Reports of TikTok shattering iOS & Android security are overblown

By Wesley Hilliard

Reports about TikTok bypassing device security for access to "Full User Data" are both an exaggeration and a misunderstanding about Apple's privacy technologies, but there are still privacy issues associated with the service.

TikTok isn't great for your privacy, but it isn't a threat to your device security either

Two white hat security studies surrounding TikTok and its code have surfaced some concerns surrounding privacy and security with the app. However, reporting based on these studies have taken the available information and warped it into something that sounds much scarier to the average reader.

According to an exclusive report from The Wrap, TikTok can "circumvent" Apple and Google privacy protections and "access full user data." This was based on two studies viewed in part by The Wrap and various commentary from security experts.

TikTok appears to use dynamic code which alters its state so it passes Apple's static code tests. While this seems shady in practice, it is often used by developers to prevent external parties from reverse engineering the app.

The base code of TikTok is shared between Google and Apple apps. Basically, the app uses system libraries from Android and iOS to create the basic app structure, then uses proprietary code from TikTok to present information from the web. This is colloquially known as a web app.

Despite what The Wrap's report tries to convey, web apps are a standard type of app on Android and iOS. Many apps are basically code wrappers for website data, like Facebook, Twitter, and YouTube.

Somehow, the simple nature of a web app became a "web browser that can be rewritten constantly" to "thwart Google Store code analysis." TikTok rightly asserted that its app uses standard system libraries and tools to make its app work on iOS and Android.

There are many attempts by The Wrap to misrepresent standard developer practices as malicious intent. We won't be breaking each one down, but TikTok's use of a custom video player isn't meant to "hide things" despite the report's claims.

One cornerstone of this report relies upon a quote from Frank Lockerman, cyber threat engineer at cybersecurity firm Conquest Cyber. He reviewed the two white hat studies and shared some of his thoughts on the matter.

"These dynamic properties allow TikTok carte blanche access to your device within the scope of what the application can see," Lockerman said when discussing the nature of TikTok's use of web app coding. "The TikTok browser not only has access to convert from web to device, but it also has the ability to query things on the device itself."

This statement may sound terrifying, but what it amounts to is basically that TikTok is capable of showing users data from the internet. The data TikTok has access to on the device is limited in scope based on Apple and Google's privacy protections.

The key to this statement is "what the application can see." So yes, TikTok can track what you do in the app, how long you see videos, and which creators you follow, but that's it. TikTok isn't somehow breaking the sandbox to gain access to your Safari browsing history or iCloud Keychain.

TikTok has access to your contacts, if you give it permission, has access to an advertising identifier if you give it permission, and can detect items in your clipboard. The clipboard data has been limited on iOS thanks to an update that exposed TikTok's attempt to collect this data.

Despite all of the scary text and bold headline, The Wrap shares that "TikTok's data mining may be no worse than that of major social networks like Facebook." TikTok may not be a breach of the iOS sandbox and act as a threat to your device security, but it is a threat to your data privacy like all social networks.