TikTok makes news headlines over supposed security flaws

We’re thrilled to be bringing you the monthly CISO update. We’ve been putting this newsletter out for some time now on a subscription basis, but are excited to have partnered with Communications and External Relations to make it College-wide. Every month we’ll highlight stories about cybersecurity that directly impact the FIT community and point out training and other cybersecurity events on campus.

TikTok, mostly popular with teenagers, has recently been under scrutiny for security and privacy concerns. This short-form video social media app has been downloaded 165 million times in the US and is owned by an offshore company. Security concerns about the app are serious enough for Wells Fargo and other organizations to ban it from company devices, including personal devices used to access corporate email. One example of the security issues: “In January, a team of security researchers announced they had found several security vulnerabilities in TikTok. The flaws, if left unpatched, could have let attackers gain control of TikTok accounts, change the privacy settings on TikTok videos, upload videos without permission, and obtain user data such as email addresses” (CNN, July 9).

Why do apps on your mobile device potentially expose personal or FIT data? This opens up a much bigger question: what user data gets shared with third-party apps when you sign up for a service like TikTok or any other service?

Thoughts on third-party access:

When you install an app from Google’s Play Store or the Apple App Store, for instance, you are asked to grant the app permissions on your device. Apps need access to specific content on your phone to fulfill their functionality; for example, a picture-editing app will require access to your phone camera to edit pictures, which is a totally reasonable request. However, apps may also get permission to use data in the account you use to log into the app, even when that data has nothing to do with how the app functions and even when the data does not exist on your device. For example, when Pokémon Go was first released, it required full access to read and edit your Google Drive or Facebook account, depending on which you used as your Pokémon identity. This should be a red flag to you.

What can you do?

Pay attention to the authentication method used when signing up for a service. Many apps will offer at least two types of authentication methods.

  • Primary authentication. This is where you supply a username (often the same as your email address) and a password to get into the app or service. The app only learns what you type into it.

  • OAuth authentication. This is where you use an existing account’s login credentials (Google, Facebook, Instagram) to access the service through an existing API between the two providers. The consent screen may also grant the app permission to access your data in that account, not just confirm who you are. If you use your FIT Google account credentials, you may be inadvertently granting the app access to FIT data.
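The difference between “confirm who I am” and “reach into my account” is visible in the OAuth consent request itself: the `scope` parameter lists exactly what the app is asking for. The following is an added example, not code from the newsletter or from any app it mentions; it parses a Google-style authorization URL and separates identity scopes from scopes that grant data access. The sample URLs and client_id values are constructed placeholders, and the first one mirrors the Pokémon Go case above (sign-in plus full Drive access).

```python
from urllib.parse import parse_qs, urlparse

# Scopes a plain "Sign in with Google" needs: identity only, nothing inside the account.
SIGN_IN_SCOPES = {"openid", "email", "profile"}

# What a few real Google scopes grant. The scope strings are Google's own;
# the plain-English descriptions are this example's summaries.
SCOPE_MEANING = {
    "https://www.googleapis.com/auth/drive": "read AND write every file in Google Drive",
    "https://www.googleapis.com/auth/drive.file": "access only files this app creates or opens",
    "https://www.googleapis.com/auth/gmail.readonly": "read all Gmail messages",
}


def requested_scopes(auth_url: str) -> list[str]:
    """Return the scopes listed in an OAuth authorization URL (space-separated 'scope' param)."""
    query = parse_qs(urlparse(auth_url).query)
    return query.get("scope", [""])[0].split()


def review_consent(auth_url: str) -> dict:
    """Separate identity scopes from scopes that reach into the account's data."""
    scopes = requested_scopes(auth_url)
    beyond = [s for s in scopes if s not in SIGN_IN_SCOPES]
    findings = [f"{s}: {SCOPE_MEANING.get(s, 'not needed for sign-in; check what it grants')}"
                for s in beyond]
    return {"scopes": scopes, "beyond_sign_in": beyond, "findings": findings}


# Constructed sample consent URLs (client_id and redirect_uri are placeholders, not real apps).
OVERBROAD_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE-APP"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
)
MINIMAL_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE-APP"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&response_type=code"
    "&scope=openid%20email%20profile"
)

if __name__ == "__main__":
    for name, url in (("overbroad", OVERBROAD_URL), ("minimal", MINIMAL_URL)):
        result = review_consent(url)
        print(f"{name}: {'REVIEW before approving' if result['beyond_sign_in'] else 'ok'}")
        for line in result["findings"]:
            print("  -", line)
```

The same check applies after the fact: the Google Security Check-Up mentioned below shows these granted scopes per app, so anything listed there beyond identity is what the app can still read or change in your account.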

What else can you do?

Take a Google Security Check-Up, where you can see which apps you have granted access to and at what level of permission, and adjust the settings right from there. Google recently added a “Privacy Check-Up” option where you can see what others see about you and choose what information you make public or keep private.

We will be offering Google Security and Permission training during the month of August (dates below) where we will review this topic in more detail. You can also check out the prerecorded video linked below.

Stay Cybersafe!


Sign Up Today!
Google Security and Permissions Training: 

Monday, August 10th, 12 noon – 1 pm
Thursday, August 13th, 2 – 3 pm
Tuesday, August 18th, 10 – 11 am
 
About Cybersafe
The Division of Information Technology is dedicated to informing the community of the latest cybersecurity threats. Visit fitnyc.edu/cybersafe and stay tuned for emails from [email protected] for the latest from the Cybersafe campaign at FIT. Read past issues here.