New
Lookout Endpoint Security
Endpoint Security

December 14, 2022

-
min read

Organizations Are Banning TikTok. Should You Do the Same?

In today's security conscious climate, countries and organizations worldwide waste little time debating whether a risky mobile application should be banned — regardless of its popularity. With security and data privacy at the center of public and private sector conversations, these issues typically come about when an app is found to have concerning data collection and handling practices. 

For a couple of years now, the popular social media app TikTok has come up time and time again when discussing data privacy concerns. When the issue first came up in early 2020, Lookout ran an analysis of the app and found that it was indeed communicating with dozens of IPs in China, and even one in Russia. 

While it’s impossible to tell exactly what data was being sent to these locations, from a U.S. national security perspective this was highly concerning. Because the Chinese government is known to have direct influence over organizations based in China, including TikTok’s parent company ByteDance, it’s reasonable to think that American data could be shared with the Chinese government.

It does look like the situation has improved since 2020. Lookout ran the same analysis on December 13, 2022 and found that the app no longer communicates with any foreign IP addresses. What’s noteworthy is that the volume and types of data being collected is still significant and could pose a legitimate concern for highly regulated industries like state and local government agencies. 

In March 2020, TikTok was found to be communicating with IP addresses from a large number of countries, including dozens in China, and at least one in Russia. In December 2022, it now only communicates with IP addresses within the U.S. (Source: Lookout)

It’s with this concern in mind that a number of U.S. state governments have banned employees from having TikTok on government-owned mobile devices, including agencies in Alabama, Utah, Texas, Maryland, Nebraska, South Carolina, and South Dakota. 

While this is a start, what agencies and departments need to keep in mind is that this only covers a subset of devices. With hybrid becoming more widespread, and the introduction of bring-your-own-device (BYOD) programs, a majority of employees are likely using unmanaged personal devices. 

Why is TikTok’s data collection a security threat?

The fact of the matter is that TikTok collects much of the same data as other popular apps — especially those that want to provide a curated experience. The difference here, though, is that TikTok is owned by Chinese company ByteDance, which needs to adhere to Chinese law. 

One piece of legislation that is a cause for concern is the Chinese National Intelligence Law introduced in 2017. The law states that “any organization or citizen shall support, assist and cooperate with the state intelligence work in accordance with the law.” In simpler terms, any organization based in China is expected to share data with the Chinese government if it’s considered a national security issue. 

With that in mind, think about the plethora of data that TikTok is collecting for the devices it’s installed on, such as device brand and model, operating system (OS) version, mobile carrier, browsing history, apps installed, file names, types, keystroke patterns or rhythms, wireless connections, and geolocation. TikTok's own privacy policy describes collecting and analyzing user personally identifiable information (PII) and data gathered from other sources. This can include age, image, personal contacts, relationship status, preferences, and other data collected through a single sign-on (SSO) feature that allows users to sign into TikTok from other platforms. 

Geolocation alone can be a national security concern, as we saw when U.S. soldiers were mistakenly posting their runs at a hidden U.S. base on the popular exercise app Strava. This is why the U.S. Navy and other military organizations have already banned TikTok, and now states are following suit. 

In addition, there is concern over whether the Chinese government could influence the content that Americans see. Whether it’s producing content themselves or altering the algorithm, we’ve all seen the influence that social media can have over public discourse including politics. Having a more direct connection to TikTok means that the Chinese government could have a more direct impact on users than the way Russia used Facebook to interfere in past U.S. elections. 

How to block untrustworthy apps like TikTok

If you’ve decided to block your users from being able to access TikTok, or any other untrustworthy app, the challenge then becomes: how do I do that? TikTok is believed to use hundreds of different content delivery networks (CDNs), which could make it difficult to control, so an approach like DNS filtering wouldn’t work here. And like I mentioned earlier, limiting access from managed devices is only half the battle, considering all the unmanaged personal devices people use.

At Lookout, we can take a dual-pronged approach, the first being app identification and access control. By using Lookout Mobile Endpoint Security and a mobile device management (MDM) solution, we can add TikTok to a deny list. This means block access to customer domains, by adding TikTok to a deny list. If the app is detected on a device, an agency could flag it for non-compliance and block access to customer domains, single sign-on (SSO), and enterprise apps and data. The user would need to remove TikTok before regaining access.

The second approach blocks TikTok by flagging a set of root domains. By doing so, Lookout Mobile Endpoint Security can restrict unmanaged BYO devices from accessing TikTok via browser as well as the app itself.

This is a walkthrough of how administrators using Lookout Mobile Endpoint Security would be able to block TikTok from both managed and unmanaged devices.

Minimizing risk from BYOD is easier said than done

As hybrid work becomes permanent, IT and security teams are losing the visibility and controls that they used to have within corporate perimeters. You’re probably already familiar with shadow IT, where users are increasingly using unsanctioned apps to interact with corporate data. Mobile devices need to be part of the conversation. 

With traditional tools, you have no visibility into the activities on a tablet or smartphone. With MDM, you’re able to control some things, such as the presence of apps. But even there, you don’t have any insight into the device’s health. This issue is exacerbated on the BYOD front where you have no enforcement capabilities at all.

TikTok is just another app that each organization needs to decide whether it poses a risk to its corporate data. The lesson to be learned is that securing and enforcing policies on mobile devices requires a solution built from the ground up for modern devices.

To better understand how you can protect your organization, take a look at Lookout Mobile Endpoint Security page. Lookout has a Joint Advisory Board Provisional Authority to Operate (JAB P-ATO) with the Federal Risk and Authorization Management Program (FedRAMP), was the first mobile security solution to achieve StateRAMP Authorization, and has a Level 2 certification from the Texas Risk and Authorization Management Program (TX-RAMP). And by leveraging the world’s largest mobile dataset, our solution can detect and respond to the entire spectrum of mobile threats in real time.

Two colleagues looking at important government information on a computer screen

Lookout Security Platform is FedRAMP JAB P-ATO

With FedRAMP JAB P-ATO, the Lookout Security Platform supports a more rapid and seamless path to implementing a comprehensive Zero Trust Architecture.