The scrutiny surrounding TikTok has highlighted one of the main risks of mobile apps: their ability to collect large amounts of data and metadata and send it to storage locations worldwide. Every mobile app sends data somewhere, and it is essential that organizations understand where it goes and consider the consequences. With upwards of 60% of internet traffic now originating from mobile devices, those devices have become a prime target for data collection and surveillance.
Given how rapidly the change in perception towards TikTok occurred, it is clear that in a security- and privacy-conscious world governments and businesses will act fast to get an app banned. As it stands, the UK, the US, Canada, France, the Netherlands, Australia and New Zealand have all taken steps to ban the Chinese-owned app from government devices, and this list will likely continue to grow over the coming months. The French government went further, also banning 'recreational' apps such as Netflix, Twitter, Candy Crush and Instagram from civil servants' work phones. The European Commission, European Council and European Parliament have ordered staff to remove TikTok from work and corporate devices. In the UK, the BBC urged staff to delete the app, a move that followed DR, Denmark's national broadcaster, which advised its staff not to have TikTok on their phones, citing security concerns and warnings from Denmark's Centre for Cyber Security.
While these moves have not been taken lightly, the notion of apps collecting data is nothing new, so why is TikTok different, and why should businesses take notice?
Accessing Sensitive Data
Firstly, TikTok is Chinese-owned, and its parent company, ByteDance, must adhere to Chinese law, which obliges companies to cooperate with state intelligence work on request. The Chinese government also has a reputation for influencing businesses based in China, ByteDance included. Research on TikTok in 2020 found the app communicating with IP addresses based in China. When the same research was recently repeated, the app was found to communicate only with IP addresses within the US, but it is not unreasonable to assume that information collected earlier could have been shared with the Chinese government, which raises concerns for organizations in highly regulated industries and for government agencies.
With hybrid working more widely adopted and bring your own device (BYOD) policies introduced, it is increasingly likely that organizations have unsecured, unmanaged devices with apps like TikTok installed that connect to the corporate network, access sensitive information and potentially share it.
Naturally, this worries IT and security teams: the traditional corporate perimeter has been expanded to allow employees access from anywhere, so visibility is harder to achieve and perimeter-based controls are largely obsolete. Employees handling corporate information through unsanctioned apps and unmanaged mobile devices is shadow IT, and it significantly increases the risk to data and the wider network. Greater awareness of how mobile apps are configured and what they connect to is required, because an app can carry security risks even when it does not appear malicious on the surface: it may talk to numerous back-end domains, IP addresses and URLs, some of which may be hazardous.
Implementing Solutions
Organizations that want to protect their data and privacy effectively need dedicated solutions that can enforce company policies such as a TikTok ban, help them understand the exposure posed by many other popular mobile apps, and show them how to reduce it.
To do this effectively, organizations need mobile endpoint security and mobile device management (MDM) technology that can place apps on a deny list so that they cannot be installed or used. If a denied app is nonetheless installed, the security team is alerted that a user has a non-compliant app on the device, and the device's access to corporate systems and data is removed until the app has been uninstalled. MDM enforcement only reaches enrolled (managed) iOS and Android devices; for unmanaged BYOD devices the same outcome depends on a mobile endpoint security agent or on conditional access that checks device compliance before granting access. An additional layer of protection is domain-level restriction, denying any communication between an endpoint and domains deemed a risk, which catches an app's back-end traffic whether or not the app itself is recognized.
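To make the two controls above concrete, here is an added example (not code from the original article or from any vendor product) of the decision logic a compliance engine applies: an app deny list evaluated against each device's installed apps, with the alert, access-revocation and remediation actions differing for managed and unmanaged devices, and a domain deny list evaluated by suffix so that every host under a blocked domain is caught. The app identifier, domain names and log lines are assumed values constructed for illustration.

```python
"""Deny-list evaluation for mobile devices: app compliance and domain restriction.

Added example, not the article's or any product's code. App identifiers, domains
and log lines below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# App deny list keyed by platform app identifier (assumed value for illustration).
APP_DENY_LIST: Dict[str, str] = {
    "com.zhiliaoapp.musically": "TikTok",
}

# Domain deny list: a host is blocked if it equals, or is a subdomain of, any entry
# (assumed values for illustration).
DOMAIN_DENY_LIST: Set[str] = {"tiktok.com", "tiktokv.com", "byteoversea.com"}


@dataclass
class Device:
    device_id: str
    platform: str            # "ios" or "android"
    managed: bool            # True if enrolled in MDM
    installed_apps: Set[str] = field(default_factory=set)


@dataclass
class Verdict:
    device_id: str
    compliant: bool
    violations: List[str]    # app identifiers that hit the deny list
    actions: List[str]       # actions the policy engine would raise


def evaluate_device(device: Device, deny_list: Dict[str, str] = APP_DENY_LIST) -> Verdict:
    """Check a device's installed apps against the deny list and derive actions."""
    violations = sorted(app for app in device.installed_apps if app in deny_list)
    actions: List[str] = []
    if violations:
        names = ", ".join(deny_list[a] for a in violations)
        # Alert the security team and cut corporate access until the app is gone.
        actions.append(f"alert: {device.device_id} has non-compliant app(s): {names}")
        actions.append(f"revoke: block corporate access for {device.device_id} until removed")
        if device.managed:
            # MDM can push removal on an enrolled device.
            actions.append(f"remediate: push MDM removal of {', '.join(violations)}")
        else:
            # Unmanaged BYOD: no remote removal, the user must act before access returns.
            actions.append(f"notify: unmanaged device, user must remove {', '.join(violations)}")
    return Verdict(device.device_id, not violations, violations, actions)


def domain_is_blocked(host: str, deny_list: Set[str] = DOMAIN_DENY_LIST) -> bool:
    """Suffix match: api.tiktokv.com hits tiktokv.com, nottiktok.com does not."""
    labels = host.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in deny_list for i in range(len(labels)))


def filter_dns_log(lines: List[str], deny_list: Set[str] = DOMAIN_DENY_LIST) -> List[Tuple[str, str]]:
    """Return (device_id, host) pairs from 'device_id host' log lines that hit the deny list."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue                      # ignore malformed lines
        device_id, host = parts
        if domain_is_blocked(host, deny_list):
            hits.append((device_id, host))
    return hits


if __name__ == "__main__":
    # Constructed inventory and DNS log for illustration.
    fleet = [
        Device("ios-001", "ios", True, {"com.apple.mobilemail", "com.zhiliaoapp.musically"}),
        Device("and-002", "android", False, {"com.zhiliaoapp.musically"}),
        Device("ios-003", "ios", True, {"com.apple.mobilemail"}),
    ]
    for v in (evaluate_device(d) for d in fleet):
        print(v.device_id, "compliant" if v.compliant else "NON-COMPLIANT", v.actions)
    log = ["ios-003 mail.example.com", "and-002 api16-normal.tiktokv.com", "ios-001 nottiktok.com"]
    print(filter_dns_log(log))
```

The suffix walk in `domain_is_blocked` is the part worth copying: a naive `host.endswith("tiktok.com")` check would also block an unrelated `nottiktok.com`, and a plain equality check would miss the regional API hosts an app actually talks to.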
Threat actors will continue to target users who connect to complex ecosystems of apps from personal and company-issued mobile devices, which can lead to stolen data and unwanted surveillance. The TikTok ban will likely begin a shift in perception of which apps belong in the work environment, which in turn will require organizations to put in place an endpoint defense strategy capable of handling the many mobile threats.