and the Initials on the email are "IN".
No doubt this was from someone in India, which has irrationally banned anything Chinese.
Amazon today said an internal email banning its staff from using TikTok on smartphones connected to their corporate inboxes was sent in "error." The admission – or climb down, depending on how skeptical you are – came after the memo was obtained and leaked by journalists. The internet giant's IT department sent a note to some …
It's not irrational. TikTok does grab a ton of data.
"We're proud that tens of millions of Americans turn to TikTok for entertainment"
Why? That's like saying "We're proud that tens of millions of Americans babble about inconsequential trivia on Twitter" or "We're proud that tens of millions of Americans jerk it to PornHub" - who cares? It's not something to be proud of.
Hey folks. Did you realise that communicating with hundreds or thousands of people may not be 100.000% secure? WHATEVER the reason, it ain't going to be private for long. So on that basis, only the loons or stupids (may overlap) would bring out this sort of thing. An organisation can decide which side of the line it wants to be on when communicating with employees:-
(a) End to single-end encrypted to trusted employees who know what's coming to them if they blab
or on the other side.
(b) anything else. (Fred Flob's Fitness Freakout is just as much a risk as China State Snoop-mail.)
It's interesting that many of these organizations who have in the past been fingered for reading the headers (Google) of emails are bitching that someone else is doing what they have been doing for decades. As for gathering intelligence, there's no difference between the major databases used to profile their users/victims and exploit them. It always ends the same way: you end up with a database of distorted half-truths and garbage.
On banning TikTok, I suspect it's more to do with what they don't know rather than an identifiable threat. I'm all for social media, exchange of ideas (even if some are flaky) without having to publish a paper on it.
"As for gathering intelligence, there's no difference between the major databases used to profile their users/victims and exploit them."
There is a difference: TikTok has a backdoor and ability to load files from mothership and execute them on command. Not your command but mothership command.
AFAIK no other 'social media' program has that capability. And then you start to wonder why there is such a capability.
Or at least you should wonder.
"There is a difference: TikTok has a backdoor and ability to load files from mothership and execute them on command."
You've written three very similar posts on this topic now. Please provide a valid reference to this backdoor.
My feeble search results for "tiktok backdoor" produce a Forbes article with 'backdoor' in its title (and nowhere in the article), and it refers to several vulnerabilities Checkpoint found earlier this year, with poor POST/GET input validation on their servers, XSS vulns and unvalidated SMS messages. The Checkpoint report doesn't state that these are backdoors, and to me they just seem like vulnerabilities made by some sloppy coders with no thought for security.
"AFAIK no other 'social media' program has that capability."
I'm pretty sure most applications can contact their mothership and get additional instructions from there. Most of them use POST/GET commands anyway so downloading files and executing them (under the same security context) shouldn't pose a problem.
"You've written three very similar posts on this topic now. Please provide a valid reference to this backdoor."
According to the Reddit link in the article, TikTok has the ability to download a zip file from the mothership, extract it and execute an extracted binary file. I didn't read through the links to confirm with any further evidence that might have been presented, though. So either the person you are speaking to has done so, or maybe is just basing it on that statement in the initial Reddit post.
"Talk about mis-direction."
BS. I see you've no idea what the application can do: it has a built-in backdoor, and not only that, it can download and execute *any* file, remotely commanded.
Basically owning your phone completely and silently. Too bad for your bank account or work network; those will be compromised too.
With TikTok your phone is directly owned by the CCP. That's kind of a major thing to anyone who understands what it means.
It wouldn't need root access to be able to do things you wouldn't like. I checked out its Exodus privacy report which shows information about permissions and trackers found in its Android app. That's quite a lot of permissions. Malware given access to those would be able to do lots of things, including making and inspecting network traffic. As with far too many Android apps, this app also requests permissions that don't seem to make any sense (install new packages, for example). From inside that sandbox, you can still do a lot.
Now, just because this app requests those permissions doesn't necessarily mean that all are granted or that they work. Nor does it mean that there is something malicious using them. I wouldn't be surprised to hear that TikTok does have a mechanism allowing their developers to push arbitrary code and run it. I also wouldn't be surprised to hear that Facebook has a method to push arbitrary code and run it. I already know that Google does have several ways to push arbitrary code and run it. As with any other application, the degree of trust in its developer and usefulness of the features must be taken into account before deciding whether to use it. I wouldn't trust it, but I also have no inclination to use it and there are already hundreds of other companies' apps that I also don't trust.
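The comment above describes the sort of manifest review a practitioner does by hand on an Exodus report. Below is an added example of that triage in code; it is not code from the thread, from TikTok or from Exodus, and the manifest it parses is constructed for illustration and is not any real app's. The risk buckets and the "expected for a short-video app" set are the reviewer's own assumptions, not an official Android classification; the permission strings themselves are real Android names.

```python
"""Triage the permissions an Android app *requests* in its AndroidManifest.xml.

Added example (not from the original thread). The manifest below is CONSTRUCTED
to illustrate the pattern the comment describes: a media app asking for things
its feature set does not explain, such as installing further packages.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: a reviewer's own risk notes, not an Android-defined classification.
HIGH_RISK = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install additional packages (code delivery outside the store)",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps (overlay / UI spoofing)",
    "android.permission.RECORD_AUDIO": "microphone access",
    "android.permission.READ_CONTACTS": "address-book harvesting",
    "android.permission.ACCESS_FINE_LOCATION": "precise location tracking",
    "android.permission.READ_PHONE_STATE": "device identifiers and call state",
    "android.permission.READ_SMS": "can read SMS (e.g. one-time codes)",
}

# Assumption: what a short-video app plausibly needs to do its job.
EXPECTED_FOR_VIDEO_APP = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.VIBRATE",
}

# Constructed sample manifest; not extracted from any real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shortvideo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission-sdk-23 android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Example"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return every permission the manifest declares, in document order.

    Both <uses-permission> and <uses-permission-sdk-23> are collected; the
    latter is only requested on API 23+ but is still a request.
    """
    root = ET.fromstring(manifest_xml)
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(f"{{{ANDROID_NS}}}name")
            if name:
                names.append(name)
    return names


def triage(manifest_xml: str, expected: set[str]) -> dict:
    """Split requested permissions into buckets a reviewer actually cares about.

    'high_risk' is everything in HIGH_RISK regardless of whether the feature set
    explains it; 'unexplained' is anything outside the expected set; the
    intersection of the two is where the questions start.
    """
    perms = requested_permissions(manifest_xml)
    high = {p: HIGH_RISK[p] for p in perms if p in HIGH_RISK}
    unexplained = sorted(p for p in perms if p not in expected)
    return {
        "total": len(perms),
        "high_risk": high,
        "unexplained": unexplained,
        "unexplained_high_risk": sorted(p for p in unexplained if p in HIGH_RISK),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, EXPECTED_FOR_VIDEO_APP)
    print(f"{report['total']} permissions requested")
    for perm in report["unexplained_high_risk"]:
        print(f"  ask why: {perm}: {HIGH_RISK[perm]}")
```

In practice the manifest comes out of the APK with `aapt dump xmltree app.apk AndroidManifest.xml` or a decompiler, and, as the comment notes, a requested permission is not a granted one: on a device, `adb shell dumpsys package <pkg>` shows which runtime permissions are actually granted, and that is the list that matters for what the app can do today.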
Exactly. That's why trust in the base app is such an important detail. The only relevance to the "pull down arbitrary code" possibility is that someone else could get the code inserted, either by forcing the company to do so, stealing the mechanism, or discovering a vulnerability. The new code would not be released as a potentially detectable update either, making it easier to hide.
I think the best example of such an issue is the vulnerability discovered in WhatsApp a little under a year ago. Said vulnerability wasn't intentional (unless you are paranoid), and it allowed arbitrary code execution by crafting an invalid video file. That code would not be able to exit the sandbox of the app, but WhatsApp's sandbox is really big, so it proved to be a useful exploit, weaponized by at least a couple of groups. If TikTok had a similar mechanism, intentionally or through a vuln, it could prove dangerous even if a user trusted the original app. Obviously, I do not know that such a thing exists, but if it did, it would be bad.
A quick google and I expect our anonymous, paranoid-sounding colleague has been on the reddit forum linked to above. In particular they may have had a read through this research paper: https://penetrum.com/tiktok/Penetrum_TikTok_Security_Analysis_whitepaper.pdf
I've had a read through. Yes, I can see they harvest a huge amount of information, but it seems to be harvested by a SAAS component from appsflyer, an American company. A bit shit, yes, but also seems a bit rich to point out a chinese company for harvesting data if they're using an american service to do so.
As for the rest of the research from that paper, I would grade it "poor". They've established that a call is made to Runtime.getRuntime().exec(), but have failed to establish what for. I suspect this is the grounds for the breathless "can download and run ANYTHING !!?!?!" claim. They've also picked out use of the MD5 hash algo as some sort of evidence that Tiktok are cryptographically incompetent, which annoys me - MD5 is fine for general hashing, just not cryptographic hashing. Without analysis of how it's used it's a baseless claim.
There are a few other areas which are a bit more concerning (a possible SQL injection in particular), but with virtually no analysis beyond what looks like a quick scan through after reverse-compiling, I'm left more concerned about the sorry state of today's reverse engineers than I am about TikTok. The "oooh, China" factor is getting in the way of any useful conclusions.
And these are corporate phones, not the employees' private phones.
Our company has a very tight policy on what apps are allowed and they have to be approved by the IT department - in fact, the users don't even get the password for the account used to sign up the phones to the Apple/Google store.
I suspect that it might be exactly the reverse, actually. The article states 'Devices used to access corporate e-mail'. I reckon that what Amazon are actually saying is that it's fine on a work computer, where we control security, but not on your crappy spyware-infested BYOD device.
Turn the question around and ask yourself why you're compromising your own security and privacy to watch cat vids and selfies.
And the security threat isn't just to the individual but in aggregate. Look at the way Cambridge Analytica stole data from Facebook (which itself hoovered it up from users) to send targeted ads to a small fraction of people in Leave.EU and Trump's presidential election, enough to swing a vote. Social media has been weaponised and it can undermine democracy.
It's not hard to envisage how Tiktok could also do this, especially if it was under state control. But in general you are better off not putting social media apps on your phone, or at least denying them permission to limit their damage.
What do you think the "update" function on almost every piece of desktop software does? Your beef appears to be with HTTP itself, or possibly the fact that applications can execute code. I've found both of these features of the modern tech landscape almost indispensable over the past few years.
Who are all the fear-mongering ACs... no, really?
This is the third article I've read this weekend where some AC tard has been making baseless claims about how China are rifling through all our digital comms... with no thought for the children or our democracy and freedoms...
Do these tards have no faith in our western intelligence agencies and their contractors... our great and mighty tech giants and established social platforms?...... oh wait, never mind.
What is wrong with banning software on corporate devices? We have very strict policies.
Our company phones get the approved mail software and a couple of other apps installed, then they are locked down. If we want something like TikTok, we have to install it on our private phones.
Still it has the advantage that we are supposed to leave our phones at work in the evening, or turn them off, when out of hours.
(Although I should probably stop using that phrase... oh well.) I've lost count of the number of times I have been discussing something - anything - with family or friends and a short time later I start getting adverts for something related to the subject under discussion - or what Amazon *thinks* is related to the subject. Which, when discussing things like epic space battles, Things Man Was Never Meant To Know with their unholy cults, the possibility of ever going overseas on holiday again and whether Jar-Jar Binks' middle name really is "Fu**ing", can result in some entertaining ads popping up!