There are growing concerns about the potential for the Chinese social media app TikTok to be used to invade our privacy. Lawmakers, particularly in the United States, are worried that the app can be leveraged by the Chinese government to gather information about government employees, military personnel and even political figures, and to use that information for intelligence purposes.
There is an excellent write-up on Lawfare entitled "Unpacking TikTok, Mobile Apps and National Security Risks" that goes through the issues, from the direct risk of leaking data useful for spying operations to censorship on the platform. Last, of course, is the issue of misinformation, with the possibility that the Chinese government could leverage its access to TikTok to engage in campaigns to influence other countries.
Is the problem simply that TikTok is a Chinese-owned app with links to the Chinese government, or are there bigger issues here that perhaps are being ignored in favour of anti-Chinese rhetoric?
Mobile device operating system vendors are increasingly aware that their platforms are a leaky sieve when it comes to information about the users of their devices. Until recently a mobile app was generally able to get whatever information it wanted and do pretty much whatever it liked with it. Only in the last year or so have vendors started to put in place controls that let users more easily manage what information a mobile app collects from the device.
There are two big issues here that apply to the entire ecosystem, not just TikTok. First, most users do not dig into the settings of their device and proactively turn off things that are not needed. Second, there is a huge number of older, unsupported devices still in use that don’t even have these privacy controls available.
This brings us to one of the biggest issues around mobile device security: mobile vendors need to ensure they support their devices for the real-world lifecycle of the device, and not an arbitrarily short time frame. Apple leads the way in this regard, with its latest version of iOS, 13, being available on devices as far back as September 2015, while Android-based phones typically only get software updates for 2 years, with official Google phones getting updates for 3 years.
To put that in perspective, in the Android ecosystem as of March 2020, 9.3% of users were still running Version 6, which was released in 2015. Apple fares much better in this regard, with only 1.5% of users on iOS 9, which was last updated in 2016.
Following on from the point above, it’s vital that users are better educated about the settings now available to them for controlling their own privacy. In current versions of mobile operating systems we see options to limit things like location tracking. We’re seeing the OS proactively prompt users about apps that are getting location data, giving them the option to turn it off completely or to limit it to just when the app is being used.
We still have a long way to go. If you’ve gone looking for the permissions for apps, you know it’s still complex, and made more so by the fact that so many users install a huge number of apps.