December 14, 2022
Organizations Are Banning TikTok. Should You Do the Same?

Frank Srp
Senior Technical Marketing Manager

In today's security-conscious climate, countries and organizations around the world waste little time debating whether a risky mobile application should be banned, regardless of its popularity. With security and privacy at the center of discussions in both the public and private sectors, these questions typically arise when an app is found to have concerning data collection and processing practices.

For several years, the popular social media app TikTok has repeatedly come up in discussions about data privacy. When the topic first surfaced in early 2020, Lookout analyzed the app and found that it was in fact communicating with dozens of IP addresses in China and even one in Russia.

Although it is impossible to say exactly what data was sent to these locations, this is highly concerning from a U.S. national security perspective. Since the Chinese government is known to have direct influence over organizations based in China, including TikTok's parent company ByteDance, it is reasonable to suspect that American data could be passed on to the Chinese government.

The situation appears to have improved since 2020. Lookout ran the same analysis on December 13, 2022 and found that the app no longer communicates with foreign IP addresses. Notably, however, the volume and type of data collected are still significant and could pose a legitimate concern for heavily regulated sectors such as state and local government agencies.

[Figure: map] In March 2020, TikTok was found to be communicating with IP addresses from a large number of countries, including dozens in China and at least one in Russia. As of December 2022, it communicates only with IP addresses within the U.S. (source: Lookout)

For this reason, several U.S. states have banned their employees from using TikTok on state-owned mobile devices, including agencies in Alabama, Utah, Texas, Maryland, Nebraska, South Carolina and South Dakota.

While this is a start, what agencies and departments need to keep in mind is that this only covers a subset of devices. With hybrid work becoming more widespread, and the introduction of bring-your-own-device (BYOD) programs, a majority of employees are likely using unmanaged personal devices.

Why Is TikTok's Data Collection a Security Risk?

The fact of the matter is that TikTok collects much of the same data as other popular apps — especially those that want to provide a curated experience. The difference here, though, is that TikTok is owned by Chinese company ByteDance, which needs to adhere to Chinese law.

One piece of legislation that is a cause for concern is the Chinese National Intelligence Law introduced in 2017. The law states that “any organization or citizen shall support, assist and cooperate with the state intelligence work in accordance with the law.” In simpler terms, any organization based in China is expected to share data with the Chinese government if it’s considered a national security issue.

With that in mind, think about the plethora of data that TikTok collects from the devices it's installed on, such as device brand and model, operating system (OS) version, mobile carrier, browsing history, installed apps, file names and types, keystroke patterns or rhythms, wireless connections, and geolocation. TikTok's own privacy policy describes collecting and analyzing user personally identifiable information (PII) and data gathered from other sources. This can include age, image, personal contacts, relationship status, preferences, and other data collected through a single sign-on (SSO) feature that allows users to sign into TikTok from other platforms.

Geolocation alone can be a national security concern, as we saw when U.S. soldiers were mistakenly posting their runs at a hidden U.S. base on the popular exercise app Strava. This is why the U.S. Navy and other military organizations have already banned TikTok, and now states are following suit.

In addition, there is concern over whether the Chinese government could influence the content that Americans see. Whether it’s producing content themselves or altering the algorithm, we’ve all seen the influence that social media can have over public discourse including politics. Having a more direct connection to TikTok means that the Chinese government could have a more direct impact on users than the way Russia used Facebook to interfere in past U.S. elections.

How to Block Untrustworthy Apps Like TikTok

If you’ve decided to block your users from being able to access TikTok, or any other untrustworthy app, the challenge then becomes: how do I do that? TikTok is believed to use hundreds of different content delivery networks (CDNs), which could make it difficult to control, so an approach like DNS filtering wouldn’t work here. And like I mentioned earlier, limiting access from managed devices is only half the battle, considering all the unmanaged personal devices people use.

At Lookout, we take a dual-pronged approach, the first being app identification and access control. By using Lookout Mobile Endpoint Security together with a mobile device management (MDM) solution, we can add TikTok to a deny list. If the app is detected on a device, an agency can flag that device as non-compliant and block its access to customer domains, single sign-on (SSO), and enterprise apps and data. The user would need to remove TikTok before regaining access.

The second approach blocks TikTok by flagging a set of root domains. By doing so, Lookout Mobile Endpoint Security can restrict unmanaged BYO devices from accessing TikTok via browser as well as the app itself.

This is a walkthrough of how administrators using Lookout Mobile Endpoint Security would be able to block TikTok from both managed and unmanaged devices.
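To make the two controls above concrete, here is an added toy policy engine (example code, not Lookout's product or API): a deny list of app IDs that renders a device non-compliant and cuts it off from SSO and enterprise data, plus root-domain flagging that stops both the app and the browser on any device, managed or BYO, from reaching the flagged domains. All app IDs, domains and devices are constructed placeholders, and the root-domain matcher deliberately handles the subdomain (CDN host) and look-alike-domain edge cases.

```python
"""Toy compliance/access policy for deny-listed apps and flagged root domains.
Added example; identifiers below are constructed placeholders, not real values."""
from dataclasses import dataclass, field

# Constructed deny list of app package IDs (hypothetical).
DENIED_APP_IDS = {"com.example.untrusted-social"}

# Constructed set of flagged root domains (hypothetical). CDN hosts are usually
# subdomains of a few registrable roots, so matching must cover subdomains.
FLAGGED_ROOT_DOMAINS = {"untrusted-social.example", "untrusted-cdn.example"}


@dataclass
class Device:
    device_id: str
    managed: bool                      # True = MDM-enrolled, False = BYO
    installed_apps: set = field(default_factory=set)


def host_is_flagged(hostname: str, roots=FLAGGED_ROOT_DOMAINS) -> bool:
    """True if hostname equals a flagged root or is a subdomain of one.
    Matching on a label boundary avoids the substring bug where a look-alike
    such as 'notuntrusted-social.example' would be blocked by mistake."""
    host = hostname.lower().rstrip(".")
    return any(host == root or host.endswith("." + root) for root in roots)


def evaluate(device: Device) -> dict:
    """Compliance verdict: any deny-listed app present makes the device
    non-compliant and lists the enterprise resources it loses access to."""
    denied = device.installed_apps & DENIED_APP_IDS
    if denied:
        return {"compliant": False,
                "reason": "deny-listed app(s): " + ", ".join(sorted(denied)),
                "blocked": ["customer domains", "SSO", "enterprise apps and data"]}
    return {"compliant": True, "reason": None, "blocked": []}


def allow_connection(device: Device, hostname: str, enterprise: bool) -> bool:
    """Gate one outbound connection. Flagged roots are blocked for every device
    (browser or app); enterprise resources additionally require compliance."""
    if host_is_flagged(hostname):
        return False
    if enterprise and not evaluate(device)["compliant"]:
        return False
    return True


# Constructed sample devices for a quick local run.
MANAGED_WITH_APP = Device("m-001", True, {"com.example.untrusted-social"})
BYO_CLEAN = Device("b-001", False, set())
```

Inventory reporting is assumed to come from the MDM or endpoint agent; this example only shows the decision logic applied to that inventory.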

Reducing BYOD Risk Is Easier Said Than Done

As hybrid work becomes permanent, IT and security teams are losing the visibility and controls that they used to have within corporate perimeters. You’re probably already familiar with shadow IT, where users are increasingly using unsanctioned apps to interact with corporate data. Mobile devices need to be part of the conversation.

With traditional tools, you have no visibility into the activities on a tablet or smartphone. With MDM, you’re able to control some things, such as the presence of apps. But even there, you don’t have any insight into the device’s health. This issue is exacerbated on the BYOD front where you have no enforcement capabilities at all.

TikTok is just one more app for which each organization needs to decide whether it poses a risk to its corporate data. The lesson to be learned is that securing and enforcing policies on mobile devices requires a solution built from the ground up for modern devices.

To better understand how you can protect your organization, take a look at the Lookout Mobile Endpoint Security page. Lookout has a Joint Advisory Board Provisional Authority to Operate (JAB P-ATO) with the Federal Risk and Authorization Management Program (FedRAMP), was the first mobile security solution to achieve StateRAMP Authorization, and has a Level 2 certification from the Texas Risk and Authorization Management Program (TX-RAMP). And by leveraging the world's largest mobile dataset, our solution can detect and respond to the entire spectrum of mobile threats in real time.
