The real TikTok challenge: Trojan horse freemium apps

Harvey Boulter, Chairman, Communication Security Group Inc.

It is the modern equivalent of a cheap conjurer’s trick; apps that wave something shiny and free in the faces of their users, while silently picking their pockets for anything of worth. Time and time again we see platforms advertised for a specific, innocuous purpose, when in fact at their core they hide a far more predatory function. Why does this continue to be allowed; where is our protection?

For comparison, in the US, the manufacturing of cars is covered by various safety and environmental bodies and certifications, including Federal Motor Vehicle Safety Standards and the Environmental Protection Agency. Consumers of children’s toys are similarly protected by a mandatory set of safety rules and regulations under ASTM F963 – Standard Consumer Safety Specification for Toy Safety. These arrangements may not be perfect, and will necessarily carry a certain amount of tension, but the guiding principle is there: if you want to do business in the United States, you will need to factor in protection of both the end customer and society at large.

The same cannot be said for the digital landscape, where there is little in the way of a legal framework governing how transparent app developers are compelled to be regarding the collection and use of data. So, what happens when the foxes are put in charge of the henhouse?

TikTok: dance your data away

TikTok has been squarely in President Trump’s crosshairs over this issue, and rightly so. Owned by Chinese parent company ByteDance and launched three years ago, TikTok has 2 billion downloads, and in early 2020 was the most downloaded app on both the Apple and Google app stores, with usage by children in the United States on a par with YouTube. What has caused such concern, though, is its data-gathering ability and the lack of oversight.

Earlier this year a Reddit user known as Bangorlol made claims to have reverse engineered TikTok, making a series of stunning revelations; “TikTok is a data collection service that is thinly-veiled as a social network. If there is an API to get information on you, your contacts, or your device… well, they’re using it… Calling it an advertising platform is an understatement. TikTok is essentially malware that is targeting children.” These sentiments have been echoed by Steve Huffman, Reddit CEO and Co-founder, describing it as a “fundamentally parasitic app that is always listening”. US Secretary of State, Mike Pompeo has warned to only download the app if you “want your private information in the hands of the Chinese Communist Party.” The US and Australian military have been banned from using TikTok, while both the DNC and the RNC have warned party members and staffers against using the app, citing security concerns.

Following the intervention from President Trump, TikTok has had to accept a certain amount of US involvement if it is to avoid being made unavailable on all US app stores as of September 27. The deal now on the table would see the formation of a new US company, TikTok Global, with Oracle acquiring 12.5% while Walmart bags 7.5%. Heading to an election rally in North Carolina Trump stated "I have given the deal my blessing… I approve the deal in concept." Mike Pompeo has claimed that TikTok Global will be “controlled by Americans” and that ByteDance would just be a “passive shareholder,” while Trump told reporters "the security will be 100%."

Although this arrangement is undoubtedly an improvement financially for the US Treasury in terms of job creation and tax, the security aspects remain a source of major concern. The new company would still be 80% owned by ByteDance, and while Oracle will be allowed to inspect the app’s source code, ByteDance has said it will not transfer algorithms or technology to the US firm. That would seem to fall far short of the administration’s desire for total US control of the app, and relies on an optimistic expectation of this Chinese leopard changing its spots.

Public enemy No.1 or scapegoat?

The guns are clearly out for TikTok, but is it any worse than a host of other freemium apps? The main sticking point of course is the visible links with China – but is the industry looking for a convenient scapegoat? It should not be news to anyone by now that WhatsApp is essentially a data gathering tool. Putting aside the various security and encryption issues, the freemium app’s policies allow them to collect a veritable shopping list of information, including not just your phone number, profile name and photo, online status and e-mail, but also device data, operating system information, browser information, IP address, location data and information from third party services.

Added to this, WhatsApp is preparing to merge with Facebook messenger, which surely obliterates all pretence that it’s about anything other than increased gathering and exploitation of your data. Is it necessary for WhatsApp to collect all this data in their own right… and do we really expect them to protect that data from the likes of China?

Giving up freedoms for “free”

In terms of their data, the general public has voted with their thumbs, and it seems they accept that beneath the hood WhatsApp is at best a data-gathering tool that combines with Facebook to create a truly monumental and intrusive marketing machine. They seem to have also accepted that an entertainment app like TikTok, unarguably rooted in China, should be able to know who, what and where nearly a quarter of the world’s population is at any given moment.

The public will continue to accept being misled and will go on using freemium Trojan horse apps that claim to offer them a multitude of entertainment and freedoms, but are in fact designed to monitor, influence and manipulate them. They allow themselves to be convinced that they are the consumers, whereas in reality of course these apps are consuming them. According to that TikTok expert Bangorlol; “The general consensus among most ‘normal’ people is that they can’t/won’t be targeted, so it’s fine. Or that they have nothing to hide, so ‘why should I even care?’”
Returning to the car manufacturer example from earlier, let’s be honest with ourselves. There will always be at least a percentage of the consumer market that would abandon the safety regulations that protect them in favor of lower prices. As a society however, we have rightly decided that public safety trumps the bottom line in this case. The same must surely be introduced to the spiralling app markets.

We expect a department store such as Macy’s to take responsibility for ensuring the products they sell are not faulty, counterfeit or otherwise hazardous. Why should it not be the same for the Apple and Google app stores? One example of a self-regulation solution would be for these marketplaces to carry a rating system appraising each app’s privacy, safety and security. How much data does the app gather, and is that collection a necessary function or data mining? Simple marks out of 10 could advise the user of the level of protection or exploitation they can expect from the app. Consumer freedoms would be preserved, as users remain free to engage with invasive technologies, but from a more educated standpoint. At a base level, how much easier would it be to tell our children they can’t use apps with safety ratings of less than 6 out of 10, for example?
To really take control of the digital landscape and offer protection of the individual and country’s interests, governmental regulation by an authority with both funding and teeth will be required. The European Union has just announced new rules for the Apple App and Google Play stores, article 9 of which adds to GDPR in forcing platforms to be more transparent about the types of personal and non-personal data they collect, and who can access that data.

Creating legislation is difficult, time consuming and expensive, but necessary. The threat to individual freedoms and the right to privacy carries a significant cost, as does the cost to society of IP theft, electoral interference and handing a political and economic advantage to foreign interests. The United States is famously the home of the free. We must decide what that crucial word “free” applies to. Freedom as personal liberty and a right to privacy, or freedom for international tech companies to spy on, manipulate and exploit their users under the guise of providing apps that are free at the point of use?
