| Executives July 21, 2020
July 21, 2020
By Hank Schless
If you’ve been paying attention to the news lately, you probably heard about the outrage surrounding the Chinese-made video sharing app TikTok. Countries and organizations around the world are looking to ban the app over concerns about the user data it collects and the way it handles it.
It turns out the suspicions are well founded. According to a Reddit user who reverse engineered the app, TikTok’s data-collecting capabilities far exceed those of other social media platforms, such as Twitter and Facebook. Our analysis revealed that the app was sending this information to servers based in China and Russia, two countries that reportedly have track records of monitoring their own citizens. In late 2019, the Australian Strategic Policy Institute reported that TikTok’s parent company ByteDance works directly with the Chinese government on propaganda and surveillance using Douyin, the China-only version of TikTok.
The security conversation here is not just about TikTok. On a higher level, it’s about a user’s personal data privacy and what is collected from their personal device. Large employers such as Wells Fargo have banned TikTok from company-owned mobile devices, but that step alone won’t prevent tablets and smartphones used for work to be free of TikTok.
Today, employees demand the freedom to use their personal tablets and smartphones for work, but they also expect their privacy to be respected. As a result, companies don’t always have the ability to monitor and control the mobile apps employees use. With the line between personal and work blurring, the old ways of securing organizations are no longer relevant.
It was not that long ago when companies were still handing out corporate devices to their employees and everybody worked at the office. What employees did in their spare time and on their personal devices were of little concern or consequence to the company. To protect from risks like a phishing attack, the company focused on inspecting email received and opened on desktop and laptop computers.
That’s not true anymore. Your employees are using their personal mobile devices to access work email as well as the cloud apps that run your business and customer data from anywhere and on any network. When they install apps like TikTok on their devices that they use to access business apps, it exposes your organization to risk that you must assess and defend.
Cyber criminals are always looking for opportunities and mobile devices are very attractive targets. Not only do they carry sensitive information such as passwords and banking information, but the device itself collects a lot of data on its own. Mobile apps have also enabled attackers to deliver phishing links in countless new ways from Facebook to WhatsApp to Tinder.
In the case of TikTok, we saw malicious actors tap into the app’s popularity by delivering malware through mobile phishing campaigns. Within days of India banning TikTok from the country’s App Store and Google Play store, a third-party app called “TikTok Pro” appeared. The new app turned out to be a toll-fraud malware that used its victim’s phone to send text messages to other devices without the device-owner’s knowledge.
The speed in which malicious actors created a fake app and took advantage of the ban is eye opening. But what TikTok Pro also exposed was how easily phishing campaigns can be launched to target mobile devices.
Traditionally, we think email when we talk about phishing, but malicious phishing links can be delivered to mobile devices in countless ways. According to a tweet by a cybersecurity agency under India’s Maharashtra state government, TikTok Pro was sent around through social media and messaging platforms.
Your employees’ desire to use their personal devices and their demand for privacy are not inherently bad things. By providing them greater flexibility and not prying, it means they are likely to be happier and more productive.
In the same way Indian users were tricked by mobile phishing campaigns to install TikTok Pro from sites other than an official app store to satisfy their desire to use the banned app, your workers can easily go around your security measures and do what they like.
Without the ability to manage your employees mobile devices, you have to rethink the way you secure your business apps and data when you also allow employees to access them with their personal tablets and smartphones. A truly comprehensive mobile strategy will include mobile security solutions that have the ability to identify what a threat looks like and does so without needing to inspect content on the device.
To better understand how you can protect your organization in this new reality, visit lookout.com. Our data-driven mobile security platform can protect and detect mobile threats in real-time.
Hank Schless Senior Manager, Security Solutions