Tiktok ban on business smartphones: „Not cool, but very reasonable“

14. March, 2023

Due to privacy and security concerns, Tiktok has come under pressure in the US and Europe. The EU Commission and the EU Parliament have already banned the app on all devices used for official purposes. Other government-affiliated organisations and ministries in various countries are reviewing a possible ban – also in Austria. [1]

Profiling: Tiktok knows more than we reveal

Tiktok collects IP addresses, location data, browsing history, network connections and device information from app users and has access to the clipboard, camera and microphone of the device. Additionally, it has access to your account information such as username, name and date of birth, your own content, and all interactions with other users and, if you log in via another social media account such as Facebook, information from these accounts as well.

“The app never forgets“, warns IKARUS-CEO Joe Pichlmayr against underestimating data protection concerns: “Everything I have ever looked at, searched for or done is stored. This means that the app operator knows an immense number of details about me after just a few weeks. In addition, successful apps like Tiktok are excellent at adding information about me. Tiktok knows quite quickly who I am, how old I am, what interests me – and can very easily match my profile data with the data of similar users who match my age, interests, behaviour, etc. This means that Tiktok can also draw conclusions about topics that I myself have never consumed on the app – similar to a jigsaw puzzle where you can see the motif even before the finished picture.“

(Cyber-) Risks from data collections

All these concerns are not limited to Tiktok alone, but apply to many other apps as well. And they apply not only to official devices, but also to private devices – perhaps even more so, as they are often less protected than official ones.

The risks from apps like Tiktok are targeted social engineering or cyber-attacks, identity theft, exploitation of location profiles or current location, and selling the data profiles created to third parties. Conversations, image and video files or even passwords from a 2-factor app or password manager could be stolen. If users allow access to their contacts, for example to find friends on the platform, they can quickly become the target of cybercriminals as a stepping-stone to the actual primary target.

“If the employee’s task is not to use Tiktok or similar apps professionally, such apps have no place on the work mobile phone. This is uncool and limiting, but I can expect these restrictions on business devices“, says Joe Pichlmayr: “Privately, I strongly recommend critically examining the question of what consequences the use can have for me, my environment or even my children.“

Tiktok & Co.: Protection of one’s own identity and environment

The first steps to reduce one’s own security risk through data-collecting apps are therefore to raise awareness about the actual risks and to critically question the installed apps and their permissions. Responsible and targeted use can already lead to a significant reduction in danger.

Users can actively restrict app permissions to prevent apps from accessing certain smartphone data and functions in the first place. VPN and privacy apps can also increase individual security by encrypting online activities and protecting data from unauthorised access. Some Android manufacturers offer security add-ons that allow apps to access only specifically authorised information on the phone. However, these functions must be adapted manually or used at all. There is still the risk of imprudently granting access rights if the application does not function properly or the restrictions lead to a great loss of comfort.

Secure business devices and corporate information centrally

Mobile Device Management (MDM) is a proven and simple solution to implement company policies on mobile service devices and to control access to company data. IT administration has the monitoring of the devices, including updates and patches, as well as the control of which apps are allowed, centrally under its control.

Suitable MDM systems also make it possible to set up different configuration profiles, remotely delete the device in case of loss and strictly separate professional and private data. Companies can thus drastically reduce the cyber risks posed by mobile devices and decide individually how to deal with critically viewed apps.