Cyber-Security Expert Reveals TikTok In-App Spying
Two months ago, Reddit user bangorlol made a comment in a discussion about TikTok.
Facebook got itself into a sensitive data scandal when it did shady business with Cambridge Analytica, Instagram confirmed a security issue exposing user accounts and phone numbers, but these apps are basically online security havens compared to TikTok, according to one senior software engineer with about 15 years of professional experience.
Bangorlol claimed to have successfully reverse-engineered it and shared what he learned about the Chinese video-sharing social networking service. Basically, he strongly recommended that people never use the app again, warning about its intrusive user tracking and other issues. Considering that TikTok was the 4th most popular free iPhone app download in 2019, this is quite alarming.
Bangorlol is no script kiddie. “The last several years of my career has been based around reversing mobile applications, analyzing how they work, and building additional third-party functionality around them,” he told Bored Panda. “A rough example would be me noticing that Twitter doesn’t show you a sequential timeline (no idea if they do or not) on the website but does on the app. I’d go into the Android or iOS version, find the requests that get the correct data, and build a third-party tool (app, website, browser extension) to give users this functionality.”
“Lately, it mostly involves reversing my company’s partner APIs so we don’t have to wait for them to create something custom for us. I hunt bug bounties when I’ve got the time, or help my friends out with theirs (or their CTF challenges). I like security in general and typically find at least a few major flaws whenever I change employers. I’m kind of a ‘jack of all trades’ kind of guy in the sense that I’m comfortable in most areas of software engineering and mostly pretty okay with many security topics.”
Reportedly, it took 200 days for the Chinese development team to create the original version of TikTok, but when Bangorlol got his cursor on its code, it had no chance. Although, it did try to put up a fight. “TikTok put a lot of effort into preventing people like me from figuring out how their app works. There’s a ton of obfuscation involved at all levels of the application, from your standard Android variable renaming grossness to them (bytedance) forking and customizing ollvm for their native stuff. They hide functions, prevent debuggers from attaching, and employ quite a few sneaky tricks to make things difficult. Honestly, it’s more complicated and annoying than most games I’ve targeted,” Bangorlol explained.
Bangorlol thinks that we as a society have normalized giving away our personal information and have no expectations of privacy and security anymore, so giving TikTok our data together with our money is nothing surprising. “The general consensus among most ‘normal’ people is that they can’t/won’t be targeted, so it’s fine. Or that they have nothing to hide, so ‘why should I even care?’ I think the apathy is sourced from people just not understanding the security implications (at all levels) of handing over our data to a foreign government that doesn’t discriminate against who they target, and also doesn’t really have the best track record when it comes to human rights,” he said.
Keep in mind that Bangorlol released his initial commentary a while ago and hasn’t touched the app in months, and when he posted his findings, they were also a few months behind. “The app could’ve changed fingerprinting techniques or added/removed some of the nasty things they do. I strongly encourage security researchers who are much smarter than me and have more free time to take a look at the app and scrutinize every little detail they can. There’s a lot of stuff going on in the native libraries for at least the Android version that I wasn’t able to figure out and didn’t have the time to investigate further,” he added.
“TikTok might not meet the exact criteria to be called “Malware”, but it’s definitely nefarious and (in my humble opinion) outright evil,” Bangorlol said. “There’s a reason governments are banning it. Don’t use the app. Don’t let your children use it. Tell your friends to stop using it. It offers you nothing but a quick source of entertainment that you can get elsewhere without handing your data over to the Chinese government. You are directly putting yourself and those on your network (work and home) at risk.”
TikTok May Be Snooping On Bitcoin Addresses, Other Clipboard Data
Last week’s release of Apple’s iOS 14 developer beta for iPhone has made it more obvious than ever that many popular iOS apps are reading your clipboard data even when they have no clear reason to—and they can do so from other nearby Apple devices, too.
The alarm was first sounded back in March when researchers Tommy Mysk and Talal Haj Bakry reported that social video sensation TikTok and dozens of other apps were regularly recalling data from the iOS and iPadOS clipboard, even when you’re not in a text input box. And as Ars Technica pointed out in a recent report, that data could potentially include Bitcoin addresses or other sensitive financial information.
The iOS 14 beta release includes an alert that now tells users when another app is copying data from the clipboard. As a viral video shared to Twitter last week shows, TikTok in particular is requesting data every couple of keystrokes, even though the request was not initiated by the user and nothing is being pasted into the field.
Apple’s various modern devices, including iPhones, iPads, and Mac computers, also share a Universal Clipboard feature. When the devices that share an Apple ID are in close proximity (about 10 feet), they can read the clipboard data from the others, in case you want to paste something from one device to another.
All considered together, it’s a potentially unnerving situation for anyone handling sensitive data on an Apple device, whether it’s passwords, Bitcoin addresses, or other private and valuable information. Even if most of the major identified apps likely aren’t using the function maliciously, the existence of the feature raises doubts about the security of data within iOS.
Mysk and Haj Bakry identified more than 50 major apps this spring that utilized the functionality, ranging from the aforementioned TikTok—which has an estimated 800 million users—to news apps such as The New York Times, CBS News, and Fox News, games including Bejeweled and PUBG Mobile, and other apps including AccuWeather and Hotels.com.
The Telegraph reported in March that TikTok planned to address the issue, but did not. A TikTok representative told Ars Technica last week that the functionality was implemented as an anti-spam measure, and that an updated version of the app without the clipboard callback has already been submitted to the App Store for approval.
Mysk told Ars Technica that only two other apps out of the 50+ major apps identified in March—Hotel Tonight and 10% Happier—changed the functionality thereafter. However, now that the iOS 14 beta has implemented the warning, developers may be more motivated to avoid alarming potentially millions of users once iOS 14 rolls out publicly this fall.
TikTok, Once An Oasis of Inoffensive Fun, Ventures Warily Into Politics
App starts allowing U.S. protest videos and quits Hong Kong, while facing flak in Washington over its Chinese control.
TikTok has been one of the world’s biggest distractions during the pandemic, thanks to its endless stream of bite-size videos featuring dance-offs, pranks and other goofs.
Lately there has been a dash of something new at TikTok: politics.
Experimenting with letting users post short political videos, the app is emerging as a platform for protesters and mischief-makers alike in a moment of social unrest around the world. The shift is posing complicated new challenges for an extraordinarily popular app devoted, until recently, to mindless fun.
Political content was long anathema at TikTok, a Chinese-controlled company known for avoiding any video that might make someone uncomfortable. That included blocking or flagging snippets featuring disabled people, too much cleavage and, in one case, “Make America Great Again” caps. When protests over the killing of George Floyd first rocked the U.S. in late May, some TikTok users said the hashtag “Black Lives Matter” was being censored on the app.
TikTok then apologized and attributed the problem to a glitch. It has featured videos of the protests in recent weeks, including scenes of police firing tear-gas canisters, the looting of a barbershop and protesters carrying a man with a gunshot wound—content that former moderators say would surely have been blocked in the past.
Meanwhile, some users are experimenting with ways to organize politically on the app. When President Trump’s June rally in Tulsa, Okla., drew a far smaller crowd than anticipated, TikTok users said they had reserved masses of tickets and then stayed away, upending expectations and giving the campaign a black eye. The Trump campaign disagreed, blaming the limited turnout on fear of violent protests and what it called biased media coverage.
This week, Chinese politics embroiled TikTok as the parent company of the app said it would pull the app out of Hong Kong, where a new national-security law imposed by mainland China will empower police to make internet companies hand over user data. TikTok will exit from Google and Apple app stores in Hong Kong and cease operations for users there.
TikTok also faces growing flak in Washington, rooted in concerns that the app’s Beijing-based parent company could share information with the Chinese government. The State and Defense departments prohibit employees from downloading TikTok on government devices. Some members of Congress are seeking to widen that ban, and Secretary of State Mike Pompeo this week hinted the Trump administration was considering limiting U.S. users’ access to the app.
A spokesman for TikTok said that the Chinese government has never requested access to any of its user data and that TikTok wouldn’t share any if asked. Though controlled by a Chinese company, TikTok is registered in the Cayman Islands and its CEO is based in Los Angeles.
All this comes at a time of roiling debate over how much control social-media companies ought to wield over content. The boom TikTok has enjoyed shows the rewards of its policy of tight control of content. Its 315 million downloads in the first quarter were the most ever for an app in one quarter, according to research firm Sensor Tower.
Yet as TikTok grows in the West, the app built under a Chinese legal system that involves concessions to censorship faces the risk of alienating users accustomed to free expression. TikTok has eased up somewhat lately not only on political but also on its cultural strictures.
With a new American chief executive, hired from Walt Disney Co., TikTok is trying to find the right balance between letting users freely address sensitive topics and retaining the upbeat vibe that made it a staple of smartphones. How CEO Kevin Mayer handles the tricky task will bear on the fortunes of a parent company, ByteDance Ltd., that is planning an initial public offering.
Mr. Mayer arrived from an entertainment powerhouse well-versed in dealing with authorities in China. Disney has cleared numerous movies with Chinese censors, who are known for scrutinizing every frame of a film. Under Mr. Mayer’s watch, the streaming service Disney+ avoided shows and movies that skew too mature for the Disney brand.
“I do have a lot of comfort with wholesome or family-friendly companies,” Mr. Mayer said in an interview. Disney and TikTok “do very different things,” he said, “but the family friendliness and the wholesomeness of it I really like. That’s a comfort zone for me for sure.”
ByteDance, which already owned the popular Chinese app Douyin, developed TikTok in 2017 out of a fast-growing Chinese app called Musical.ly, which ByteDance acquired. TikTok is similar to Douyin, which operates only in China.
Disney also considered buying Musical.ly, according to former colleagues of Mr. Mayer, who said he was among the Disney executives who discussed an acquisition before deciding to pass. Disney ultimately concluded the app’s Chinese ownership combined with its appeal among young children made it too risky to pursue, these people said. A Disney spokeswoman declined to comment.
From its start, TikTok has used artificial intelligence to detect violations of its rules concerning permissible content. It also hired human moderators to determine which videos broke the rules.
After pro-democracy protests erupted in Hong Kong last year, TikTok asked moderators to remove videos about the protests until mid-2019, according to a person familiar with the matter. Former moderators said they were also asked to take down videos referring to the 1989 Tiananmen Square protest that the Chinese government crushed.
“We do not, and have not, remove videos based on the presence of Hong Kong protest content,” the spokeswoman for TikTok said in a written statement.
When prosecutors in the U.S. last year charged actor Jussie Smollett with filing a false report of being attacked by men yelling “This is MAGA country,” former TikTok moderators said, they were told to watch for hats and shirts with the slogan “Make America Great Again” and take down any video that appeared controversial.
The spokeswoman for TikTok said taking down MAGA content in response to the Jussie Smollett incident was never a policy at the app. Mr. Smollett denied filing a false police report.
Early this year, videos of women working out in sports bras and leggings flashed on the screens of TikTok employees in Los Angeles. The employees knew videos of some of the heavier women violated a TikTok rule against showing more than two inches of cleavage, but let the videos remain in a silent rebellion against rules they believed punished large women and didn’t fit with American culture, according to one employee.
The U.S. content-moderation team was already battling with Beijing executives over how much cleavage should be permitted, members said. The team eventually started having a weekly conference call with the executives to air frustrations with rules that also included no hip thrusting, shaking of the upper torso, tattoos, drugs or cigarettes.
The spokeswoman for TikTok said it constantly evaluates and adjusts its policies if they unfairly disadvantage certain users.
Katie Seccombe said she was banned from TikTok in early May after posting a question-and-answer livestream during which she kissed her girlfriend on the cheek.
“It was just really confusing,” said Ms. Seccombe, a 20-year-old film-production major at Florida Atlantic University. “I would watch other people in bikinis and that was fine, but me doing something cute with my girlfriend would always get taken down.”
In mid-June, her TikTok account started working again. A notification said it had been blocked for “serious pornography.” She said she wasn’t told why it was reinstated.
A TikTok spokesman said videos from gay creators are among the most popular types on the app and are subject to the same policies as others.
Last month, TikTok launched a campaign to celebrate gay pride events. It said it would promote content from LGBT users, along with the hashtag #MyPride.
TikTok said its decisions have always been rooted in a wish to keep the tone light, not in censorship. There now is no limitation to political speech, the spokeswoman said, provided it doesn’t violate other rules, such as a ban on hate speech. She also said TikTok’s U.S. policies are run by executives there, and U.S. content isn’t moderated in China.
“In its early days, TikTok took very blunt strategies, all in the sake of trying to keep the platform as positive as possible. That was unequivocally the wrong approach,” said Eric Han, the app’s head of safety in the U.S.
The TikTok spokeswoman added that “as our local safety teams have grown in size and sophistication, we’ve been able to take a more thoughtful approach to developing and enforcing our Community Guidelines, incorporating things like important contextual nuances and feedback from outside experts.”
Mr. Han said TikTok is customizing its rules to fit cultural norms of the places it operates. It has hubs in California, Ireland and Singapore, formed last year to fine-tune the rules for differing regions.
The move followed an incident in July 2018 when Indonesia blocked TikTok after a group of local mothers complained about videos they saw as pornographic, according to Rudiantara, Indonesia’s former information communications and technology minister. The videos showed young people dancing provocatively, a TikTok employee said. Mr. Rudiantara said TikTok executives flew to Jakarta and promised to form a team to filter out videos that could offend in Indonesia.
Indonesia let TikTok back online, but the incident impressed executives with the importance of respecting individual countries’ norms, said former staff members.
As TikTok has slowly rolled back certain restrictions, former moderators said they have been able to allow some curse words and, depending on the country, shirtless men, tattoos and alcohol.
They said that although tattoos remained taboo in China, moderators in the U.S. could allow small ones, such as little butterflies. In November, Dwayne Johnson, the actor and former wrestler known as The Rock, posted his first video to the app. In January, Tommy Lee, the drummer for the band Motley Crue, joined TikTok. Both have large tattoos.
The incremental moves to loosen restrictions could expose TikTok to risks in China, where the government has historically cracked down on businesses that got outside accepted Chinese cultural norms.
The spokeswoman for TikTok said it doesn’t believe it faces such risks. “The TikTok app isn’t even available in China. Our content and moderation policies are led by our U.S.-based team and are not influenced by any foreign government,” she said.
In response to the concerns of some in Washington that TikTok’s Chinese ownership makes it a national-security risk, officials of TikTok have said that servers in the U.S. and Singapore hold its user data, and they won’t share the data.
That hasn’t satisfied Rep. Abigail Spanberger (D., Va.), a former Central Intelligence Agency officer, who said TikTok would be legally obligated to share with the Chinese government if asked.
The House in March passed a bill Ms. Spanberger sponsored that would ban the TikTok app on TSA employees’ phones. Earlier, U.S. regulators launched a national-security review of the app after some senators raised concerns TikTok was censoring content to please the Chinese government, which TikTok denied.
Sen. Josh Hawley (R., Mo.), who in an interview labeled TikTok “a surveillance machine on every phone that downloads it,” has introduced a bill to ban the app on all government devices and called for testimony from TikTok’s new American CEO, Mr. Mayer.
At TikTok, Mr. Mayer sometimes faces risks beyond the company’s control. In late June, India banned TikTok and dozens of other Chinese apps following a deadly border clash with Chinese forces in the Himalayas. New Delhi cited cybersecurity concerns for the ban.
Mr. Mayer told Indian officials that Chinese authorities had never requested the data of TikTok’s Indian users and the app wouldn’t comply if they did.
Amazon Tells Employees To Delete TikTok From Mobile Devices On Security Concerns
TikTok says it is ‘fully committed to respecting the privacy of our users’.
Amazon.com Inc. is requiring its hundreds of thousands of employees to remove the TikTok app from mobile devices that can access the company’s email system due to unspecified security risks, the latest high-profile instance in which the app has faced backlash in the U.S.
Amazon said in a staff memo Friday that employees must delete TikTok by Friday to be able to continue accessing their email from their phones. The e-commerce giant said that at this time employees can still use TikTok from an Amazon laptop browser.
Amazon didn’t immediately respond to requests for comment.
A spokeswoman for TikTok, which is owned by Beijing-based Bytedance Ltd., said “user security is of the utmost importance.” The spokeswoman also said that Amazon didn’t contact TikTok about the matter and that it doesn’t understand Amazon’s decision.
“We welcome a dialogue so we can address any issues they may have and enable their team to continue participating in our community,” she said. “We’re proud that tens of millions of Americans turn to TikTok for entertainment, inspiration, and connection, including many of the Amazon employees and contractors who have been on the front lines of this pandemic.”
Amazon’s move follows a string of recent setbacks for TikTok. Earlier this week Bytedance said it would pull the app out of Hong Kong amid concerns about a new national-security law, its second market exit after India last week banned TikTok and other apps from Chinese companies as part of an escalating border dispute between Beijing and New Delhi.
Meanwhile, Secretary of State Mike Pompeo has hinted the Trump administration was considering limiting U.S. users’ access to TikTok. In Washington, some lawmakers have called for an outright ban, saying data in the smartphone app would be available to Beijing, a claim that TikTok has denied.
The Information earlier reported the Amazon memo.
TikTok User Data: What Does the App Collect and Why Are U.S. Authorities Concerned?
Officials worry about China potentially amassing vast amounts of personal information on Americans.
U.S. Secretary of State Mike Pompeo has indicated the Trump administration is considering limiting U.S. users’ access to the popular video-messaging app TikTok. The Chinese-owned company has faced scrutiny in Washington as concerns grow that Beijing could tap the social-media platform’s information to gather data on Americans.
TikTok, which has said it wouldn’t hand U.S. user data to Chinese authorities, has exited two international markets in recent weeks, as the first global social-media sensation to emerge from China seeks to navigate a variety of geopolitical tensions.
Here is a look at TikTok’s user data practices and the concerns that U.S. officials are raising.
What Kind Of User Data Does TikTok Collect?
If you opt in, TikTok says it can collect your phone and social-network contacts, your GPS position and your personal information such as age and phone number along with any user-generated content you post, such as photos and videos. It can store payment information, too. TikTok also gets a sense of what makes you tick. It can track the videos you like, share, watch all the way through and re-watch.
Is Any Of This Unusual?
Other social-media platforms such as Facebook and Twitter also collect large amounts of information about users. But TikTok is facing scrutiny because Chinese apps in particular have a reputation for grabbing more data than required to provide their services, often sending information to advertising networks, said Jon Callas, a senior technology fellow with the American Civil Liberties Union. “Chinese apps are frequently far more abusive than others—and we hate the others,” he said.
A TikTok spokesman said the app collects less personal data than some U.S. tech companies like Facebook or Google, whose products track activity across devices.
How Secure Is TikTok?
Like some other popular apps, TikTok has had security problems. In December, researchers at the security firm Check Point discovered a number of bugs in TikTok that could allow hackers to upload or delete videos from user accounts and gain access to personal information such as email addresses. Those bugs have now been fixed, TikTok says.
In March, researchers reported that TikTok was one of dozens of iPhone apps that were accessing data copied into smartphone clipboards without users’ consent, a practice that could give the app access to sensitive information—copied phone numbers or passwords, for example. Last month, TikTok said the data access was part of an anti-spam feature and that no such information left users’ devices, adding that it had removed that tool.
Why Is The U.S. Concerned?
Washington has become increasingly worried about what it views as the possibility of Beijing performing mass data collection on American citizens, following what U.S. authorities say has been a prolonged period of cyberattacks and other efforts to obtain such information.
“If you are an American adult, it is more likely than not that China has stolen your personal data,” Federal Bureau of Investigation Director Christopher Wray said Tuesday at the Hudson Institute, a conservative think tank in Washington, D.C.
U.S. officials are concerned that the Chinese government is potentially building a vast database of information that could be used for espionage—identifying U.S. government employees who might be susceptible to blackmail, for example—says Susan Ariel Aaronson, a professor at George Washington University who has written about the national-security implications of data collection.
There is concern in the U.S., she says, that if TikTok’s user data could be obtained by the Chinese government, that would enhance any such efforts. “You can use [artificial intelligence tools] to sort through it and find an awful lot of data about what you like and don’t like,” she said.
A TikTok spokesman said that the Chinese government has never asked the company for user data and that it would refuse such a request. “TikTok has an American CEO and is owned by a private company that is backed by some of the best-known U.S. investors,” he added.
Are U.S. Concerns About TikTok New?
No. The app is currently under a national-security review by the federal government through the Committee on Foreign Investment in the U.S. after lawmakers raised concerns that TikTok was censoring content to comply with Chinese government requests. TikTok has denied these allegations.
The Federal Trade Commission early last year fined TikTok nearly $6 million to settle allegations over data collection practices of children by its predecessor Musical.ly, which TikTok acquired in 2017. The FTC said the system collected information on minors without their parents’ consent and let accounts be public by default—potentially allowing adults to contact children through the app and see users’ location information. TikTok said it made changes to its app for younger users.
The U.S. already has banned TikTok within the U.S. military and the House passed a bill in March that would ban Transportation Security Administration officials from using TikTok.
Is TikTok The Only App That Has Provoked Such U.S. Concerns?
No. U.S. national-security officials last year ordered a Chinese company to sell gay-dating app Grindr, citing the risk that the personal data it collects could be exploited by Beijing to blackmail people with security clearances.
Why Does TikTok Need The Information It Gathers?
TikTok says it collects the data to improve the app’s user experience, including by customizing content and providing location-based services. The data is also collected to inform its algorithms. TikTok says the platform will store your information for as long as it is necessary to provide the services to you.
Does TikTok Share Any Information With Bytedance, Its China-Based Parent?
Yes. TikTok stores its data on American users on servers in the U.S. and Singapore, but its website says that information can be shared with Bytedance or other affiliates. In an April blog post, TikTok’s chief information security officer, Roland Cloutier, said the company was working on “limiting the number of employees who have access to user data and the scenarios where data access is enabled.”
What Happens To Your Data If You Quit TikTok?
After a user quits the app, the information is stored in what the company says is an aggregated and anonymized format. Users can ask TikTok to delete their data, and the company has said in its policy that it will respond in a manner consistent with applicable law upon verifying your identity.
Amazon Says Email Ordering Employees To Delete TikTok Was Sent In Error
Company retracts directive to remove popular app currently under fire over security concerns.
Amazon.com Inc. on Friday afternoon reversed a demand that employees delete the TikTok app from company mobile devices, a shocking turnabout from a dictate that just hours before had stoked concern about the app’s security and ties to China.
The first message was dramatic enough, as the email directive to employees appeared to buttress recent scrutiny of TikTok security issues from governments in the U.S. and India.
Then, the second message, in which a spokesman called the email an error, backed away from what briefly appeared to be a major policy change. It was a rare instance in which such a shift played out in public for one of the world’s most valuable and closely watched companies.
What remained unclear late Friday was how many people within Amazon, if anyone, harbor concern about TikTok to such a degree that would have prompted the memo in the first place.
The now-retracted email was sent as an alert to thousands of Amazon employees early in the business day in Seattle: “Due to security risks, the TikTok app is no longer permitted on mobile devices that access Amazon email. If you have TikTok on your device, you must remove it by 10-Jul to retain mobile access to Amazon email. At this time, using TikTok from your Amazon laptop browser is allowed.”
News of the decision broke and quickly went viral after it was reported by The Information tech news site, and within hours two U.S. senators responded enthusiastically.
“Now the whole federal government should follow suit,” Sen. Josh Hawley (R., Mo.) said in a tweet.
Amazon had reversed itself by midafternoon on the West Coast. “This morning’s email to some of our employees was sent in error,” the Amazon spokesman said late Friday. “There is no change to our policies right now with regard to TikTok.”
The Amazon spokesman declined to comment further.
Earlier this week, U.S. bank Wells Fargo & Co. also asked employees to delete TikTok from their company devices.
“We have identified a small number of Wells Fargo employees with corporate-owned devices who had installed the TikTok application on their device,” a Wells Fargo spokesman said in a statement. “Due to concerns about TikTok’s privacy and security controls and practices, and because corporate-owned devices should be used for company business only, we have directed those employees to remove the app from their devices.”
A spokeswoman for TikTok said the company hasn’t been contacted by Wells Fargo but the company is open to discussing its data security measures with the bank. “Our hope is that whatever concerns Wells Fargo may have can be answered through transparent dialogue so that their employees can continue to participate in and benefit from our community,” she said. The Wells Fargo employee request was earlier reported by the Information.
The Amazon memo initially appeared to be the latest high-profile setback for the short-form video app. Earlier this week its owner, Beijing-based ByteDance Ltd., said it would pull TikTok out of Hong Kong in the midst of concern about a new national-security law. That was its second market exit after India banned the app and others from Chinese companies, citing cybersecurity concern, as part of an escalating border conflict between Beijing and New Delhi.
ByteDance in May hired a top Walt Disney Co. executive, Kevin Mayer, to be TikTok’s new chief executive officer and navigate its global expansion.
Meanwhile, President Trump has said his administration is considering limiting U.S. users’ access to TikTok. In Washington, some lawmakers have called for an outright ban, saying data in the smartphone app would be available to Beijing, a claim TikTok has denied.
TikTok’s security has come under scrutiny in recent months. In March, security researchers found that TikTok was one of several dozen iPhone apps that were silently accessing data copied into the phone’s clipboard without authorization. The clipboard is software that stores data in the phone’s memory whenever someone copies and pastes information using the iPhone.
The security issue could give TikTok a way of accessing any sensitive information that might have been copied, such as passwords or email messages or banking information, said Tommy Mysk, one of the researchers who discovered the clipboard issue.
After his research into TikTok’s clipboard was published in March, Mr. Mysk and a colleague took another look at TikTok and discovered that it was sending videos without using a standard internet encryption protocol—a design decision that could give hackers a way of spoofing TikTok videos from legitimate users. TikTok has since fixed this issue, Mr. Mysk said, but according to him, it was another sign that the product’s security was substandard.
Last month, TikTok said that the data access was part of an anti-spam feature and that no such information left users’ devices, adding that it had removed that tool.
A TikTok spokeswoman on Friday said that it is currently reviewing a number of claims made in recent weeks about its security practices and that it has already determined that many are inaccurate or outdated.
TikTok is known for its often lighthearted user-made videos featuring pranks, dancing and cats. For much of its history, the company aggressively curated its content to avoid topics that were controversial, though in recent months it has become more permissive and begun featuring more political videos.
In the U.S., the app was second in downloads to Zoom Video Communications Inc.’s namesake video-chat app in the first half of 2020, according to market-research firm Sensor Tower, which said TikTok has racked up 184.7 million U.S. downloads to date across the App Store and Google Play. The U.S. was TikTok’s third-largest market in new users in the first half of the year, after India and Brazil.
A new survey of 2,200 U.S. adults found that Americans were divided over whether TikTok should be barred from operating in the U.S., with 29% saying yes, 33% saying no and 38% unsure. Among the youngest respondents, considered the most common users of the app, 25% said they would be more likely to use TikTok if they learned that the U.S. was looking to ban the app. Just 9% said they would be less likely to use it, according to the survey’s creator, the data-intelligence company Morning Consult.
Users made their concerns about a potential shutdown of TikTok known on the app, where the hashtag #savetiktok was viewed more than 170 million times as of early Friday afternoon.
TikTok is currently under a national-security review by Washington through the Committee on Foreign Investment in the U.S. after lawmakers raised concerns that the app was censoring content to comply with Chinese government requests. TikTok has denied these allegations.
The U.S. military has banned its members from using TikTok, signaling concern about possible security risks related to the app.
India late last month banned TikTok as part of a wider move requiring internet service providers to block access to 59 Chinese apps. New Delhi, citing cybersecurity concerns, imposed the ban after a border clash between troops from the two countries left 20 Indian soldiers dead last month.
TikTok is among scores of mobile apps to share or make available private information about their users with third parties, said Kirsten Martin, professor of technology ethics at the University of Notre Dame’s Mendoza College of Business. “If we’re going to ban TikTok, why not ban all other apps on our phones?” she said. “China’s involvement is what makes it so adversarial.”