According to an exclusive report from TheWrap, the China-based app TikTok is side-stepping Apple and Google privacy protections to give its Beijing-based parent company, ByteDance, full access to user data.

“The studies, conducted by ‘white hat’ cybersecurity experts that hack for the public good, were completed in November 2020 and January 2021,” TheWrap reported, noting that the outlet had “verified the studies and confirmed their conclusions with five independent experts.”

“The summaries of the studies, shared exclusively with TheWrap, suggest that TikTok is able to avoid code audits on the Apple and Google app stores,” the report continued. “More alarmingly, the research found that TikTok is capable of changing the app’s behavior as it pleases without users’ knowledge and utilizes device tracking that essentially gives the company and third parties an all-access pass to user data.”

“This is highly unusual and exceeds the abilities of U.S.-based apps such as Facebook, Twitter and other social media platforms,” TheWrap added.

“These dynamic properties allow TikTok carte blanche access to your device within the scope of what the application can see,” said Frank Lockerman, cyber threat engineer at cybersecurity firm Conquest Cyber who reviewed the two “white hat” studies. “The TikTok browser not only has access to convert from web to device, but it also has the ability to query things on the device itself.”

“It seems to me that ByteDance has gone to monumental lengths — possibly more than Facebook, Twitter and other social networks — to conceal the inner workings of their app,” said one mobile development expert. 

“The security and privacy of our global community is always a top priority,” TikTok said in a statement provided to TheWrap. “Staying ahead of next-generation cyberthreats requires continuously strengthening the security of our platform, which is why we continually work to validate our security standards and collaborate with industry-leading experts to test our defenses.”

A spokesperson for the company also told TheWrap that TikTok “adheres to app store policies,” and that “its product meets information security standards in the U.S., the U.K., Ireland, India and Singapore and recently received certification by the ioXt Alliance for meeting standards and commitments to cybersecurity and transparency.”

These two studies examined TikTok’s source code in 2020 and 2021, and looked into how the app collects data related to “contacts, device ID and clipboard actions and conceals data being sent to and from TikTok’s servers.” 

The studies uncovered a concerning lack of anonymized data. For example, TikTok reportedly uses device IDs for ad integration, “which means advertisers can end up tracking people over time across devices and installs.”

“Once one advertiser has a device ID that’s correlated, all privacy is gone,” one report said.

“As with any social media, if you are not paying, then you are likely the product,” Jeff Engle, president of Conquest Cyber, told TheWrap. “The data you give, which almost always is more than users realize, can be hijacked, but that is an individual risk analysis on a user-by-user basis. The collection, control of distribution and manipulation of any social media makes it a powerful weapon.”

Earlier this month, it was also reported that TikTok “sends data to more third parties than any of its competitors.”

“In a new study, URL Genius leverages Apple’s new privacy features to track where various applications send user data,” The Daily Wire reported earlier this month. “They determined that TikTok, on average, makes contact with 13 third-party domains — far higher than Twitter, LinkedIn, Instagram, Facebook, or Snapchat. Although both YouTube and TikTok use an average of 14 trackers overall, 10 of YouTube’s trackers are first-party contacts — meaning that it primarily deals with user data for its own purposes, such as determining relevant advertisements.”
