Cyber-Empa has checked the TikTok app – and is now warning companies and authorities

Independent Swiss IT security experts have investigated the Chinese app and recommend that companies and authorities critically question its use.

Daniel Schurter

The National Test Institute for Cybersecurity NTC in Zug has examined the Chinese TikTok app for risks and has come to a conclusion that is anything but reassuring. But the federal administration in Bern doesn’t seem to take the warning from the independent IT security experts too seriously, relying instead on employees’ personal responsibility.

What are the biggest risks with TikTok?

The National Testing Institute for Cybersecurity NTC has published a nearly 40-page technical security analysis of the TikTok app (see resources). The auditors recommend taking a critical look at the use of the mobile application, “especially on devices used in a business and official context”. Use should be “limited to the minimum necessary”.

The main findings:

  • During the app analysis, the auditors found no evidence of user monitoring. However, this is no reason to give the all-clear, and the auditors cannot issue a “blanket declaration of no objection”.
  • Covert monitoring of TikTok users is, in principle, technically feasible because of the extensive device permissions the application requests.
  • «The app could already contain hidden monitoring features that are only activated under certain conditions (e.g. at certain locations or at certain times).»
  • The examiners also note that a small part of the communication with the TikTok servers (backend) is additionally encrypted. The exact content of this communication is not known, and it is unclear what information “might escape” through this channel.
  • In addition, because of the frequent updates, hidden functions can be “upgraded” almost unnoticed, the cybersecurity experts emphasize. This applies to any app, but especially to apps like TikTok “with far-reaching rights”.
  • One of the “high risks” is the transfer of users’ contact information to the Chinese technology group ByteDance. While this data is not transferred in plain text, it should be assumed that ByteDance can reconstruct it.
  • It is also problematic that TikTok on the iPhone determines the exact location of the device each time it is used and sends this information to ByteDance.
  • In addition, the app connects to ByteDance’s servers once an hour even when it is only running in the background; from the IP addresses involved, an approximate movement profile of the user can be derived.
  • Finally, it should be borne in mind that chat messages sent via TikTok (unlike those on Threema and similar messengers) are not end-to-end encrypted.
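The hourly background check-in described above is something a defender can verify from a device’s own egress logs rather than from the app. The following Python is an added example, not code from the NTC report or the article: it looks for destination hosts contacted on a steady cadence and then shows why the sequence of source networks seen by that host amounts to a coarse movement profile. The log lines, host names, IP addresses, the prefix-to-area table and the thresholds (`min_hits`, `max_jitter_s`) are all constructed for this example.

```python
"""Periodic-beacon check over a device's outbound connection log (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: timestamp, source IP of the phone as seen on the
# egress side, destination host. The hourly entries mimic background
# check-ins; the other entries are ordinary foreground traffic.
SAMPLE_LOG = """\
2023-03-29T08:02:11 203.0.113.10 backend.example.net
2023-03-29T08:15:40 203.0.113.10 cdn.example.org
2023-03-29T09:02:09 198.51.100.7 backend.example.net
2023-03-29T09:30:00 198.51.100.7 cdn.example.org
2023-03-29T10:02:12 198.51.100.7 backend.example.net
2023-03-29T11:02:10 192.0.2.55 backend.example.net
2023-03-29T12:02:11 192.0.2.55 backend.example.net
2023-03-29T12:45:03 192.0.2.55 cdn.example.org
"""

# Constructed prefix-to-area table standing in for a GeoIP lookup.
AREA_BY_PREFIX = {
    "203.0.113.": "home-ISP",
    "198.51.100.": "office-network",
    "192.0.2.": "train-operator-wifi",
}


def parse_log(text):
    """Return (timestamp, src_ip, dst_host) tuples from the simple log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), src, dst))
    return events


def find_periodic_hosts(events, min_hits=4, max_jitter_s=120):
    """Return {host: mean gap in seconds} for hosts contacted on a steady cadence.

    A host qualifies when it was contacted at least `min_hits` times and the
    population std dev of the gaps between contacts is at most `max_jitter_s`.
    Both thresholds are assumptions chosen for this example.
    """
    by_host = defaultdict(list)
    for ts, _src, dst in events:
        by_host[dst].append(ts)
    periodic = {}
    for host, stamps in by_host.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_s:
            periodic[host] = mean(gaps)
    return periodic


def movement_profile(events, host):
    """Return the ordered list of (time, area) changes from which `host` was contacted.

    This is the view the backend operator gets: the source IP of each check-in,
    resolved to a coarse area, yields a timeline of where the device was,
    without any location permission being involved.
    """
    profile = []
    for ts, src, dst in sorted(events):
        if dst != host:
            continue
        area = next((a for p, a in AREA_BY_PREFIX.items() if src.startswith(p)), "unknown")
        if not profile or profile[-1][1] != area:
            profile.append((ts.strftime("%H:%M"), area))
    return profile


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for host, interval in find_periodic_hosts(evs).items():
        print(f"{host}: contacted every ~{interval / 60:.0f} min")
        for when, area in movement_profile(evs, host):
            print(f"  {when}  {area}")
```

On the sample, only `backend.example.net` is flagged (the CDN is contacted too rarely and irregularly), with a mean gap of one hour, and its check-ins trace home, office and a train operator’s Wi-Fi in order. On a real device the same approach is applied to a per-app firewall or proxy log; the useful mitigation on the page’s terms is denying background network access or restricting the app to a managed profile, since no permission prompt covers this channel.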

What does «Cyber-Empa» do?

The National Test Institute for Cybersecurity NTC examines “digital products and infrastructures that have not been tested or have not been tested sufficiently by the industry”. The non-profit organization based in Zug was founded in 2020 on the initiative of the canton of Zug. The independent experts work together with the National Center for Cybersecurity NCSC, but also with universities and other cybersecurity agencies.

In terms of content, the idea of a national testing institute, according to the NZZ, came from the sector association ICT Switzerland. Stated goal: to increase security in the supply chain of IT products. Time and again there are cases “where loopholes are built into products used, for example, by intelligence services”.

How has the TikTok app been studied?

According to the announcement, during their analysis the NTC experts “made sure that the test conditions were as realistic as possible without any special protective measures”. In other words, they wanted to avoid triggering any protection and concealment mechanisms that the developers might have built into the app.

The following app versions were examined:

  • Android: 28.3.3
  • iOS (iPhone): 28.2.0 and 28.4.0

NTC test manager Tobias Castagna told Watson that, because of the enormous time and staff effort required, it was not possible to test the app’s functionality down to the smallest technical detail. In other words, no reverse engineering was done.

What has NOT been investigated?

The NTC writes:

  • The “protection against manipulation, censorship and political influence of opinion” was not the subject of the analysis.
  • In addition, due to time constraints, neither long-term technical observations nor a detailed analysis of all software components could be performed.

The NTC report emphasizes that the review is “a snapshot”. Any changes made to the app by the developer before or after could not be captured.

Will the federal government ban the TikTok app?

It doesn’t look like that.

The Federal Chancellery advises federal government employees to generally be cautious about using social media apps such as TikTok, the NZZ reports. A newly created leaflet on the subject reads: “Give the apps as few permissions as possible.”

While several European countries, the EU, the US and other partner countries want to play it safe and have banned the TikTok app from companies’ mobile phones, Bern seems to have no reason to act.

The NZZ summarizes the Federal Chancellery’s argument that the valuable company data on company mobile phones would be processed in an isolated environment, a so-called sandbox. This protects this sensitive information from being accessed by the TikTok app.

However, this protection is limited. “The Tiktok application can still access the location data of the company’s mobile phone or private contacts.” In addition, the camera and microphone are not protected by the sandbox.

“The federal government therefore trusts that its employees will not use TikTok on their own responsibility, or only with the necessary restrictions.”

Sources

  • nzz.ch: Tiktok on company mobiles: Swiss test center sees risks in using the video app
  • ntc.swiss: Technical security analysis of the “TikTok” mobile app by the National Testing Institute for Cyber Security NTC (media release, PDF)
  • ntc.swiss: Technical Security Analysis “TikTok” Mobile App (Report, PDF)

Source: Watson
