Is TikTok, the Chinese-owned social network that is used mostly by teenagers to post dance videos, a national security threat?
It depends on whom you ask.
President Trump has said it is and has threatened to ban the app in the United States. But security experts are more hesitant to draw conclusions. While there is no direct evidence that TikTok has done anything malicious with people’s data, sharing information could be fundamentally less safe with a company that might allow the Chinese authorities to intercept it.
So I asked two companies that offer mobile security products to take a close look at TikTok’s app to see what they could glean about it. They had very different takes.
Disconnect, a San Francisco security firm, analyzed the code of the TikTok app for iOS. In July, the app’s code contained references to servers in China. Last weekend, Disconnect reviewed the app’s latest version and saw that the lines of code referring to Chinese servers had been removed.
Patrick Jackson, the chief technology officer of Disconnect, said that while he did not witness any data transmission by the app to Chinese server computers, he found the existence and subsequent removal of the code suspicious.
But Sinan Eren, the chief executive of Fyde, a security firm in Palo Alto, Calif., said the references to servers in China did not alarm him. Plenty of apps have legitimate reasons for relying on some Chinese servers — for example, if they have users in Asian countries and want to stream video to them quickly in a cost-effective manner.
“It’s not realistic for anybody to say that they’re not going to use any Chinese servers, ever,” Mr. Eren said.
TikTok said that the code discovered by Disconnect was obsolete and that it had updated its app as part of a continuing effort to eliminate unused features. “We have not shared data with the Chinese government, nor would we if asked,” the company said in a statement.
On Tuesday, after The New York Times called about the code, TikTok also published a blog post titled “Providing peace of mind” and said it was working on “efforts around cleaning up inactive code in the app to reduce potential confusion or misconceptions.”
Whether or not TikTok’s code was doing something nefarious, there is a broader lesson here. As increasingly digital creatures, we often don’t think twice about giving the apps that we love permanent access to information about ourselves. So the debate about TikTok is a reminder that we must be on guard about the data we share with any apps — whether it’s from an American or a Chinese company — and get in the habit of denying their requests to our personal data.
“We should be minimizing the amount of data we share,” Mr. Jackson said. “It doesn’t matter who collects it in the first place.”
Here’s what you can do to set up your app defenses.
Minimize data sharing.
When you open a newly installed app on your phone, notifications may pop up asking for permission for access to sensors and data such as your camera, photo album, location and address book.
When that happens, ask yourself these questions:
- Does this app need access to my data or sensor for it to work properly?
- Does the app need access to this sensor or data all the time or just temporarily?
- Do I trust this company with my data?
Sometimes it makes sense to grant access. An app like Google Maps, for example, needs to know your location so it can figure out where you are and give directions.
In other instances, the need is less clear.
GasBuddy, an app that helps you find nearby gas stations with the lowest prices, asks for permission to know your location. You could allow it to pull your device’s precise location from its GPS sensor. But it would be safer just to enter your ZIP code so it has less precise information about your whereabouts. (A 2018 Times investigation found that GasBuddy was one of dozens of apps that shared users’ location data with third parties.)
Then there is the question of whether an app needs permanent access to our data and sensors — meaning it always has permission to get information like our location and photos even when we are not using features related to that data.
Usually, the answer is no. As a brand-new TikTok user, for example, I had granted it permanent access to my phone’s camera and microphone. But I have mostly used the app to scroll through people’s cooking videos and have posted only two videos. And the app doesn’t really need to know that much about me. So I eventually went into the settings to disable access to those sensors.
Even if giving access makes life easier, it may be worth putting up with some hassle if you don’t trust the company. Mr. Eren, who said he no longer trusted Facebook after a series of data scandals, uses the Facebook-owned messaging service WhatsApp. But to avoid sharing his address book with Facebook, he said, he manually added his contacts to WhatsApp.
That all sounds like a lot of work. But there’s good news: Apple and Google are making it easier to reduce the amount of data we share with apps.
In Apple’s next version of its mobile operating system, iOS 14, which is due for release this fall, apps requesting your location will present you with the option to share just an approximate location. That could be useful if you’re searching Yelp, for example, for restaurants in the neighborhood but don’t wish to tell Yelp exactly where you are.
Google said that in Android 11, its mobile operating system due for release this year, apps requesting location would present people with the choice to grant access just once, which would prevent constant location sharing with an app. (Apple has offered that option for about a year.)
Google also said that if any apps were not used for a long period after being granted access to sensors and data, Android 11 would automatically reset them to require permission again.
Block app tracking.
Many apps are constantly pulling information from our devices, such as the model of our phone and what version of mobile operating system it is using, and are sharing that data with third parties. Marketers who gain access to that information can then stitch together a profile about you and target you with ads across different apps — a practice known as app tracking.
So what to do? To limit this invisible data harvesting, I recommend using so-called tracker blockers.
Mr. Eren’s app, Fyde, which is free for iOS and Android devices, automatically blocks such trackers, for example. Disconnect also offers tracker blocking apps, Privacy Pro and Disconnect Premium, for iPhone and Android devices.
I prefer Fyde. In my tests constantly running the tracker blockers, it consumed less battery than Disconnect’s apps did.
Apple said that in iOS 14, apps would be required to ask people for permission to perform tracking.
Be curious.
This last step is less technical: Stay informed. If you wonder how a company manages to offer its app, do some research on the business. Read its website and send the company questions to gain a basic understanding of what’s happening with your data and what steps you should take to minimize sharing.
If it’s a free app that relies on ads for revenue, you can usually assume that your data is part of the transaction.
“It’s not about what they collect today — it’s the drip over time,” Mr. Jackson said. “Before you know it, these apps have this huge profile about you that they’ve sold to so many people. Once the horse is out of the barn, it’s going to be hard to rein it back in.”
Last month’s antitrust hearing before a House panel made it clear that Google, Apple, Facebook and Amazon touch every aspect of our digital lives, including our messaging apps, virtual assistants and hardware. That may make you curious what data each of those companies has collected about you. Here’s how to find out. These instructions should be followed from a laptop or desktop computer, not a mobile app:
- On Facebook.com, click the arrow pointing downward in the top-right corner.
- Click Settings & Privacy > Settings. In the left column, click Your Facebook Information.
- Here, follow the steps to request a copy of your Facebook data.
- Visit Google Takeout at takeout.google.com.
- Here, select the categories for the data you would like to download.
APPLE
- Visit privacy.apple.com and log in with your Apple ID credentials.
- Click Request a Copy of Your Data to gain access to the data portal.
AMAZON
- Visit the Request My Data portal. You’ll need to log in to your Amazon account.
- From the drop-down menu, click Request All Your Data, and submit the request.
In 2018, I downloaded copies of my information from each of the Big Four, and I was most disturbed by the incredible amount of data that Facebook was hoarding about me, including information on my friends and exes. The Facebook data also revealed that hundreds of advertisers, many that I had never heard of, had my contact information. You can guess what I did next: I deleted my Facebook account. I haven’t regretted it.