Is TikTok a Dangerous App?
Do you remember your childhood telephone number?
Chances are that you can, because seven digits is roughly the number of items the average person can hold in memory without referring to written notes.
Now what about the words to your favorite song?
This time, it’s likely you remember all of the words—and there are far more than seven of them.
This is because music hacks our brain and memory by making it easier to remember things like words, emotions, passions, places, and people.
TikTok is a social media network that uses music to make memes that hijack the brain by inducing “memories,” because using music as a meme has significant psychological impact.
This makes it more likely that the thoughts, words, ideas, and sentiments that go along with the music and meme will inculcate themselves within the brain, making TikTok a powerful tool not only for advertising and professional development, but also for social and political manipulation.
According to Redditor u/bangorlol, whom RSG consulted for this blog post, TikTok collects a massive amount of personally identifiable information on each user who installs the app and/or signs up. This goes beyond the standard collected information, like names, dates of birth, addresses and phone numbers, and extends to the hardware and devices.
Collected information can include:
- Wi-Fi data (access point names, hardware IDs, local IP, gateway IP, remote IP)
- Cell data (carrier data and all telephony information available via APIs)
- Battery capacity and current charge
- Device serial number (motherboard and Android ID)
- Device hardware IDs
- A list of all installed applications
- Whether your device is rooted or jailbroken
- Your Google Ads ID
- GPS coordinates (if you enable the GPS permission)
- Full contact list (if you import via “find friends”)
- Your face (TikTok encourages users to lip sync in front of the camera, which gives them different angles to build facial recognition models)
- Your voice
Domestic applications collect similar data, but usually the functionality of the application aligns with the data collected, which serves their own internal metrics. TikTok is a lip-syncing app. Information about the local network is unnecessary to collect, especially when it is not used in the app at all; it is simply collected by TikTok’s parent company, ByteDance. If the data collection were innocent, ByteDance would not be encrypting it and collecting it in native code, where the average reverse engineer or hobbyist will not be able to find it.
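The mismatch the paragraph above describes, between what an app does and what it declares it will collect, can be checked mechanically from an Android manifest. The following added example (not code from the original post or from ByteDance) audits a constructed sample manifest against an assumed minimum permission set for a lip-sync video app; the permission-to-data-category mapping and the sample manifest are assumptions for illustration, not TikTok's real manifest.

```python
# Added example (not from the original post or ByteDance): audit a constructed
# Android manifest's permissions against what a lip-sync video app needs.
# Mapping and the "needed" set are assumptions, not TikTok's real manifest.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}name"

# Constructed sample manifest for illustration only.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
</manifest>"""

# Assumed mapping from permission to the data category it unlocks.
CATEGORY = {
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi data (access point names, local IP)",
    "android.permission.READ_PHONE_STATE": "Cell data / device hardware IDs",
    "android.permission.READ_CONTACTS": "Full contact list",
    "android.permission.ACCESS_FINE_LOCATION": "GPS coordinates",
    "android.permission.QUERY_ALL_PACKAGES": "List of all installed applications",
    "android.permission.CAMERA": "Your face",
    "android.permission.RECORD_AUDIO": "Your voice",
}

# Assumed minimum for a lip-sync video app: camera, microphone, upload.
NEEDED_FOR_LIPSYNC = {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
                      "android.permission.INTERNET"}

def declared_permissions(manifest_xml):
    """Names of every <uses-permission> declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS) for el in root.iter("uses-permission")]

def audit(manifest_xml, needed=NEEDED_FOR_LIPSYNC):
    """Map each permission the stated function does not justify to the data it unlocks."""
    return {p: CATEGORY.get(p, "unmapped")
            for p in declared_permissions(manifest_xml) if p not in needed}

if __name__ == "__main__":
    for perm, cat in audit(SAMPLE_MANIFEST).items():
        print(f"unjustified: {perm} -> {cat}")
```

On a real device the same check can be run against the output of `aapt dump permissions <apk>`, which lists the declared permission names in the same form.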
If the Chinese Communist Party (CCP), for example, wants to target you with remote exploitation tools, TikTok does all the scouting for them ahead of the attack.
Take one of these elements: inventory of other applications installed. If one of these applications has a known vulnerability, they can attack that. Or you have some sort of security application installed that might prevent exploitation or detect the attempts -- great intelligence to have before they begin operations.
Who would be the target of a CCP cyber operation? Start with anyone who speaks out against the CCP, or is in contact with someone else that does. We already know that the CCP hunts Falun Gong members outside of mainland China, so a social network that CCP has access to data from would be invaluable.
Since the application can download and execute remote code, TikTok can practically do anything it wants with your phone, including but not limited to:
- Using your phone as part of a botnet to perform cyber-warfare
- Recording all keystrokes
- Gathering your usernames and passwords
- Listening in on or making telephone calls
- Reading and sending text messages
- Downloading all your files and photos
- Reading data from other applications (emails, saved passwords, session keys)
- Using your phone to deliver malicious payloads to other phones or devices via Bluetooth or Wi-Fi
- Using your phone to record network traffic on private or public networks
- Reading your credit card or bank account information
- De-anonymizing, decrypting and tracing VPN, cryptocurrency, Tor, I2P and Freenet traffic
Most of these would require the exploitation of vulnerabilities in the OS or other apps, and TikTok already tracks which applications you have installed on the phone.
Furthermore, it is a particularly useful attack vector for third parties: hijacking TikTok's ability to run remote code would give those third parties the same potential exploits as listed above. This might even be faulty by design, implementing a backdoor for state-sponsored hackers to exploit while keeping your own hands clean.
Disguising these kinds of attacks en masse would be difficult, but using analytics data to make targeted attacks on "persons of interest" could be difficult to trace. Suppose typical analytics data reveals:
- You have an Arabic language keyboard installed
- You have a VPN configured in your system settings
- Your GPS shows you are in Xinjiang
Now if TikTok built a profile on you that suggests you may be a dissident Uighur, and this information is sent to the CCP by default because you were dumb enough to install the Chinese app, maybe the CCP would make a targeted attack on your phone to see if it can fish for contact information, calls, texts and passwords and do some investigation all about you. Would you even know unless you were watching and waiting for it? Or they just send hit squads to your house.
Another probable scenario is they publish firmware to the user’s home router using one of the many 0-days that exist for the many vulnerable routers out there, as most people never update their firmware for security fixes. The router is always plugged in, always on, and always connected. Even if it is just being used as a proxy server, that is still a valuable and untraceable resource for further mischief.
Many people are using the app now, and the pandemic and human boredom have caused it to grow much faster than most analysts expected. There are now many high-profile people in positions of relative power within their organizations who are on TikTok. The CCP could easily target these users and individually blackmail them, or compromise their devices and home or work networks to gain access to the company network and servers.
China does this all the time remotely, but with this new user-provided vector, it can open the door for them to gain even more information. A well-coordinated attack on a few banks, internet service providers, utility infrastructure, etc... would cripple us economically, especially during the pandemic, and cause significant devastation.
China invested billions of dollars into this infrastructure, so I imagine they will play the long game and use it as a resource with plausible deniability (i.e. they cannot be directly tied to an exploit).
Resolute Strategies Group is also concerned that the algorithm makes it a perfect social engineering app that twists perspective over time based on how it segments you. For example, right-wing and left-wing TikTok could easily be played to encourage violence or other disruptive activity.
Layered onto the technical ability of the exploits, as well as emerging “deep fake” technologies, the CCP could easily warp an individual’s reality given enough data and time.
People are the weakest link in IT security because people are humans who make mistakes. We leave physical doors unlocked, and we leave digital doors unlocked when we use stupid passwords. If China, which has total control over TikTok/ByteDance's data, were to ask the company to track the movements of everyone with the app who spends more than 30 hours per week at an Army base, it can.
So, let us say they have a list of 100 people out of however many thousands are on-base at a time. They can assume those 100 people work on-base and are enlisted. They have those users' contact information, and the ability to remotely control their devices (or know which apps they have installed that have secret exploits that can allow them to hack the rest of the users' device, covering up the initial attack vector).
Maybe they find one person who is underwater on their mortgage and would accept a bribe. Perhaps they have someone kidnap his wife or kid (because they see where his phone is at night when he is sleeping and know where he lives) until he does what they want. Maybe TikTok doesn't encrypt passwords and that guy uses the same password on his .mil email that he does on TikTok (bonus: TikTok can send the IMAP/SMTP requests from his device through the local proxy they're running on it, making it look as if he's using it legitimately).
Intelligence has and always will be about information. The meaningful information is now all digital, and we freely give it away in exchange for a cheap dopamine hit by watching someone lip sync the Veggie Tales theme song on a Chinese data mining app.
TikTok Decision Table
Delete:
- Data collection practices
- Spyware
- National security risks
- Time waster
- Social manipulation
Observe:
- Watch how the enemy works
- Find innovative ideas
- Professional visibility
- Passive observer of trends
- Passive indoctrination
Participate:
- Powerful marketing platform
- Effective messaging tool
- Advertising and political applications
CONCLUSION: There is no safe way to use TikTok without risking PLA targeting and manipulation by the algorithm. The benefits of its use do not outweigh the risks associated with using it.