Lame-duck versions of TikTok and WeChat are definitely a problem, security experts say
Cybersecurity experts and privacy advocates said Friday that TikTok and WeChat users should probably stop using the applications in the coming days, given that the Trump administration’s new ban on them will effectively block users from downloading updates.
Updates, of course, provide security fixes and not just new features. In just the last year, TikTok has had to issue multiple patches for vulnerabilities that could allow hackers to capture users’ data without their permission or send them malicious links, for instance. WeChat has also had to address several flaws in the last year.
“The order … harms the privacy and security of millions of existing TikTok and WeChat users in the United States by blocking software updates, which can fix vulnerabilities and make the apps more secure,” the Director of the American Civil Liberties Union’s National Security Project, Hina Shamsi, said in a statement.
The ban won’t eliminate the apps on current users’ devices — it will just restrict access to the two products in app stores. After Sunday, when some of the restrictions are slated to take effect, TikTok and WeChat will progressively become riskier and riskier, said Dave Kennedy, the chief technology officer and co-founder of Ohio-based Binary Defense.
“As code progresses, security vulnerabilities and security issues come into play. By blocking updates, you’re going to preclude TikTok from addressing security issues and vulnerabilities,” Kennedy, who previously worked at the National Security Agency, told CyberScoop. “TikTok and many other organizations use third party libraries and other pieces of code, and there’s vulnerabilities that happen all the time … as TikTok gets older and older, because you can’t update, the larger percentage chance you have of critical exposures not being addressed.”
Also an issue: VPNs and jailbreaking
There are other ways TikTok and WeChat users can put themselves at risk. The experts are also wary of U.S. residents who might try to circumvent the ban. One method would be to use a virtual private network (VPN) to appear to be online in another country that hasn’t banned the apps. Another approach would be to jailbreak a phone to override any operating-system or app restrictions and install TikTok and WeChat outside of usual methods.
Both approaches could expose devices to other security issues, Kennedy said. Not all VPNs are safe or reliable, and jailbreaking phones for software installation degrades their security.
One of the lawmakers who has been monitoring the reaction to the ban, Rep. Jim Langevin, D-R.I., reiterated security experts’ concerns about the danger of unpatched apps. “And trying to do workarounds, I would absolutely not do it,” he told CyberScoop in a phone interview.
Langevin, who serves on both the Armed Services and Homeland Security committees, added that he wants to discuss the security issues with the White House.
The Trump administration’s restrictions are an effort to “combat China’s malicious collection of American citizens’ personal data,” Commerce Secretary Wilbur Ross said in a statement. The ban also will prevent U.S. companies from providing services such as network hosting services to TikTok, which is known for its viral video clips, and WeChat, which is one of the world’s most popular chat platforms.
U.S. government officials have raised concerns that China could use Chinese-owned companies to enhance government espionage efforts against Americans. But the limitations on receiving updates will inevitably amplify TikTok and WeChat users’ risks.
It’s not the first time the Trump administration has provoked a debate on security basics. But the news comes at a tumultuous time for TikTok in the U.S., which is currently staring down the barrel of ownership changes in an effort to allay national security concerns President Donald Trump says he has with the Chinese-owned company.
The global chief security officer for TikTok’s parent company, ByteDance, told CyberScoop in an exclusive interview last month the firm doesn’t share data with Beijing. Nonetheless, TikTok is said to be working on a deal with the Trump administration to transfer TikTok ownership from ByteDance to California-based Oracle, following Trump’s executive orders on the matter.