TikTok banned on Government Electronic Devices

On 16 March 2023, the U.K. Cabinet Office announced that the social media app TikTok is banned on government electronic devices. The reason?

A security review ordered by the Cabinet Office Ministers aimed to look “at the potential vulnerability of government data from social media apps on devices and risks around how sensitive information could be accessed and used by some platforms.”

Euronews reported on 17 March 2023 that in addition to the U.K., “New Zealand, The European Parliament, European Commission, and the E.U. Council,…, Belgium, Canada, Denmark, India, Taiwan, and the United States” have banned TikTok from government devices. Euronews reports that Afghanistan and Pakistan have also banned the app.

Their concerns are warranted.

On 4 July 2022, internet2.0 presented the “Technical Analysis of TikTok App.” Their media release linked to Penetrum, which conducted a Security Analysis of TikTok. A Security Analysis is the process of identifying vulnerabilities in software, working out how an attacker could exploit them, and recommending measures to mitigate them.

In their report, Penetrum found that “after extensive research, we have found that not only is TikTok a massive security flaw waiting to happen, but the ties that they have to Chinese parties and Chinese ISP’s make it a very vulnerable source of data.”

According to the report, TikTok collects the following user data: “

  • IMEI number of a phone,
  • Screen Resolution,
  • SIM card provider
  • Tracks the smartphone’s location
  • Collects GPS coordinates
  • Collects WiFi location and SSID-changes
  • Collects Mobile Cell Data
  • O.S. version
  • Full lists of mobile contacts
  • SMS logs
  • IMSI numbers
  • Smartphone model
  • Smartphone version
  • Stored app data from previous installations, and
  • Memory data”

According to the report, this amount of data “creates an extremely realistic and graphic fingerprint of your phone which can be used to determine everything you have installed.” Furthermore, “the IMSI which is used to follow users while getting a new phone, basically while transferring your SIM data to a new phone, the IMSI number stays with you.” The IMEI identifies the handset and the IMSI identifies the SIM subscription, so collecting both lets the collector link the same person across a change of handset or a change of SIM. This enables the application owner to “create a profile on you.” The report states that “TikTok does an excessive amount of tracking on its users, and that the data collected is partially if not fully stored on Chinese servers.”
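To make that linkage concrete, the following is an added example written for this page; it is not code from the Penetrum report, from the original article, or from TikTok. It models how a collector could turn the data categories listed above into a device fingerprint and then tie records from different handsets and SIMs back to one person. The records are constructed sample data with made-up identifiers, the field names are this example's own, and the union-find linkage over IMEI and IMSI is an assumed illustration of the report's claim, not a description of how the app actually processes its data.

```python
import hashlib
import json
from collections import defaultdict

# Constructed sample records using the categories the Penetrum report lists.
# All identifiers are made up; the field names are this example's own.
COLLECTED = [
    # Record 0: a handset on the EE network, seen on an office Wi-Fi network.
    {"imei": "356938035643809", "imsi": "234150000000001", "model": "Pixel 6",
     "os_version": "Android 13", "screen": "1080x2400", "sim_provider": "EE",
     "wifi_ssid": "GovGuest", "installed_apps": ["Outlook", "Signal", "TikTok"]},
    # Record 1: the same SIM moved to a new handset. IMEI, model and screen change;
    # the IMSI, which identifies the SIM subscription, does not.
    {"imei": "490154203237518", "imsi": "234150000000001", "model": "Galaxy S23",
     "os_version": "Android 13", "screen": "1080x2340", "sim_provider": "EE",
     "wifi_ssid": "HomeNet", "installed_apps": ["Outlook", "Signal", "TikTok"]},
    # Record 2: that handset again with a replacement SIM. The IMEI links it back.
    {"imei": "490154203237518", "imsi": "234300000000777", "model": "Galaxy S23",
     "os_version": "Android 14", "screen": "1080x2340", "sim_provider": "Vodafone",
     "wifi_ssid": "GovGuest", "installed_apps": ["Outlook", "Signal", "Slack", "TikTok"]},
    # Record 3: an unrelated device that shares no identifier with the others.
    {"imei": "867530901234567", "imsi": "234100000000042", "model": "iPhone 14",
     "os_version": "iOS 16.3", "screen": "1170x2532", "sim_provider": "O2",
     "wifi_ssid": "CoffeeShop", "installed_apps": ["Safari", "TikTok"]},
]

# Identifiers that survive a change of the other: the IMEI is bound to the
# handset, the IMSI to the SIM subscription.
STABLE_IDS = ("imei", "imsi")

# Attributes that describe the device rather than identify it.
FINGERPRINT_FIELDS = ("model", "os_version", "screen", "sim_provider", "installed_apps")


def device_fingerprint(record):
    """Hash of the descriptive attributes: what the report calls a fingerprint of the
    phone. It depends only on FINGERPRINT_FIELDS, so it is unchanged by a new IMEI/IMSI."""
    canonical = json.dumps({k: record[k] for k in FINGERPRINT_FIELDS}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def link_profiles(records):
    """Group record indexes into profiles: records that share an IMEI or an IMSI belong
    to one person. Union-find over identifier tokens handles chains such as
    "IMSI-A links records 0 and 1, IMEI-B links records 1 and 2"."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for r in records:
        tokens = [f"{field}:{r[field]}" for field in STABLE_IDS]
        for t in tokens[1:]:
            union(tokens[0], t)

    groups = defaultdict(list)
    for i, r in enumerate(records):
        groups[find(f"imei:{r['imei']}")].append(i)
    return sorted(groups.values())


def profile_summary(records, group):
    """What a collector learns about one person from the linked records: every network
    they were seen on and every app observed across their devices."""
    ssids = sorted({records[i]["wifi_ssid"] for i in group})
    apps = sorted({app for i in group for app in records[i]["installed_apps"]})
    return {"records": group, "ssids": ssids, "apps": apps}


if __name__ == "__main__":
    for group in link_profiles(COLLECTED):
        print(profile_summary(COLLECTED, group))
```

Running it groups records 0, 1 and 2 into one profile (office and home networks, the full app set) and leaves record 3 on its own. The fingerprint alone would have separated the Pixel from the Galaxy; it is the stable identifiers that carry the profile across the handset and SIM changes the report describes.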

In addition to the information collected by the application, the report lists several “Security Concerns of Downloading TikTok,” specifically: “

  • Execution of O.S. commands
  • Insecure cryptography usage
  • Potential SQL injection code from user-defined variables
  • Storing of API tokens
  • Webview enabled by default along with insecure webview enabled”
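The third item, SQL injection from user-defined variables, is the concern a practitioner can demonstrate most directly. The following is an added example written for this page, not code from TikTok or from the Penetrum report. It uses Python's sqlite3 module and a constructed users table (mobile apps commonly keep local data in SQLite, but nothing here is taken from the app's actual code) to show how a variable concatenated into a query lets an input chosen by the user rewrite the query, and how binding the value as a parameter removes the problem.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for an app's local SQLite store.
    The rows and tokens are made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, api_token TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "tok-alice-1"), ("bob", "tok-bob-2"), ("carol", "tok-carol-3")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The flagged pattern: a user-defined variable spliced into the SQL text.
    The database cannot tell where the query ends and the user's data begins."""
    query = f"SELECT username, api_token FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """The fix: the value is bound as a parameter, so it is always treated as data."""
    query = "SELECT username, api_token FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# A "username" that closes the string literal and turns the WHERE clause into a
# tautology, returning every row and every stored token.
TAUTOLOGY = "nobody' OR '1'='1"

# A "username" that closes the string and appends a second SELECT against the
# schema catalogue, leaking the table definitions.
UNION = "nobody' UNION SELECT name, sql FROM sqlite_master WHERE '1'='1"


if __name__ == "__main__":
    db = make_db()
    for label, payload in (("normal", "alice"), ("tautology", TAUTOLOGY), ("union", UNION)):
        print(label, "vulnerable:", lookup_vulnerable(db, payload))
        print(label, "safe:      ", lookup_safe(db, payload))
```

With the normal input both functions return Alice's row. With the tautology the vulnerable lookup hands back all three API tokens and the union payload returns the CREATE TABLE statement from sqlite_master, while the parameterised lookup returns nothing for either, because the quote characters in the payload are just bytes inside a bound string. The same distinction holds in an Android app: SQLiteDatabase.rawQuery with a concatenated string is the vulnerable form, rawQuery with selectionArgs or the query() helpers bind parameters.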

What does all of the above mean?

It means that, in the report’s words, anyone “who figures out how to enable and leverage this capability of this app, can use it or execute man in the middle attacks.” Why? Because the vulnerabilities mentioned in the report could potentially be used to load files onto the smartphone, “which in theory can lead to malware being loaded from inside the application, chained with remote debugging to see what fails in your malware. It also allows a very big window for attackers to not only upload, but execute, and debug their malware as well (in almost real time).” To Penetrum, “this seems like an extreme security risk that shouldn’t be taken lightly.”

If the conclusions of the Security Analysis report are accurate, then the concerns that governments have had about security risks to government information are warranted. Moreover, if the findings are accurate, government staff are profiled and constantly tracked, which means a potential adversary could plan, prepare, and execute intelligence operations to recruit government staff as spies.

Based on Penetrum’s Security Analysis report, if accurate, TikTok could be considered an intelligence collection tool that both collects government information and profiles government staff. A threat actor could use this intelligence to stay one step ahead of, for example, the U.K. government in political, military, economic, social, infrastructure, and information affairs. This could pose a national security risk.

One case that recalls this approach is described by American Military News: “In 2012, China hacked a major U.S. Office of Personnel Management (OPM) database which allowed them to expose numerous CIA spies operating in Africa and Europe.”

Foreign Policy states, “During the OPM breach, Chinese hackers stole detailed, often highly sensitive personnel data from 21.5 million current and former U.S. officials, their spouses, and job applicants, including health, residency, employment, fingerprint, and financial data.”

The difference between the OPM hack and TikTok is that current and future government staff hand over this kind of information themselves, simply by installing an app that collects everything listed above. At the same time, those aware of TikTok’s capabilities can obtain the data by eavesdropping on its collection and do not need to “hack” into government databases (although if the reported vulnerabilities exist, that is also likely to happen).

Therefore, the U.K. Cabinet Office’s “precautionary ban on TikTok on government” electronic devices protects not only sensitive information but also government staff, current and future.