The Wrap: TikTok can circumvent Apple privacy protections, access full user data

Antoinette Siu, The Wrap:

TikTok can circumvent security protections on Apple and Google app stores and uses device tracking that gives TikTok’s Beijing-based parent company ByteDance full access to user data, according to the summaries of two major studies obtained by TheWrap that appear to confirm longstanding concerns raised by privacy experts about the popular video-sharing app.

The studies, conducted by “white hat” cybersecurity experts who hack for the public good, were completed in November 2020 and January 2021. TheWrap verified the studies and confirmed their conclusions with five independent experts.

When asked by TheWrap, reps for TikTok — whose parent company ByteDance has had ties to the Chinese government — declined to confirm or deny the validity of the research.

Most alarming of all:

The summaries of the studies, shared exclusively with TheWrap, suggest that TikTok is able to avoid code audits on the Apple and Google app stores. More alarmingly, the research found that TikTok is capable of changing the app’s behavior as it pleases without users’ knowledge and utilizes device tracking that essentially gives the company and third parties an all-access pass to user data. This is highly unusual and exceeds the abilities of U.S.-based apps such as Facebook, Twitter and other social media platforms.

And:

Examining the backend, researchers also found that the app essentially acts like a web browser. It uses a JavaScript bridge, the programming language for the web, to directly pull the app from TikTok’s servers when it’s launched. This makes the security of the app hard to assess, because that can keep changing, according to Lockerman at Conquest Cyber. Theoretically, it also means TikTok can change its app behavior dynamically or test certain things on the fly without pushing an update to users.

If true, how is this possible? How does the TikTok app get through the App Store review process?

A spokesperson for TikTok declined to address the studies directly, but told TheWrap that the company adheres to app store policies, adding that its product meets information security standards in the U.S., the U.K., Ireland, India and Singapore and recently received certification by the ioXt Alliance for meeting standards and commitments to cybersecurity and transparency. In fact, TikTok said it works with the ethical hacker community and researchers through a program called HackerOne to test its product.

So is this much ado about nothing? Or is TikTok getting away with privacy-evading practices? And, if the latter, how is this getting past App Store reviewers?