to business e-mails and job-related files,
you need to be skeptical about all the information you get on the TikTok social network and follow the general principles:
the more serious and extreme the information is, the more suspicious it becomes,
“extreme allegations require extreme evidence”,
the fact that information was shared from a trusted source does not mean that it was uploaded by a trustworthy person,
any suspicious information must be verified from several sources.
If you are interested in deleting the data collected by the company, it is possible to contact the company at e-mail address [email protected]. To protect the personal data, the company declares its deletion upon request. However, the complete deletion of data cannot be confirmed.