Clock ticks for TikTok: RNC and DNC nuke app, US mulls ban

Richi Jennings Your humble blogwatcher, dba RJA
 

TikTok, millennials’ flavor of the month, is coming under yet more scrutiny this week. The app’s alleged spyware tendencies and connections to the Chinese Communist Party are causing some high-profile organizations to ban it.

Plus, the State Department says it’s considering firewalling ByteDance’s baby from the nation’s phones. Just imagine the whining and gnashing of teeth—who will watch your lip-synching malarkey now?

But there’s a serious side to all this (yes, really). In this week’s Security Blogwatch, we MDM ur BYODz.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: D&MO.

Stop the clock

What’s the craic? Geoffrey A. Fowler enquires—Is it time to delete TikTok?

Privacy concerns have been the most viral aspect of the popular short-video social network in the past week. … Mike Pompeo said the U.S. was considering banning TikTok, and warned it puts “your private information in the hands of the Chinese Communist Party.”

Why the fuss? TikTok is owned by a Beijing-based company called ByteDance and has fallen in the crosshairs of a global technology battle. … Last summer, there was a similar privacy freakout over the Russian-made FaceApp, a program that takes photos of people and “ages” them using artificial intelligence.

The broader concern is that China could collect personal data about millions of Americans — one reason TikTok is banned for use on official devices by the U.S. Army. [But] advising everyone to just delete TikTok out of caution isn’t so simple. … If you mess with Generation Z’s favorite app, be ready for a fight.

“Protecting the privacy of our users’ data is of the utmost importance to TikTok,” said spokeswoman Ashley Nash-Hahn. … “We have not, and would not, give it to the Chinese government.” [But] good practices today don’t necessarily mean good practices tomorrow. TikTok’s U.S. privacy policy leaves the door open.

TikTok is under national security review by the Committee on Foreign Investment in the U.S. (CFIUS) after lawmakers accused it of censoring some videos to satisfy the Chinese government. TikTok denies that. [But] when your ultimate bosses are in China, it’s hard to resist China’s restrictive view of acceptable speech.

And banned at Amazon, I hear? Katyanna Quach corrects the record—Shock TikTok block clocked, unblocked as poppycock amid media aftershock:

[Amazon’s] IT department sent a note to some workers on Friday telling them to remove the Chinese video-sharing app from their mobile devices for security reasons, or lose access [to] work emails from those devices. [But] after the email leaked, Amazon's spinners responded with the slightly ambiguous statement: "This morning’s email to some of our employees was sent in error." … Amazon declined to elaborate.

Meanwhile, the US government believes the app, which has been downloaded more than a billion times worldwide, could be commandeered by the Chinese government to snoop on people.

Whatever next? Rita Liao knows what—US threatens to restrict WeChat following TikTok backlash:

WeChat, the essential tool for Chinese people’s day-to-day life, is also taking heat from Washington. … It’s unclear how the U.S. restriction will play out, if it will at all.

White House trade advisor Peter Navarro [said, “TikTok] and WeChat are the biggest forms of censorship on the Chinese mainland. … Expect strong action on that. … All of the data that goes into those mobile apps that kids have so much fun with … goes right to servers in China, right to the Chinese military, the Chinese communist party, and the agencies which want to steal our intellectual property.”

WeChat is mainly used by Chinese diaspora and foreign businesses with a footprint or connection in China. … The app’s function is mostly limited to messaging outside of China. … WeChat declined to comment for the story.

THIS is Donie O'Sullivan—DNC and RNC warn campaigns about using TikTok:

The Democratic National Committee warned Democratic campaigns, committees and state parties Friday to take additional security precautions when using TikTok. … "Refrain from using TikTok on personal devices. If you are using TikTok for campaign work, we recommend using a separate phone and account."

Republican National Committee national press secretary Mandi Merritt said … "The RNC has advised employees and stakeholders to not download the TikTok app on their personal devices," … citing "security concerns."

Forget dogs and cats—elephants and donkeys living together? James Grant—@JamesGrantFL—tweets up a storm:

Just how recklessly dense do you have to be to be installing an agent of the CCP on your phone?

Dense enough that [even] in today’s tribally divisive political environment, both parties think what you’re doing is dumb. And they’re not wrong.

Any other orgs nixing the ’Toks? You want Mariella Moon on a stick—Wells Fargo wants employees to delete TikTok:

The financial institution sent its employees a note, telling them to remove the app from corporate devices immediately … a Wells Fargo spokesperson confirmed. … “Due to concerns about TikTok’s privacy and security controls and practices … we have directed those employees to remove the app from their devices.”

The lip-syncing app has been under scrutiny due to concerns raised about Bytedance, its parent company that’s based in Beijing. US authorities are worried about the possibility that Bytedance could be compelled to share data with the Chinese government under the country’s laws. In India, officials even banned the app completely.

Weird. Have they not heard of MDM? PsychoSlashDot has:

Wells Fargo, a massive financial/banking institution should … remotely manage … corporate phones. … They've got the scale/budget and the sensitive data.

I've had small-business customers provide cell phones for field workers / construction foremen who basically just need to use them like walkie-talkies, and MDM isn't really justifiable at that scale. … But banking?!?

And big_D suggests an even more draconian way:

Our company has a very tight policy on what apps are allowed and they have to be approved by the IT department. In fact, the users don't even get the password for the account used to sign up the phones to the Apple/Google store.

But there’s a quid pro quo, thinks N1AK:

If you want the work phone to be 100% work only that's fine if I am free to leave the phone on my desk when I go home at the end of the day or I'm being compensated for having to carry a corporate device with no benefit to me around outside work hours.

Meanwhile, macjules calls it, “Absolutely terrible”:

Using TikTok is un-American: it harvests a ton of data which it then sends back to the evil Chinese empire. Good Americans should use Facebook — which collects a ton of data and then sells it to the evil Chinese empire.

The moral of the story?

Politics aside, what’s running on your users’ work phones or BYO devices? Got MDM?

And finally

1978: Happier times

 Hat tip: Mark Frauenfelder


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s heroic pic via Kon Karampelas (via Pixabay)
