Technical security analysis of the mobile app “TikTok”
The suspicion of potential security risks when using the “TikTok” app from the Chinese manufacturer ByteDance has led to this app being banned on public authority equipment in numerous countries. Both the European Commission and the European Parliament issued a ban on the app from their employees’ work mobile phones at the beginning of 2023. The Swiss authorities and companies must likewise ask themselves how to deal with the potential risks when using the app. The National Test Institute for Cybersecurity NTC took the initiative at the suggestion of the National Cyber Security Center (NCSC) and tested the “TikTok” app.
The National Test Institute for Cybersecurity NTC tests what is otherwise not tested. At the suggestion of the National Cyber Security Center (NCSC), the NTC took the initiative to subject the “TikTok” app from the Chinese manufacturer ByteDance to a technical security analysis.
The analysis used test conditions that were as close to real-world use as possible, without any special protective measures. The examination focused on the protection of personal data and on security risks. The aim was to estimate the risk of possible monitoring and espionage when using “TikTok” on Android or iOS devices. Protection against manipulation, censorship and the political influencing of opinion was not part of the analysis. Likewise, within the time budget of around 40 person days, neither technical long-term observation nor a detailed analysis of all software components was possible.
The NTC’s tests showed that the behavior of the “TikTok” app essentially meets the expectations of a social media app. No indications were found that users were being monitored. This would nevertheless be technically possible, given the extensive permissions that the user can grant to the “TikTok” app. In addition, under certain circumstances vulnerabilities could be introduced or activated by updates.
It is conspicuous that location data is transmitted frequently. In addition, the chat messages sent via “TikTok” are not end-to-end encrypted. On the other hand, it was established that part of the communication with the TikTok backend server is additionally encrypted, so that its contents could not be determined.
Users should therefore grant the “TikTok” app no permissions, or only restricted ones, close the app after use, never share contact data with the app, and use other channels for business communication.
In summary, the National Test Institute for Cybersecurity NTC recommends that the use of the “TikTok” app be critically questioned, in particular on devices that are used in a business or government context. This applies in principle to all apps that are equipped with far-reaching permissions and are only of limited use in a business or government context.