TikTok says staff in China can access UK and EU user data

4 comments
  1. https://www.reddit.com/r/privacy/comments/qojbxx/just_a_quick_reminder_that_tiktok_is_spyware_and/

    https://dw.com/de/tiktok-wechat-co-wie-kommt-die-spyware-ins-smartphone/a-54648705

    > The accusations against the Chinese app TikTok and countless other Chinese apps weigh heavily: The programs are said to siphon off a wealth of information about their users. This is data that has nothing to do with the actual function of the app and for whose collection there is no reasonable justification.

    > “In the case of TikTok and the other malware apps, the app is not innocent and is compromised,” says IT security expert Stefan Strobel, “but the developer of the app has built backdoors, spying functions and other things into his app from the start and has also gone to great lengths to ensure that no one notices.”

    > The founder and CEO of the IT security company CIROSEC advises German medium-sized companies on IT security. Some of them are active in China themselves. And so Strobel has gained relevant experience with Chinese apps. In his view, the popular Chinese apps TikTok and WeChat are just the tip of the iceberg.

    > WeChat is a universal app that combines messaging with payment functions and other social media applications. It is very popular in China, and there is little doubt among IT experts that all the data that flows through it is almost completely captured by the Chinese regime.

    > Why is the app hiding something from me?

    > We’re talking about thousands of often free apps, but also commercial ones. “Again and again, you notice that a lot has been invested there for strange reasons to make it more difficult to analyze the apps,” says IT security expert Strobel. “And if you then go to even more trouble and try to bypass these protective features so that you can even understand how the app was programmed, then you realize that there’s a lot of data being collected, being sent to China. Data that isn’t actually necessary.”

    > Many apps appear inconspicuous and harmless at first. Then only a small backdoor is built in. The attacker can use this later. “Even if you look at the app now, and it only does harmless things, then the Chinese manufacturer is often able to extend the functionality at runtime,” Strobel says. “All of a sudden, the app is doing completely different things without that being reloaded from the app store somewhere.”

    > “It’s not so bad, everyone does it that way” – not true!

    > This is in no way comparable to regular live updates, such as those offered by Western software developers to their customers, he said. For example, he said, the runtime updates of the Chinese spy apps should not be compared with updates such as those carried out by Microsoft Office. “With MS Office, I can agree as an end user that an update is applied,” Strobel said. “The Chinese apps do that completely unnoticed by the end user, without them noticing anything that’s being updated – possibly even while they’re working with the app.”

    > TikTok is an example of how the attackers are very clever. Initially disguised as a harmless gimmick, the app’s data appetite grows with time and success. Only when a large number of users use it does a pull effect develop. “And when the app reaches a coolness status and goes viral, and people say, ‘Hey, you have to have this,’ then at some point the manufacturer can expand the permissions and then the person who installs it has to agree to even more,” the IT expert describes the attackers’ strategy.

    > In this way, the list of permissions that the user grants to the app grows. Many users also don’t understand all the things the app asks them to do. If a dialog box appears, they simply agree. And suddenly the app has access to the user’s current location, can query where he or she is at any time, and may have access to contacts and the calendar. Those who want to use the app must then accept this.

    > No chance with preinstalled spy apps

    > It’s not just about apps that you actively download from the app store yourself. Often, the malware is already installed on the smartphone when it is purchased.
