The risk of using smartphone apps explained

Don’t Get PWned - The Risks And Benefits Of Using Smartphone Apps

Vincent Tabora
Aug 3, 2020 · 10 min read

TikTok is an app at the center of a heated issue regarding consumer data privacy and security. India has already banned the app, while the US and Japan are also considering it (this may have changed after the date of this writing). There have been accusations of the app being used for purposes (e.g. spying) that can be a threat to national security. It seems harmless at first, since it is used mostly by a younger generation of post-millennials who get a kick out of quick dance and sing-along videos with clever effects. TikTok is probably what Snapchat could have been, in my opinion. It uses the same formula for engagement, which is to show quick videos that are really meant for entertainment purposes.

TikTok is a popular app for short videos (Source TikTok)

TikTok has become even more popular during the Coronavirus pandemic, as more users have time to use the app during lockdown measures across the world. The app has already been downloaded 1.5 billion+ times, surpassing other social media apps in number of downloads. It was reported to be the most downloaded app on Apple’s iOS App Store in 2018. According to statistics from Oberlo, TikTok has 800 million active users worldwide. With a user base this large, it is surely going to attract business from content creators and public influencers from other social media platforms.

Given what we see with TikTok, how safe are smartphone apps in general? It has become normal to go to the Play Store for Android users or the App Store for iOS users to download any app or game. What many are not aware of is that these apps are free for a reason, and that reason can be a tradeoff with privacy and security.

The Issues And Concerns

TikTok is drawing scrutiny from India, the US and Japan. The EU is also looking into TikTok’s data privacy policy. GDPR governs EU members, and that also includes businesses that want to operate under their jurisdiction. The law would apply to TikTok, which would have to be more transparent to users about its data collection policy. This comes amidst concerns about TikTok’s data collection and its security and privacy risks. The US has actually been looking into TikTok since 2019, so this is not a new investigation into its practices. Several companies, government agencies and organizations have started to ban the use of the app, including high profile figures and their staff.

These are all valid concerns after it was discovered that TikTok had been reading the user’s clipboard, where temporarily copied items are stored. That can include passwords and other sensitive information which users copy and paste when using other apps. This was being done without the user’s permission. It was discovered by testers of the iOS 14 beta on the iPhone, which notifies the user whenever an app reads the clipboard. When TikTok was asked whether this was necessary, its response was that it was an anti-spam measure in the app and that it would be removed in future versions. That does not sound too convincing, but they have been called out and they acknowledged it.

On most other accusations, it appears that TikTok is just like any other social media app, according to computer science and mobile network researcher Dave Choffnes (Northeastern University). Like Google, TikTok collects device information like location, timezone, smartphone model, screen resolution, operating system and other information that can be voluntarily provided. This does not include sensitive information like a social security number or your actual residential address. That type of personally identifiable information would have to be collected with the consent of the user and on a lawful, authorized basis.

Most of the time the data being collected is also used to help provide a better user experience. Analytics can help determine things like custom preferences, the nearest server based on location data and even the most used feature in the app. These are ways of helping the users as well, as developers can use this information to build better versions of the app. That sounds benign enough, but there are also nefarious ways the collected data can be used.

Analyzing App Security

An app would be considered a serious cybersecurity risk and threat if it does the following:

  • Snoops inside user folders
  • Gathers confidential data like passwords, credit card numbers, social security numbers etc.
  • Manipulates the user’s device remotely
  • Accesses the user’s logged-in accounts without permission
  • Destroys user data and/or the operating system
  • Infects the device to spread malicious apps
  • Installs non-approved apps like bots and crypto-mining software

An app that behaves in any of these ways can be considered malware. If it also replicates itself to other devices, it is a type of computer virus.

When you install an app for the first time on your smartphone, it will ask for certain permissions. First you have to agree to its TOS (Terms Of Service) or user agreement when installing the app. Among the permissions requested are access to your contacts, camera, microphone and even your local gallery of videos and photos. There is no need for alarm yet, because most of these apps genuinely need access to them. If you are using social media, your app will need access to your photos so that you can post them. In this case you grant the app permission to access your photos in order for them to be posted on the platform you are using.

What should raise red flags is when the app accesses things on your smartphone without your permission or acknowledgement. This was the issue with TikTok, since you did not specifically allow the app to access your clipboard. Other times an app may want to access your camera or microphone for no apparent reason. Facebook has been reported to be recording conversations through its app without the user’s consent. Even Amazon and Apple are not innocent of encroaching on their users’ privacy with products like Alexa and Siri (as reported in Bloomberg). Such practices, even if the intent was to help build better features, are unethical because they invade privacy.

Some apps may also do things behind the scenes without your knowledge. This has happened with certain Google Chrome extensions that run crypto-mining software in the background. This is also called cryptojacking, where your device is used to mine cryptocurrency for the benefit of someone else. Other times apps may actually be part of a botnet, which is a network of compromised devices used to take down servers and networks with a DDoS attack.

From your smartphone, you can check the app settings to see exactly what it has permission to do. On Android you can select Settings -> Apps. All your apps will then be listed. Select an app and open the ‘Permissions’ setting to see what it has access to. You might be surprised, but it is good to know this in case you are suspicious of what the app is allowed to do.

These are the settings for Facebook on an Android smartphone. Facebook has access to the camera to allow users to post photos directly to their timeline or do a live video stream. If the microphone is enabled by default it could come across as suspicious, but it might be there to allow you to record your voice.

User Privacy and Data Protection

Catching cybersecurity threats today relies on security products like antivirus software. However, if the antivirus has no signature for the threat it is looking for, it will not be able to properly identify it. That is why antivirus developers have to stay ahead of the game in identifying threats. Even so, it is still highly recommended to install antivirus software for the layer of protection it offers users.

While we cannot identify all malware and viruses, there are ways to prevent them. Don’t install unverified apps from websites that do not have a valid digital certificate. If the app is not available elsewhere, you can view the site information of the website you are downloading it from. A digital certificate also provides a secure connection to the server using the HTTPS protocol. This encrypts your connection to the server to prevent your session from being hijacked by bad actors. When you look at the site information for a website that doesn’t have a digital certificate you will be notified “Your connection to this site is not secure.” From a security perspective, you are more likely to get malware from a website that does not use a digital certificate.

Below is an example of the site information details shown for a digital certificate. It contains the info about the Medium website’s digital certificate. If the website you visited does not have a digital certificate, be extra careful about its content and downloads.

A website’s site information when there is no digital certificate.

The site information is behind the padlock icon at the left-hand end of the address bar in your browser. It gives information about a website’s validity based on its digital certificate. If the certificate is issued by a trusted certificate authority, like DigiCert, it will show you the details about the company or owner of the website. While this makes the website appear more legitimate, it is not a full guarantee that the app the company makes is fully secure with no hidden agenda. In this case you want to be sure the developers are verified.
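What the padlock summarizes can be checked directly with the openssl command line: who the certificate was issued to, who issued it, when it expires, and whether the system’s trust store accepts it. The script below is an added example, not code from the original post or from Medium. It generates a throwaway self-signed certificate for the hypothetical host `app-download.example` so that it runs offline, then shows that a self-signed certificate has identical subject and issuer and fails `openssl verify`, which is exactly the “not secure” case the browser warns about; a certificate from a public authority would show that authority as the issuer and pass the check.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.
# The host name and the certificate are constructed here; nothing is fetched from the network.

# issue_demo_cert DIR: create a self-signed certificate for a hypothetical download site.
issue_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/key.pem" -out "$1/cert.pem" \
    -subj "/CN=app-download.example" >/dev/null 2>&1
}

# cert_field CERT FIELD: print one field (subject, issuer, enddate) without the "x=" prefix.
cert_field() {
  openssl x509 -in "$1" -noout "-$2" | sed 's/^[^=]*= *//'
}

# cert_is_self_signed CERT: "yes" when issuer equals subject, i.e. nobody vouched for the site.
cert_is_self_signed() {
  if [ "$(cert_field "$1" subject)" = "$(cert_field "$1" issuer)" ]; then
    echo yes
  else
    echo no
  fi
}

# cert_trusted_by_system CERT: "yes" when the local trust store accepts the chain.
# This is what the padlock really means; a self-signed certificate fails here.
cert_trusted_by_system() {
  if openssl verify "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Stand-alone usage: inspect the throwaway certificate the way site information does.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
issue_demo_cert "$demo_dir"
echo "subject:     $(cert_field "$demo_dir/cert.pem" subject)"
echo "issuer:      $(cert_field "$demo_dir/cert.pem" issuer)"
echo "expires:     $(cert_field "$demo_dir/cert.pem" enddate)"
echo "self-signed: $(cert_is_self_signed "$demo_dir/cert.pem")"
echo "trusted:     $(cert_trusted_by_system "$demo_dir/cert.pem")"
```

To look at a live site instead, the same `cert_field` and `cert_trusted_by_system` functions work on a certificate saved with `openssl s_client -connect host:443 -showcerts`. Keep in mind the caveat from the text: a valid certificate proves who operates the website, not that the app it hands out is safe.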

The Play Store and App Store protect consumers by only allowing verified developers. The App Store requires enrollment in Apple’s Developer Program. That is one way to catch bad actors who try to get on the platform. Even so, some malicious apps still manage to get through as fly-by-night operations. That means after a certain number of people have downloaded the app, the company folds and disappears from the App Store. They probably intended to get their app out and go viral in order to carry out their malicious intent.

Some jurisdictions have come up with laws and regulations for your protection, so there is a system in place. Some examples are GDPR in the EU, PIPEDA in Canada and HIPAA in the US. Apps that clearly violate these laws should not be used or even made available to the public. If a health monitoring app you use requires you to post your medical information and history, you may want to think twice. Under HIPAA such information is protected and should be shared only with a health care provider or your doctor. If you share that data with the app, and the company that made it passes that information to a third party, then it is a violation.

Synopsis

The important lesson here is to always proceed with caution before installing any app. Do the risk and benefit analysis to determine how useful the app is for you, and what you have to lose. With TikTok, you are giving a lot to the platform in terms of your behavior and personal habits. Most of it relates to what you like, based on the music you use for your videos, the audience you are trying to target and even the style of fashion you wear. The data is collected for analytics to gather insights about the user. Most apps are free because they are subsidized by selling us targeted ads and collecting data about how we use the app. We use the apps free of charge, but in return we provide them with information.

The app, just like Instagram or Snapchat, wants to know more about you and your audience in order to make more money from ads and marketers. Platforms thrive on their users’ data and on selling ads to their users. It doesn’t require your bank account or social security number, so it is fair to say that you should not be at risk of exposing that kind of personal data. Be careful though, because if the app suddenly begins requesting more details about you, consider ignoring it or uninstalling the app. Some personal data is public, like your full name. It is when it requests even more personal data that things get strange. Does your bird watching app really need to know your social security number? If you get careless and give that data away, consider yourself PWned.

Most TikTok influencers probably have much to lose in terms of monetization should the app get banned. However, the average user has nothing to lose if they are mostly just watching the videos others create. Creatives use the platform for engagement to generate revenue for their business. If that is their livelihood then banning the app does have a significant effect on them as well as their community. There are other platforms available, but if the creatives do not have a solid footing there yet, it means starting from zero to build up a following on that platform.

The greatest risk in using apps like TikTok is security at the macro level. People working in government or agencies that deal with highly confidential information should probably not be using any app unless it has been certified for business or official use. These users would have a lot to lose if the app is able to gather sensitive data from them. If users are not aware of what is really happening then it should be up to the experts to help decide. Bans can also be due to political or economic maneuvering. You cannot allow the popularity of one app to compromise security on a grand scale. There have already been talks of what to do as a next step, but I won’t focus on that but rather more on cybersecurity.

Apps were meant to entertain and provide us with something to do, yet we may not fully understand what is going on in the background. Unfortunately they are not under our control. If an app is open source you can modify it, but not everyone is a developer or willing to take the time to do so. Having app developers address these concerns with more transparency and compliance with regulations should become a priority.

The InfoSec Journal

Cybersecurity Issues In The Digital Information Age
