My TikTok Challenge

Published: [2020-08-12 Wed]

What has the world come to? The thought is preposterous! Why would I create a TikTok challenge? Well, it’s not what you think.

The war against software

We live in interesting times. If everything continues status quo, in a few more weeks TikTok, WeChat, and other software applications owned by Chinese companies will be banned in the United States.

It is unclear how such a ban would be enforced. However, the root cause is very clear: there is a growing distrust between the United States government and the People’s Republic of China.

It’s like taking candy from a kid!

Why care about TikTok? If you are a parent, then you might be thankful at the prospect. TikTok runs up your phone bill. “Kids these days!”

If you are a teenager, then you are probably watching an indignant rant on TikTok right now. “How dare you take away my free candy!” But on the off-chance you are the “Breakfast Club” type who swims against the stream and reads this blog, then please bear with me. I have a third option that can make everyone happy. Well, almost everyone.

What will the ban look like?

Hmm… Let me dig out my crystal ball with the “Intel inside” sticker. (Ever since Meltdown, I think it’s been hazier than it used to be.)

As a programmer, I can testify first-hand that installing contraband software is nothing new. I can envision all kinds of “dark net” tutorials about installing TikTok after it becomes contraband software. I can also predict which routes many of the tutorials will take:

  • Download the APK from a shady website and sideload it.
  • Sideload a third-party App Store that lets you install TikTok. (Who knows what nefarious tasks the third-party App Store executes in the background.)
  • Install a proxy client that connects to a shady endpoint. Then, install some software that installs TikTok (as well as other spyware for which you did not ask).

Installing contraband software is nothing new. When I was in high school, “jailbroken” iPhones and iPod Touches were the hot things. There were all sorts of tutorials about how to jailbreak a device. Some were legit, and some were not. Once jailbroken you could run software that Apple did not approve, some of which (sadly) were cracked apps.

Further, someone who lacked the tech skills to jailbreak his own device simply paid a tech-savvy friend to jailbreak the device for him. If a baseline of tech talent is required to install a highly demanded application like TikTok, then you can bet an enterprising teenager is going to offer his underground IT services.

And don’t give me the excuse that Android phones by default don’t let you sideload APKs. Disabling that security measure is trivial. Also, don’t give me the excuse that the iPhone won’t let you install unsigned software. I know it’s possible because I did it in high school.

Summary: a ban is going to be ineffective and will open up more attack vectors (third-party app stores, undocumented hacks, etc.).

My TikTok challenge: show us the source

A hard ban is undesirable from a technical standpoint. So, I propose another way:

Publish the source code of TikTok, WeChat, and all other software in question. Publish both the client and the server source code but keep ownership of the infrastructure and trademarks.

My reasoning: the security and trustworthiness of the applications have been called into question at the level of national security. What we need is a code audit to verify or refute that trust. Publish the source code and let the United States government commission a task force to audit the code (or better yet let the eager security researchers do it for them) and look for obvious signs of malware.

If the sniff test passes, then we can do deeper audits. If there really is malware, then someone will find it eventually. If there isn’t any malware, then US users can keep using TikTok, WeChat, and the like with the knowledge that their data is safe. As a general rule, if you want full transparency then insist on open source software.

Either way, the security researchers will have something to do, the government will have another legitimate excuse to spend money, and most importantly teenagers will have a digital pacifier that keeps them out of trouble.

Of course, I doubt we are going to see any source code at all. The issue is too politicized, and ByteWave would be worried about someone starting a TikTok competitor.

So if you are a tech-savvy teen, then get ready to post your consulting rates on your Instagram feed. Your peers will desire their bread and circuses rather strongly over the next few months.
