Trump's WeChat and TikTok App Store Bans Are a Cybersecurity Nightmare

Photo: Drew Angerer (Getty Images)

The Trump administration has barely even bothered to back up its case that its use of emergency powers to strong-arm Beijing-based ByteDance into selling TikTok’s U.S. operations to an American company is based on cybersecurity concerns. It’s actually setting the stage for a meltdown of its own making.


While the White House officially cited cybersecurity concerns when it threatened TikTok and Chinese conglomerate Tencent’s WeChat with bans earlier this year, its rhetoric has made it obvious that it is more interested in coming off as tough on China and its ruling Communist Party, and that it sees the coerced TikTok sale as an opportunity for a lucrative shakedown. The administration’s latest move, an announcement on Friday that U.S. app stores must cease hosting TikTok or WeChat in the coming weeks, makes that crystal clear.

The U.S. Commerce Department, which chairs the committee on foreign investment that will determine whether a deal will go through, said that as of Sept. 20, venues like Google’s Play Store or Apple’s App Store must cease distributing TikTok or WeChat, as well as suspend any payment processing via the latter app. On Sept. 20, web hosts, content delivery networks, and other service providers will be ordered to stop providing “functioning or optimization” to WeChat. The same measures will kick in on Nov. 20 for TikTok—an unpopular decision for the app’s 100 million estimated U.S. users, but one that conveniently kicks in after the presidential election—unless ByteDance sells off a majority stake in TikTok to a U.S. firm or reaches another arrangement that satisfies the Commerce Department. Trump-allied enterprise firm Oracle appears close to clinching such a deal, but whether it’s actually bargaining for majority U.S. control or settling for something less is unclear, and the ban could be a sign the White House is dissatisfied with the results.


The new prohibitions on Apple, Google, and other U.S. app stores won’t just prevent new users from downloading either app; they will actively undermine security by preventing developers from shipping fixes for vulnerabilities. If TikTok contains any bugs known to criminals now or discovered by them later, American users will be unable to download security patches from Google Play or the App Store, exposing their private information and their phones to compromise by hackers.

This would be functionally equivalent to what’s known as a zero-day exploit: a malicious actor discovers a vulnerability before the developer has a chance to patch it out. In this case it wouldn’t matter if TikTok developers found out about the bug before an exploit is used, because they wouldn’t be able to deliver a fix to U.S. users unless the ban was lifted. It will also push anyone looking to download TikTok or WeChat toward alternative, riskier methods like jailbreaking devices and sideloading apps from third-party repositories that may be fronts for malware.

“Allowing users to retain use of the app, and keep it installed, while cutting off access to security updates is incredibly irresponsible and dangerous—likely creating a larger security problem than this action is trying to avoid,” Topher Tebow, cybersecurity analyst at Acronis, told Gizmodo. “Without security updates, any new vulnerability becomes a well-known way to attack American citizens, creating a huge opportunity for any malicious actor, from basic script kiddies to nation state attackers.”

Exposing TikTok’s 100 million estimated monthly active users in the U.S. to this risk is equal to, if not greater than, the security threat the White House has used to justify the ban: the theoretical possibility that Chinese intelligence agencies could order ByteDance to hand over U.S. user data. TikTok does collect a lot of data, but similar practices are rampant across the web, and as Gizmodo has reported, Chinese spies could obtain similar and even more granular data by simply purchasing it, scraping it, or intercepting it while it’s bouncing around the worldwide adtech network.


Obsidian Security tech chief Ben Johnson, a former National Security Agency engineer, warned that the internet had created a globally connected world but is now reaching a stage of “fragmentation and compartmentalization.” Johnson pointed to restrictions around Chinese apps and the introduction of tighter privacy laws in regions like Europe.

“Online technologies, data sharing, and how we use our smart devices day to day will continue to look different depending on where you are in the world,” Johnson wrote to Gizmodo.


“With the recent TikTok and WeChat restrictions, the primary security concern at the individual level will be the unavailability of security upgrades thus creating an even more vulnerable population of consumer smart devices,” Johnson added. “Until this all plays out, it is best to have a better grasp of the applications you are using and more importantly, why you need them.”

This is all on top of other massive red flags on how the White House has handled the TikTok and WeChat bans. Those include Trump’s blatantly illegal attempt to extort “very significant” payments from TikTok’s eventual purchaser, the completely arbitrary process that led to Trump allies at Oracle closing in on a deal that doesn’t come close to meeting the terms of Trump’s original directives, and the innumerable prior examples of the White House abusing emergency powers for nakedly partisan aims. The Department of Justice has also failed to explain why it’s not touching other Tencent apps with tens of millions of users in the U.S.


“This order violates the First Amendment rights of people in the United States by restricting their ability to communicate and conduct important transactions on the two social media platforms,” ACLU National Security Project director Hina Shamsi wrote to Gizmodo. “The order also harms the privacy and security of millions of existing TikTok and WeChat users in the United States by blocking software updates, which can fix vulnerabilities and make the apps more secure.”

“In implementing President Trump’s abuse of emergency powers, [Commerce Secretary Wilbur Ross] is undermining our rights and our security,” Shamsi added. “To truly address privacy concerns raised by social media platforms, Congress should enact comprehensive surveillance reform and strong consumer data privacy legislation.”


DISCUSSION

While I do absolutely think the US needs laws similar to the EU’s GDPR (which requires that local data remain local, among other protections), I don’t see how this order is actually legal or constitutional in any way, shape, or form. Even if the company absolutely is shipping American data to the CCP (and it is), you can’t just cite “xxx concerns” to justify illegal or unconstitutional actions. There are proper legal processes to fix this sort of thing.

So how about we do this the right way and pass some GDPR-style consumer protections in the US, and use that to punish violations properly?