Recently an FCC Commissioner sent a request to Apple and Google to ban TikTok from their platform due to the serious security risk it creates. The request is a 4 page letter sent to the app store companies and is found in the tweet from the official Twitter account for the FCC Commissioner:

https://twitter.com/BrendanCarrFCC/status/1541823585957707776?cxt=HHwWgICgtb2Y1OUqAAAA

The letter describes many instances of the TikTok app circumventing security measures on phones and providing confidential data to its country of origin, China. It also shows how the spokesperson of TikTok tried to allay fears by stating that all U.S. personal data was directly routed to a server located in the U.S. but did not declare that the data was inaccessible from China. One of the functions found in the app was the ability to save and send any copied data, as well as stored passwords. Also, Keylogging was discovered, so the act of typing in your password or payment credentials could result in that data potentially being sent to another country.

The FCC Commissioner was also interviewed and the main points of the interview were posted in this article:

https://www.axios.com/2022/11/01/interview-fcc-commissioner-says-government-should-ban-tiktok

The interview also linked to other news pieces regarding TikTok and how its data can be accessed from China (note that this article is behind a paywall and may not be accessible to you):

https://www.nytimes.com/2022/06/29/technology/apple-google-tiktok.html

A Forbes article that was linked talked about how TikTok tracks the approximate location of each user via IP address monitoring:

https:/www.forbes.com/sites/emilybaker-white/2022/10/20/tiktok-bytedance-surveillance-american-user-data/

For these reasons, TikTok is presenting a very real and dangerous security risk, especially for work devices. A work device should not have TikTok installed on it, and any device that accesses work related documents or uses work credentials should not have TikTok installed.

While many security applications can protect users from malicious attempts at stealing their data, the user can circumvent these security measures by intentionally installing software on their device that directly gathers the confidential data and sends it out to a 3rd party. When that data stealing software is approved by companies such as Google or Apple, it is difficult to know that you have compromised your data security.

Special thanks to our friend Dave Hodgert at 10D Tech for sharing the story on this alert.

If you have any questions or concerns, please do not hesitate to contact us at support@citarasystems.com.