TikTok can bypass Apple and Google security protections to access user data: report

Technical studies done by cybersecurity experts in late 2020 and early 2021 analyzed the innards of what makes video-sharing app TikTok operate.

Amid growing privacy concerns, researchers found an application that can modify behaviors on-the-fly without a user being made aware of it. This is on top of device identification that's made easy for advertisers to harvest people’s data.

This exclusive published Monday from TheWrap has the new outlet going deep into TikTok's programming. Throughout their investigative piece, they asked for the opinions of privacy experts about what it all means.

Russ Jowell of BestApp.com told them: "It seems to me that ByteDance has gone to monumental lengths — possibly more than Facebook, Twitter and other social networks — to conceal the inner workings of their app."

Although the previous Trump administration attempted to ban TikTok over China-related security concerns, the current Biden administration has since looked elsewhere in the realm of regulatory remedies on the matter.

As for the popular platform's size, TikTok touted in September 2021 that it exceeded 1 billion active users. Advertisers took special advantage of its reach most recently with their Super Bowl Sunday campaigns.

The examination of TikTok's source code in November 2020 and January 2021 revealed the usage of device IDs as a prominent highlight. The sophistication by advertisers when it comes to the piece of information means that users can be tracked between different app installs and devices.

A company spokesperson told TheWrap that every Big Tech company does this.

"The TikTok app is not unique in the amount of information it collects, compared to other mobile apps. In line with industry standards, we collect information that users choose to provide to us in order to improve the experience people have on our app. Also like our peers, we constantly update our app to keep up with evolving security challenges," the TikTok representative said.

TikTok's setup as basically a web browser that gets further Javascript cues pulled from TikTok's own servers means the app can update in a way where users might not be aware of it. While company spokespeople repeatedly assure the public that everything is above board when it comes to privacy and security compliance, the way the app itself is setup makes it much more difficult for either Google or Apple to audit that on their own accord.

Issues like platform policies are what led gaming giant Epic Games to duke it out in the courtroom against Apple about how "Fortnite" was allowed to be monetized on the App Store.

Engineer Frank Lockerman of cybersecurity risk management firm Conquest Cyber told TheWrap that one of the suspected ways that TikTok does workarounds is by having its own video player set-up. The advantage beyond solid operational code is having an algorithmic "prefetch" feed that gets additional videos for a user ready to go, beyond the one they're currently watching.

All in all it establishes an easy way for TikTok to learn a user's preferences given the short clip length for a piece of visual content on TikTok.

Jeff Engle, the president of Conquest Cyber, told TheWrap the most pressing concern is what TikTok does with the user data it collects.

"As with any social media, if you are not paying, then you are likely the product. The data you give, which almost always is more than users realize, can be hijacked, but that is an individual risk analysis on a user-by-user basis. The collection, control of distribution and manipulation of any social media makes it a powerful weapon," he told the outlet.

In related news, Meta announced that they've settled a class action lawsuit over Facebook's privacy practices. The company will have to pay upwards of $90 million to settle the matter of how the platform tracked user activities online, even after they logged off site.