A Defensive Computing Checklist    by Michael Horowitz

TIKTOK

January 25, 2024: iPhone apps abuse iOS push notifications to collect user data by Bill Toulas for Bleeping Computer. Security firm Mysk found some apps that use a trick to run in the background. The apps further abuse things by spying on us while running in the background. The apps they called out were TikTok, Facebook, X (Twitter), LinkedIn, and Bing. The defense is to disable notifications for these apps. To do so: Settings -> Notifications -> select an app -> disable "Allow Notifications".

FYI: October 14, 2023. Our continued actions to protect the TikTok community during the Israel-Hamas war from TikTok.

March 2, 2023: TikTok spies on people much like Facebook does. We Found 28,000 Apps Sending TikTok Data. Banning the App Won't Help. by Thomas Germain for Gizmodo
--"Joe Biden gave federal agencies 30 days to remove TikTok from government devices earlier this week. Until now, most politicians intent on punishing TikTok have focused solely on banning the app itself, but ... federal agencies must also 'prohibit internet traffic from reaching the company.' That’s a lot more complicated than it sounds."
-- The article is wrong about this; for a competent techie this is not difficult at all. DNS makes it fairly easy; more on this below.
--"Gizmodo has learned that tens of thousands of apps ... use code that sends data to TikTok. Some 28,251 apps use TikTok’s software development kits, (SDKs), tools which integrate apps with TikTok’s systems - and send TikTok user data" Many websites also send data to TikTok.

USE THE WEBSITE, NOT THE MOBILE APP
The safest first step is to use the tiktok.com website without having an account.

  1. TikTok Browser Can Track Users' Keystrokes, According to New Research by Paul Mozur, Ryan Mac and Chang Che for the New York Times (August 2022). Quoting: "The web browser used within the TikTok app can track every keystroke made by its users, according to new research ..."
  2. More on this from Felix Krause: iOS Privacy: Announcing InAppBrowser.com - see what JavaScript commands get injected through an in-app browser (August 2022).
  3. FBI director says he's 'extremely concerned' about China's ability to weaponize TikTok by Suzanne Smalley for Cyberscoop (November 2022). Quoting: "Chinese companies are forced to 'basically do whatever the Chinese government wants to do in terms of sharing information or serving as a tool of the Chinese government ... APIs in TikTok could be harnessed by China to control software on millions of devices, meaning the Chinese government could conceivably technically compromise Americans' personal devices ... China could 'control data collection of millions of users or control the recommendation algorithm, which can be used for influence operations.' "
  4. If you do use the website, do it in private browsing mode. Better still, use a Chromebook in Guest Mode.

CREATE AN ACCOUNT WITH MAXIMUM PRIVACY

  1. Instead of your regular/main email account, use one that is auto-forwarded and not used anywhere else. For more on this, see the page on multiple email addresses.
  2. Do not give TikTok your phone number; it is not needed to create an account.
  3. Do not put your real name in your profile.
  4. Give your account a nickname that is not used anywhere else.

SETTINGS FOR MAXIMUM PRIVACY

  1. Make your account Private so that you can approve who follows you: Settings and Privacy -> Privacy -> turn on Private Account
  2. Make it hard for people to find you: Settings and Privacy -> Privacy -> Suggest Your Account to Others -> Turn off the four toggles
  3. Hide the people that you follow: Settings and Privacy -> Privacy -> Safety section -> Following List -> Only Me
  4. Hide the videos you like: Settings and Privacy -> Privacy -> Safety section -> Liked Videos -> Only Me
  5. Ad Personalization: Settings and Privacy -> Privacy -> Ads Personalization -> Use of Off-TikTok Activity for Ad Targeting -> turn off
  6. Do not share your contacts/friends: Settings and Privacy -> Privacy -> Sync Contacts and Facebook Friends. In addition, both Android and iOS should let you block the app from being able to access your contacts.

PROTECTING KIDS

  1. October 2023: There is a Restricted Mode that blocks content with realistic violence, firearms and other such imagery. With the Israel Gaza war this became more important. When Restricted Mode is on, TikTok only shows content that it deems suitable for all audiences. That means videos with mild profanity are blocked and it may block too much. There is no perfect happy medium. You turn on Restricted Mode in the mobile app with:
    tap your profile -> tap the horizontal lines in the upper right corner -> Tap Settings and privacy -> Content preferences -> Restricted Mode
    You then set a passcode, so a child cannot just turn Restricted Mode off.
  2. From TikTok: Restricted Mode. Topics: What is Restricted Mode on TikTok? How to manage Restricted Mode. How does Restricted Mode work? What types of content aren't available under Restricted Mode?
  3. From TikTok: Age-restricted content on TikTok LIVE
  4. If parents and kids have their own TikTok accounts, then parents can use the Family Pairing feature to restrict age-inappropriate content on their kids' accounts. They can also limit a child's ability to search for content as well as enable the "Restricted Mode" discussed above. Parents can also filter out videos with words or hashtags they don’t want their kids to see.
    From TikTok: What is Family Pairing?

BLOCKING TIKTOK DOMAINS

  1. If you can control DNS, then block not only tiktok.com and www.tiktok.com, but also block ads.tiktok.com and analytics.tiktok.com.
  2. If you can control DNS generically, then block these domains, as per Steve Gibson in his Security Now podcast from March 7, 2023:
    *.tiktok.com
    *.tiktok.org
    *.tiktokv.com
    *.tiktokcdn.com
    *.musical.ly
    *.p16-tiktokcdn-com.akamaized.net
    *.TikTokcdn-com.akamaized.net
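
One way to apply the two items above on a resolver you control. This is an added example, not from the original page or the Security Now podcast. It assumes dnsmasq or Unbound as the resolver, the function names are hypothetical, and each wildcard is treated as covering the bare domain too, as item 1 asks.

```python
# Added example: turn the wildcard list above into resolver blocklist config
# and check which hostnames the resulting rules would catch.
WILDCARDS = [
    "*.tiktok.com", "*.tiktok.org", "*.tiktokv.com", "*.tiktokcdn.com",
    "*.musical.ly", "*.p16-tiktokcdn-com.akamaized.net",
    "*.TikTokcdn-com.akamaized.net",
]

def zones(wildcards=WILDCARDS):
    """Strip the '*.' prefix, lowercase (DNS names are case-insensitive), dedupe."""
    seen = []
    for w in wildcards:
        z = w.strip().lower().rstrip(".")
        if z.startswith("*."):
            z = z[2:]
        if z and z not in seen:
            seen.append(z)
    return seen

def is_blocked(hostname, blocked=None):
    """True if hostname is a blocked zone or any subdomain of one.
    Matching is on whole labels, so 'nottiktok.com' is not caught by 'tiktok.com'."""
    blocked = zones() if blocked is None else blocked
    labels = hostname.strip().lower().rstrip(".").split(".")
    # Test every suffix: a.b.tiktok.com -> b.tiktok.com -> tiktok.com -> com
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def dnsmasq_lines(blocked=None):
    # dnsmasq: address=/zone/0.0.0.0 answers locally for the zone and its subdomains
    return [f"address=/{z}/0.0.0.0" for z in (zones() if blocked is None else blocked)]

def unbound_lines(blocked=None):
    # Unbound: always_nxdomain returns NXDOMAIN for the zone and everything under it
    return [f'local-zone: "{z}." always_nxdomain'
            for z in (zones() if blocked is None else blocked)]

if __name__ == "__main__":
    print("\n".join(dnsmasq_lines()))
    print("\n".join(unbound_lines()))
    # Constructed sample names for checking the rules, not captured traffic
    for name in ["www.tiktok.com", "ads.tiktok.com", "TikTok.com.", "nottiktok.com",
                 "p16-tiktokcdn-com.akamaized.net", "example.akamaized.net"]:
        print(f"{name:40} {'BLOCK' if is_blocked(name) else 'allow'}")
```

The last two sample names show why both akamaized.net entries are in the list: only the TikTok-specific hostnames are blocked, while the rest of akamaized.net, which serves many unrelated sites, still resolves.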

CORPORATE PERSONALITY

May 5, 2023: TikTok Tracked Users Who Watched Gay Content, Prompting Employee Complaints by Georgia Wells and Byron Tau for the Wall Street Journal. Quoting: "TikTok workers in the U.S., U.K. and Australia in 2020 and 2021 raised concerns about this practice to higher-level executives, saying they feared employees might share the data with outside parties, or that it could be used to blackmail users... " The company claims to have ended this dashboard in 2022.
Another article on the subject: TikTok had a 'list' of users who viewed LGBTQ posts - raising alarm as the company faces scrutiny over ties to China by Sindhu Sundar for Business Insider.

December 22, 2022. TikTok Spied On Forbes Journalists by Emily Baker-White for Forbes. The author covers TikTok. She was leaked information about the company from someone who works there. TikTok did not like what she wrote, so they set out to find her source. They spied on her location, and then, after another leak, they lied about doing this. One way they tracked the reporter's location was by her public IP address, so use a VPN when using TikTok. And, as the section above says, use their website rather than their app to limit the amount of spying they can do. Make sure that either the browser or the Operating System has no access to your location. That means using a VPN from an Ethernet-connected device. If the device supports WiFi or GPS, turn them both off.

This page: Created: November 21, 2022   Last Updated: January 25, 2024
Website by Michael Horowitz   Copyright 2019 - 2024