Why TikTok security should be a concern to business in 2023

The US government says the TikTok security risk may result in a ban unless the app’s Chinese owners sell their financial stake in it.

CNN reports that the new directive comes from the US Government Committee on Foreign Investment in the United States (CFIUS) after years of negotiations between TikTok and the government body. The fear is that TikTok’s parent company, ByteDance, has accessed US user data which may be passed to China’s communist party government. TikTok CEO Shou Chew has denied they collect and pass data to the Chinese government.

There is a precedent for the US government’s TikTok action. In 2019, CFIUS forced a sale of LGBTQ dating app Grindr from Chinese ownership.

India introduced a TikTok ban in 2020 after a military clash with China, dumping more than 200 million users of the app overnight. The United States, Canada and the United Kingdom have also introduced a TikTok ban on government devices, which raises many questions:

  • What is the security concern with TikTok?
  • Other social media apps harvest data, so what’s the difference?
  • Phones are meant to be secure, so surely TikTok can only access TikTok data?
  • Is personal and app data on my phone at risk?
  • I don’t use TikTok, I’m not affected right?
  • What can I do to increase security?

What are the national security concerns over TikTok?

Like other social media apps, TikTok harvests user data, which TikTok says it does “in line with industry practices”. The FBI maintains that the information harvested by TikTok could be used by the Chinese government to spy on users.

TikTok CEO Shou Chew also says that all data is stored in the Oracle Cloud and that access to that data is controlled by US staff. While this may be true, the TikTok application also has access to this data, and evidence from 80 recordings released by BuzzFeed in 2021 detailed 14 statements from nine employees showing that TikTok staff in China do have access: “Everything is seen in China,” said a member of TikTok’s Trust and Safety department, and during another meeting a different employee mentioned a Beijing-based engineer whom he described as a “Master Admin” who “has access to everything.”

Chew also says the Chinese government has not asked for any information and that TikTok wouldn’t provide it if asked, but TikTok wouldn’t have a choice. Article 7 of the Chinese National Intelligence Law states that “any organization or citizen shall support, assist and cooperate with the state intelligence work in accordance with the law.”

But does it matter? Many people wonder what the issue is when their TikTok, Facebook and Twitter data is all publicly visible anyway. The answer is that it is not the visible data that is at issue; it is all the other data that is at risk: how you use the phone, the sites you visit, and the data stored in other apps. When that includes banking data, credit cards, and personal and employer company data, harvesting it is a real issue.

How extensive is the harvesting of data from phones?

All social media apps can collect a vast amount of information. Facebook, Twitter, YouTube, Google etc. all harvest data, which can be accessed by the US government through legal request. What is of concern is what data can be harvested. Most people assume data access is limited to the data related to the app they use, but it isn’t. Apps can potentially access data that other apps download and store. This means that every app you download on your phone is a potential security risk, as it can collect data you don’t expect it to be able to access.

Every mobile app is a potential security risk

Apps from well known providers are regulated and are subject to national laws, but as TikTok is Chinese, it is not covered by the same laws as the others. Not only could TikTok pass user data on, it could collect TikTok data as well as user data from other apps. The reality is that any app could have malicious code within it, and if TikTok teaches us anything, it is that we all – people and businesses – need to be more diligent.

Hackers use a ploy where they write and hide malicious code within a desirable free app. People download the useful app, and the hidden code harvests user data from the phone. A good example of this was a free flashlight app. Hidden within it was code that would activate when users opened their banking app, including Wells Fargo, Chase and CitiBank, and steal their bank account login name and password.

Apps from well known, reputable companies can also be a security risk, albeit unintentionally. Research by industry experts Arxan found that it took only 8.5 minutes to hack into 30 financial sector apps. They discovered 180 vulnerabilities. That is a lot of exposure for data. Another recent report found that “insecure data storage is the most common issue, found in 76% of mobile apps”. Apps with hidden code, malware or vulnerabilities, or plain old loss or theft of phones, put all data on phones at risk. For businesses, this is made worse when employees use their own mobile devices for work, as this potentially puts corporate data at risk.

Don’t Apple and Google App Stores protect us?

Most of us assume that if an app is in the Apple or Google app store it is safe, but this isn’t so. Apple and Google cannot check every line of code in every app; that is not realistic. They do check apps, but they cannot guarantee that every app in their store is safe. Just recently Google banned 38 apps, used by tens of millions of users, as they were found to be harvesting data from users’ phones.

So what is the answer to secure mobile phone use?

Businesses that are serious about security do not allow personal phones onto their company network. Instead they provide their employees with work phones. By doing this they can block people from installing apps and only allow them to use apps that they test and certify for their business. This is an expensive solution, and it does work, but is there a better way? There is, but to best answer this we need to look at why phones are not secure.

Are Mobile Phones Secure?

You may remember that Apple was asked by the Federal Bureau of Investigation (FBI) to crack the passcode of the phone of the San Bernardino terrorists. Apple refused. They said at the time that iPhones were secure, that it was not possible to crack the PIN code, and that guessing would brick the phone. Many suspected that Apple did not want to admit that it was possible to access a locked iPhone, and this was reinforced when the FBI announced they’d hired a private company to unlock the phone. Clearly, iPhone security can be bypassed, but what about the apps themselves? Are they safe?

Are phone Apps secure?

As we said earlier, Arxan showed that they are not, and worse, the data apps store is insecure. This should be of concern to all businesses that use mobile apps. Any report of loss of customer, employee or financial data could be very damaging to the business, both financially and in reputation.

Importantly, due to the insecurity of mobile phone data, hackers seldom need physical access to a smartphone to steal data: 89 percent of vulnerabilities can be exploited using malware. With mobile apps exposed to high levels of security vulnerability, corporate data is at risk simply from the apps employees download and install on their phones. When Android and iPhone apps store data on phones, that can amount to the very definition of a security lapse. IT departments are allocated big budgets for security, yet basic security is at risk when apps owned by employees sit on devices that can get lost or stolen and easily compromised.

Downloaded, locally installed apps are archaic, so why are we still using them?

In the 1990s we downloaded and installed applications on our PCs. It was insecure, and businesses reacted by locking down business PCs, yet this is exactly what is happening in 2023 on mobile phones!

Today, businesses rarely download, let alone install, apps on network PCs; instead most use secure cloud applications. These run in the cloud and do not store any data on the PC. In contrast, mobile phone

Mobile Phones use a 1990s PC concept, it’s time to modernize


Why download phone apps when cloud apps are more secure?

In 2007, when Apple first released the iPhone, mobile phones used 2G, which ran at 50 kbps and was too slow to run cloud apps. Today, 4G delivers real-world download speeds of around 100 Mb/s, and 5G is even faster. Downloaded apps made sense in 2007, but today’s mobile data speeds are so fast that apps can run in the cloud, which provides an easy answer to the question of how to secure our mobile apps.

“Downloaded apps are inherently high risk as they rely on using the local resources”, says Phil Jones, a senior product specialist at Timewatch. “It’s easier to make a phone app faster by storing data locally, it’s much harder and much more expensive to develop a fast web app”, says Jones, “but that is what we did. We believed it is worth the effort to create a system that is secure as well as fast, but tech companies don’t.”

How cloud phone apps ensure security on employee phones

Cloud applications for business provide high levels of data security to their customers. Providers such as Amazon AWS and Microsoft Azure use security measures (and budgets) that far surpass those of any corporate IT department. Data is encrypted on disk and end-to-end across the cloud and through the browser, and is only decrypted on the verified user’s PC, which is secured by single sign-on. Secure providers demonstrate their commitment to security through certifications such as SOC2 and the more stringent ISO 9001 and ISO 27001 certifications.

“Businesses employ a raft of techniques to ensure data security,” says Graeme Wright, Timewatch CEO, “company PCs connecting to networks secured by Active Directory, using cloud applications with end-to-end data encryption, SSO, from ISO 27001 providers with auto-failover and redundancy etc. These are commonplace. Yet when it comes to mobile phone app security, businesses seem to drop the ball! Many have employees download business apps onto their own devices. It’s a security risk; it’s like securing your house with the world’s best, most expensive locks, but then leaving all the windows open.”

Mobile business apps have access to business data: information such as customer, employee, project and financial data and IPR. Personal phones are usually outside the security of the company network, and their owners can download and install apps on them, including malware. Company data is at risk if the phone is lost or stolen, but it is also at risk through malware.

In contrast, a web application stores nothing on the device. If an employee’s phone is lost or stolen, there is no security risk.

“Cloud software is incredibly prevalent on Macs, PCs, and tablets, but when it comes to phones, people seem stuck in the mindset that they must have a downloadable app,” explains Wright. “Cloud web apps for mobile devices provide a secure solution without the need to purchase a business phone for each employee. This is what we did, and in time, we believe this will become the norm.”

How Cloud apps are more secure

“There is just no need to risk corporate data by using downloaded Apps,” says Wright. “With a well designed web app like Timewatch®, and the speed of phones on 4G, 5G, why risk security by using downloaded and installed apps? Use a cloud app, just like you do on a PC or laptop.”

“A personal phone is one of a business’s greatest security risks,” explains Wright. “The Cloud affords better security with end-to-end encryption, and data storage is unquestionably safer in the cloud than on a private individual’s phone. With our mobile web apps, if anyone loses their phone there is no data lost, as there is nothing stored on the phone. All corporate data is safe and sound in the Cloud.”

Timewatch recommends not using downloadable apps on your device at all. Radical? Instead, we suggest using a web-based app. When an employee uses a personal device that is not secured by the organization’s network security, it is at risk. Users often follow weak security procedures that are vulnerable to threats. Web apps add another layer of security if a device is lost: simply change the passwords and the data is protected.

Can apps on a business device be hacked?

A business device is more secure, as it is secured by the company’s network, and if it is lost or stolen its access to the company network can be blocked. However, it can still be hacked if lost or stolen, and any data stored on the phone is then accessible.

For businesses using mobile web apps, a private phone and a company phone are equally safe. If the phone is lost or stolen, there is no data stored on the phone, so even if the device can be accessed, there is no data to be stolen. There is also no risk of access to company applications, as the device and the user credentials for the company’s cloud apps can be reset.

What are our tips to keep secure?

The best way to secure mobile phone apps for business is to employ the same techniques as are used for secure network apps, plus:

  • Stop using downloaded apps for business purposes and use cloud apps designed for mobile devices instead
  • Don’t use software systems that have downloadable phone apps
  • Secure mobile phone access with SSO
  • Ensure software providers are at least SOC2 compliant and ideally ISO 9001 / ISO 27001 compliant
  • Use Single Sign On, if this is not possible implement a rapid procedure to lock business App accounts should an employee lose a phone or device
  • If you take these measures, providing employees with company devices should not be necessary, but if you can, this will increase security further

The solutions are very simple. We could make a TikTok explaining it, but that might be a national security risk!


So who is Timewatch?

Timewatch are specialists in managing time in business, from scheduling and planning time to tracking, billing and analytics of project time. Timewatch develop resource scheduling, time tracking and professional services automation systems, as well as analytics / reporting, time tracking and scheduling solutions for Teams. We work closely with our customers to overcome the limits they come up against in MS Outlook, so that they can continue to use it as a core business tool, seamlessly integrated with our solutions.
