Abandoned apps like TikTok pose a security risk in a BYOD world

Social media apps put corporate networks at risk and provide raw material for deep fakes.

Image: Wachiwit/Getty/IStock

It’s hard to say what the ultimate fate of TikTok will be: Acquired, banned in the US, split into two companies, or something else entirely. For IT teams managing mobile devices, the security risk is real right now. The current version of the TikTok app may meet some corporate standards, for teams willing to ignore the risks inherent in the platform.

Those risks will grow over time as new security threats develop, and there is no way to update the app, according to Michael Covington, vice president of product at Wandera.

Although TikTok fixed some security problems earlier this year, the app collects a lot of information and is built to resist code auditing, using anti-debugging and anti-reversing techniques.

“Obviously you don’t want your competitors to download your app and see what you are doing but it does seem they have gone above and beyond to obscure their code,” Covington said.

Wandera also monitors popular app sources for changes in availability and recently looked at how many apps had been both downloaded by users and removed from app stores over six months. Based on data from November 2019 to April 2020, 39% of abandoned apps with live installs were in the productivity category, and 30% were in games and entertainment.

Wandera analyzed the latest iOS and Android versions of TikTok as of early August to measure the risk level of the app. The researchers rated the app as a medium risk and found that the Android version requested 67 permissions and had six embedded URLs, each representing a network connection. The researchers noted that the average number of permissions requested by Android apps is nine. Some of the riskier permissions include:

  • Access fine location
  • Access coarse location
  • Request install packages
  • Receive ADM message

According to Wandera’s analysis, less than 20% of other apps request these permissions, including less than 5% for the last two requests.
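The kind of permission check described above can be reproduced on a decoded AndroidManifest.xml (for example, one produced by apktool). The script below is an added example and not Wandera's tool or any code from TikTok: it parses the manifest, counts the distinct permissions, compares the count with the nine-permission baseline the article cites, and flags the four permissions named above. The sample manifest is constructed for this example, and mapping "Receive ADM message" to the Amazon Device Messaging permission string is an assumption.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace; ElementTree keys them as "{ns}name".
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Baseline quoted in the article: the average Android app requests nine permissions.
BASELINE_PERMISSION_COUNT = 9

# Permissions the article singles out as riskier. Mapping "Receive ADM message" to the
# Amazon Device Messaging permission string is an assumption of this example.
RISKY_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "precise (GPS) location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can prompt the user to install other packages",
    "com.amazon.device.messaging.permission.RECEIVE": "receives Amazon Device Messaging pushes",
}

# Constructed sample: a decoded manifest for a fictional app, not TikTok's manifest.
# INTERNET is declared twice on purpose to show that duplicates are counted once.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.social">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="com.amazon.device.messaging.permission.RECEIVE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission-sdk-23 android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Constructed"/>
</manifest>
"""


def parse_permissions(manifest_xml):
    """Return the distinct permission names declared in a decoded manifest, in order."""
    root = ET.fromstring(manifest_xml)
    perms = []
    for elem in root.iter():
        # uses-permission-sdk-23 is the API-23-and-up variant of uses-permission.
        if elem.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = elem.get(NAME_ATTR)
            if name and name not in perms:
                perms.append(name)
    return perms


def assess_manifest(manifest_xml, baseline=BASELINE_PERMISSION_COUNT):
    """Summarise the permission footprint: count versus baseline and risky entries."""
    root = ET.fromstring(manifest_xml)
    perms = parse_permissions(manifest_xml)
    risky = {p: RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS}
    findings = []
    if len(perms) > 2 * baseline:
        findings.append("requests %d permissions, over twice the baseline of %d"
                        % (len(perms), baseline))
    for perm, why in risky.items():
        findings.append("%s: %s" % (perm, why))
    return {
        "package": root.get("package"),
        "permission_count": len(perms),
        "times_baseline": round(len(perms) / baseline, 1),
        "risky": risky,
        "findings": findings,
        # Anything flagged goes to a human reviewer; this is triage, not a verdict on intent.
        "verdict": "review" if findings else "ok",
    }


if __name__ == "__main__":
    report = assess_manifest(SAMPLE_MANIFEST)
    print("%s: %d permissions (%.1fx baseline), verdict=%s"
          % (report["package"], report["permission_count"],
             report["times_baseline"], report["verdict"]))
    for line in report["findings"]:
        print("  -", line)
```

As Covington notes later in the piece, a permission list alone does not prove an app is misbehaving; the script only narrows review to apps whose footprint is unusual, and what the app does with the data still has to be checked through network and behavioural analysis.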

Wandera analysts rated the latest iOS version of TikTok as a medium risk, with the biggest issue being that the app uses sensitive APIs that Apple does not normally allow, such as exact location and contact list access.

“It’s hard to say the use of these permissions indicates TikTok is up to something because it’s what they do with the information that is the question,” Covington said.

Covington said that keeping sensitive business content off TikTok is not a sufficient security tactic.

“Now you have to worry about your voice and your likeness and how that content could be used against you in other settings,” he said. “People are finally starting to comprehend that personal information has value.”

Managing the risk on BYOD phones

Wandera provides endpoint security for devices, applications, and data. The company has solutions for managed devices as well as BYOD settings. For managed devices, Wandera’s solution allows IT teams to set policies around applications that users can’t work around. For devices that are not provided by an employer, Wandera’s threat intelligence engine MI:RIAM analyzes a device for malware and unapproved apps when a user launches a protected app such as Slack or Microsoft 365.

To measure the security risk of a particular app, Wandera tracks and analyzes the network connections an app makes.

Covington said Wandera analyzes app activity in a dynamic environment to understand the final destination for these connections.

“Sometimes you’ll have one endpoint that keeps handing out other destinations to go to,” he said.

Wandera focuses on ad networks analysis to watch for networks that have a history of hosting phishing attacks and scams.

Covington said that among Wandera clients he has seen a 50/50 split between unmanaged devices (BYOD) and devices managed by an employer. He predicts that this will change over the next few years with more companies moving to protected but unmanaged devices secured with mobile application management without enrollment.