TikTok: The Banning Won’t Stop

Intrusion Team
Jan 19, 2023

A wave of TikTok bans that started in South Dakota back in November 2022 has now swept across the United States. As of this writing, more than half of US states have already issued bans against the most downloaded mobile app in the world. The move to ban TikTok has crossed party lines, with a total of 27 states including Maryland, New Jersey, Texas, Utah, and several others implementing measures that mostly prohibit the app from state-owned devices. 

Similar measures have also been adopted by the US military and some federal agencies. Some of these bans aren’t limited to TikTok. They apply to other Chinese-owned apps, like Weibo and WeChat, as well. This course of action is similar, albeit to a smaller degree, to India’s sweeping ban on Chinese apps in 2020. A total of 59 Chinese apps were covered by that ban. 

So why are many US government officials hell bent in preventing citizens from using TikTok?

Why US States are Banning TikTok

The main reason lies in TikTok’s perceived threat against national security. Many US officials fear that the Chinese government has unmitigated access to TikTok user data and can therefore use the app to conduct surveillance and other exploits against US citizens. Although TikTok is technically a US entity subject to US laws, it’s owned by ByteDance. 

ByteDance happens to be a Beijing-based company in which a state-owned enterprise has a minority stake and a Chinese government official is sitting at its board. It’s not so far-fetched to imagine that the Chinese government might wield influence on TikTok through ByteDance.

Some ByteDance employees even have access to TikTok user data. In fact, four ByteDance employees were recently caught conducting a surveillance campaign by sifting through TikTok data. Although those employees have since been fired, the incident further escalated fears that TikTok somehow gives the Chinese government a pathway to US citizen data.

TikTok collects profile information such as username, date of birth, email address, telephone number, as well as user content and behavioral information. Considering how widely used TikTok has become (over 1 billion users and counting), all that data can provide a treasure trove of information about a country’s citizens, including how they behave and react to certain content.

TikTok user information is already used to drive advertising and marketing campaigns. However, unmitigated access to user information and other metadata as well as greater control over the platform itself can give the Chinese government an undue advantage in pushing propaganda to US citizens.

That said, some organizations welcome these bans for reasons unrelated to national security.  

Another Reason to Ban Apps Like TikTok from the Workplace

It’s not just the collection of TikTok user data that is a concern, but data outside of the app that may be collected as well. There have been instances where seemingly innocent apps are actually conducting malicious activity—like browser hijacking—in the background that doesn’t just affect the app you are using, but other apps you didn’t intend. So, what does this mean? This means that malware programs could be installed on your device that infect the device as a whole and you may not even know you are compromised. Or, perhaps of greater concern to the enterprise, surveillance activity could be occurring that you are unaware of. The infamous Pegasus spyware falls into this category. They may gain footholds into the device that allow them to spy on user activity and harvest other data they weren’t granted permissions to. Imagine your employee logs into their work email on their personal device where they had this malicious app installed and now unauthorized parties have harvested those credentials.

This is a very serious reality that many organizations aren’t aware of, especially those that may leverage a Bring Your Own Device (BYOD) policy. It is important to realize that mobile devices are an extension of an organization’s endpoint. Regardless of the mobile device policy your organization has in place, there are many ways bad actors can leverage employee devices to penetrate your network. Many companies have long held a negative view of TikTok and other social media apps, especially when they’re brought into the workplace.

Internet users worldwide spent an average of 147 minutes per day on social media in 2022, an increase of 2 minutes per day compared to the previous year. If your employees spend more than 2 hours on social media and some of that time is done during working hours, their productivity and your organization’s overall productivity can take a hit. This issue has gotten worse with the growing adoption of Bring Your Own Device (BYOD) practices. Even pre-pandemic, 95% of organizations already allowed employees to bring personal devices to work.

The influx of personal devices into corporate networks can also give rise to a host of other security issues. 

Personal Devices In Corporate Networks – What Can Go Wrong?

When personal devices are brought into the workplace, you have little control over what users do with them—e.g., what apps they install, what files they download, and what internet-based services they connect to. For all you know, users may be (deliberately or inadvertently) installing malware, downloading a trojan, or connecting to a malicious site.

While simply browsing the internet on their personal devices, users can be subjected to adware or malvertising. Or while reading their email, they can fall prey to a phishing attack.

Since those personal devices likely have access to your corporate network (after all, workers are supposed to be accomplishing work-related tasks with them), whatever threats they interact with may find their way to other endpoints in your network. If a user’s device somehow gets infected with ransomware, for instance, you could have a ransomware outbreak in your hands soon after.

Users bring their personal devices wherever they go—to the coffee shop, to the train station, to the airport, home, etc. That extends their—and, consequently, your—attack surface. Again, whatever threats they’re exposed to can eventually be brought back to your workplace once those personal devices reconnect to your network.

To mitigate these threats, you need an endpoint security solution like Shield Endpoint that can block malicious connections, strengthen your Zero Trust initiatives, and enable safe remote work. What makes Intrusion Shield unique is that the technology monitors both inbound and outbound traffic. Shield can identify threats within the environment and block outbound malicious pings—yes, that includes nefarious activity occurring ‘behind the scenes’ in those risky mobile apps.

Resources that might interest you.

Get the insights cybercriminals don’t want you to know.