by kindle-dev 1731 days ago
The TikTok app may have camera access and location access. It could capture images and send them to China when it detects it’s on a military base without the user even knowing. It’s so annoying to see “what about X” comments on every story with almost no thought put into the response.

While TikTok is technically slightly worse, focusing on that rather than the gaping real problem of publicly posting top secret info is missing the forest for the trees.

Solve the problem of people posting this to social media and it won't matter if the company is US owned and operated or foreign owned and operated because neither will have anything to work with.

I think you're missing the forest for the trees. Publicly posting confidential information is definitely bad. Bringing a device that can covertly collect information for adversaries is even worse.
> I think you're missing the forest for the trees. Publicly posting confidential information is definitely bad. Bringing a device that can covertly collect enemies for adversaries is even worse.

If you aren't posting top secret data, you also aren't sharing it with enemies on accident.

There’s no requirement for you to actively post data to break opsec - often it happens behind the scenes. See the fitbit/airbase incident.

https://www.popularmechanics.com/technology/apps/a15912407/s...

Sure. I was a little less clear in this thread than I was in the other. I'm more making a case for a more sane policy on what apps people can run, or even devices they can have, to make it so this is not a problem that's normally possible. Whether the info is shared with China or the U.K. isn't really a distinction worth making if it never should have been shared with either, period (and let's not act like the U.K. wouldn't want to know just as much, we do with our own allies as shown through some of our exposed wiretapping programs).
Who is disputing that you shouldn't share secret information on social networks? TikTok's ties still change the potential impact of this breach. That's relevant information that gives context to the basic facts of the case that we usually call "the news".
I don't think you're understanding what the person you're replying to is saying.

If the app is made by an adversary, you don't need to post it publicly for there to be a problem. The app has the ability to send it directly without you even knowing.

By "Solve the problem of people posting this to social media" I mean the more general "you shouldn't be accessing apps that are security problems while in a secure area", which I covered in a separate thread on this article.

In that respect, whether it's TikTok or any other social media makes little difference. If use of apps like that is prohibited, then it's either not a problem or it's a personnel following policy problem.

That said, if people really think TikTok is a problem they should be worried about some other app whose ties are far less known that might get far less public scrutiny and do far more. By the time we're nitpicking which specific social media platform is the worst to have posted to in this case, we're so far down the path of problematic behavior that we're in absurdist territory. The fact that someone's walking around with the equivalent of a video camera taking movies of what appears to be top secret material is the problem, and whether they put it up on TikTok or YouTube, or sell to the Washington Post or to RT is just bikeshedding mostly irrelevant details.

The solution to this all is probably along the lines of "don't allow smartphones in secure areas" or only allow smartphones that have been vetted by security.

Ok sure, I don't think people are disagreeing with that, it's just not what anyone else was talking about so you seemed to be missing the point.
How certain are you that TikTok only gathers data of any kind when you, the user, ask it to?
Pretty sure iOS security policy mitigates this unless they are Zero-daying something.
Responding to your other comment: the app has access to your camera. Nothing is stopping it from using your camera, without your knowledge, and then uploading what it captures while a user browses their TikTok feed.
Then don't allow people to keep smartphones while in secure areas?

My point is, the problem is posting to social media, or using a device that's insecure. There's plenty of apps that a user could be tricked into installing that are much worse than TikTok and that will have much less public scrutiny.

That TikTok is affiliated with China in some way is a red herring. There's no reason to solve the problem of TikTok if you solve the general problem of people using unapproved applications (which all social media would obviously be unapproved in secure areas) or insecure devices.

Otherwise what you'll find is that Facebook has some Cambridge Analytica type situation going on, and some Chinese shell company ends up using it to get special access and details, and the same thing as this happens through Facebook and China has special additional info and "TikTok fix" helped solve exactly nothing.

Bringing up that TikTok is associated with China in the article is useful in showing people some of the ramifications of the problem. Focusing on that as the problem leads people to think banning TikTok is the answer, when it clearly is not, since it doesn't go nearly far enough in combating the problem.

> Nothing is stopping it from using your camera, without your knowledge

The app needs to be open and in the foreground for it to take photos. On Android at least.

On a base with top secret information, I'm amazed there would be private phones in operation there. The government may be pretty stupid about some things, but they absolutely know the 1000+ threat vectors within modern mobile phones.
The permissions of the app are one thing, whether the app does it is another. In theory what you say would be possible, yes, but does the TikTok app have a feature which allows remote enabling of the camera, i.e. without user interaction? The code is public and can be decompiled. TikTok is not in charge of application distribution either, Google is, so if they add such a feature, people might notice.
Modern apps are obfuscated and use certificate pinning to avoid network traffic introspection. It's really not simple to decompile an app into something understandable.
https://github.com/shroudedcode/apk-mitm

Removes certificate pinning from apk files for mitm inspection.

You nailed it
It's as annoying to see all these unfounded comments like yours making China some sort of omniscient bogeyman.
I'm not making China out to be an omniscient bogeyman. The U.S. has used companies to gain access to secure systems in other countries. It's just a reality that ANY country can do this. To deny that is to either be a shill, or woefully ignorant.
This is a problem with proprietary software in general. You can't be sure about what it does at all times. It's not a China specific issue.
Did you watch the video? Someone is clearly recording this object intentionally. The camera pans and zooms to follow the truck. Whether this is secretly being sent to China via TikTok is somewhat irrelevant if an individual is breaking protocol by intentionally taking video on their smartphone.
I was responding to the comment asking why TikTok should be banned vs. other social media.
I suppose then that it is OK for foreign governments to ban FB, Insta, etc? After all, we all know what lengths the US via NSA will go to.
Yes, of course it's ok. The role of a government is to do what is in the best interest of its citizens. If there is a possible threat from a foreign adversary, the government should deal with it.
There's a difference between the government banning an app from a country entirely, and banning anyone in their military from using an app or even a smart phone or anything with a camera, especially inside a military base!
It is and it's stupid that Americans insist on their companies running with unfettered access to every country like it's some unalienable right
I think so, yeah. After all, I want it banned here too :p
Yes. I was agreeing with the parent comment that the social media platform is irrelevant. Presumably, video taken of secret military hardware is not ok in any circumstance. It's the smartphone, the attached camera, and the individual that is at fault.
In China they don't just ban apps, they ban military from even driving a Tesla.