Serious security issues found in a very popular iOS/Android app

TikTok, the widely popular short-form video app, is used mostly by teens to produce lip-syncing videos 3 seconds to 15 seconds in length. Loops as long as 60 seconds can be created and shared. But there have been serious questions regarding the security of the app. Back in April, after the app was the most downloaded social media title during the first quarter (#1 on Android, #2 on iOS), the Peterson Institute for International Economics called TikTok a "Huawei-sized problem." Why? Because the app was developed by a Chinese company. The Peterson Institute's worry was that the app can gather intelligence in the form of location and biometric data and send it to Beijing.

Senators Chuck Schumer (D-NY) and Tom Cotton (R-AR) last year requested in a letter to Joseph Maguire, the acting director of national intelligence, that TikTok be the subject of a national security investigation. The lawmakers wrote that they were concerned about who sees the personal data generated by TikTok users in the U.S. In a subsequent email, Senator Schumer wrote "apps like TikTok...may pose serious risks to millions of Americans and deserve greater scrutiny." The New York Times published a story last November stating that the app is indeed under national security review.

Research firm finds exploits on top-ranked iOS and Android app TikTok


But there are other security issues related to the app. Today, Check Point Research published a report in which it notes that "In the last few months we have seen evidence of the potential risks embedded within the TikTok application." The report also states that the Army has banned the use of the app on government phones after using it to try to get recruits. Check Point focuses on some serious vulnerabilities found in the TikTok app that left gaping security holes that could have been used against users. These issues could allow a hacker to manipulate and delete the content of TikTok account holders, make private videos accessible to the public, and release account holders' personal information such as their email address.

Check Point Research discovered that the aforementioned issues can take place when a bad actor sends a spoofed SMS to a TikTok member and makes it appear as though it came from TikTok itself. While smartphone users can send an SMS message to themselves that delivers a link allowing them to install the TikTok app, this feature can be hijacked and used to send unsuspecting users a phony link that could lead to their TikTok account being hacked. The video that accompanies this article, produced by Check Point, shows these different security issues that TikTok users could have been subject to.
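A server-side check that keeps a "text me the install link" feature from carrying someone else's link, as an added example that is not taken from Check Point's report or from TikTok's code. It assumes the link reaches the server as a request parameter; the host names, the default link and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Assumption: the only hosts the service will ever link to in its own SMS.
ALLOWED_HOSTS = {"get.example.com", "app.example.com"}
# Assumption: the link used whenever the requested one is not trusted.
DEFAULT_LINK = "https://get.example.com/install"


def is_trusted_link(url: str) -> bool:
    """Return True only for an https URL whose host is exactly allowlisted."""
    # Whitespace and control characters have no place in a link we text out.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # "https://get.example.com@evil.test/" parses with host evil.test;
    # refuse any URL that carries userinfo at all.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    # Exact match: "get.example.com.evil.test" must not pass.
    return host in ALLOWED_HOSTS


def build_install_sms(requested_link=None) -> str:
    """Build the SMS body, falling back to the default link if untrusted."""
    if requested_link and is_trusted_link(requested_link):
        link = requested_link
    else:
        link = DEFAULT_LINK
    return f"Download the app: {link}"


# Constructed sample inputs, not values from the report.
SAMPLES = [
    "https://get.example.com/install",
    "https://get.example.com.evil.test/install",
    "https://get.example.com@evil.test/install",
    "http://get.example.com/install",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(is_trusted_link(sample), sample)
```

The stricter design is for the server to ignore any client-supplied link and always send its own fixed one; the validator covers the case where a per-request link is a product requirement.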


According to the research firm, after contacting the developer of TikTok "a solution was responsibly deployed" that allows users of the app to use it safely. In a statement, TikTok security team member Luke Deshotels said, "TikTok is committed to protecting user data. We hope that this successful resolution will encourage future collaboration with security researchers."

The app is owned by Beijing ByteDance Technology Company, and the U.S. is reportedly looking at ByteDance's purchase of Musical.ly. This was an app similar to TikTok and was ultimately merged into TikTok after the transaction closed. The deal is being looked at by the Committee on Foreign Investment in the United States (CFIUS). This committee examines foreign purchases of U.S. companies to make sure that there are no national security issues related to the transaction. When ByteDance made the purchase, it failed to clear it with CFIUS, which is why the deal is now under review.

For those still interested in installing TikTok, if you're using an iOS device you can download it from the App Store. Android users can install the app from the Google Play Store.


7 Comments

1. notfair

Posts: 776; Member since: Jan 30, 2017

People should not use TikTok at all just because it's plain stupid, and secondly the company behind it is Chinese, so don't cry a river if data is lost or leaked overseas.

3. Charlie2k

Posts: 175; Member since: Jan 11, 2016

Xenophobic much? This is the same as with Huawei. Zero proof of Beijing spying has been presented. And let's not forget that the US has numerous times been caught spying on citizens from all over the globe. Even on allied ministers and so on.

4. Papa_Ji

Posts: 911; Member since: Jun 27, 2016

And what about Facebook, Google, Microsoft and Amazon.... which have been proven to steal data? USA is the country of terrorists and I don't trust terrorists.

7. cevon3239

Posts: 51; Member since: Jan 01, 2020

A Chinese making a product doesn't mean it is bad. After all, most phones are assembled in China if they are coming to the US market.

2. Fred3

Posts: 608; Member since: Jan 16, 2018

Don't worry, days after this it'll be more hacks and viruses for everyone that uses it

5. cmdacos

Posts: 4383; Member since: Nov 01, 2016

FUD...

6. raky_b

Posts: 440; Member since: Jul 02, 2014

So, a "normal" bug in an app they are trying to represent as some kind of planned security issue, like a back door or similar!? Is there anything that works in US intelligence that has an IQ higher than the size of the shoes they're wearing? If there is, how come they can't find something in the case of TikTok, something in the case of Huawei....something that really shows that THEY ARE DOING something illegal or suspicious...not just guessing what might happen...
