Skip to main content


You are here:

TikTok bans are a long overdue wakeup call for mobile security

On the surface, TikTok is a popular video sharing app where cool kids gather virtually to share the latest viral content, from dance videos to memes and challenges. It is as seemingly trivial as a socially enabled app can be. Yet, after the Canadian government’s decision to ban the app on all federal employee devices, businesses everywhere must ask themselves a simple question: should their employees be allowed to use TikTok on their company devices? Or, should they follow the government’s lead and issue their own removal notice?


The Canadian move echoes similar moves in recent weeks by the U.S. government, the European Union, and at least half of all American states. It falls short of a full-on national ban, however such legislation has been proposed in the U.S. Nevertheless, this marks a serious foreign policy rebuke from Canada to China.

The growing global turbulence around TikTok reinforces the disparity between its populist perception as a non-threatening app, and accusations that it represents a major security threat on a personal, organizational, and national level. If we were talking about any other app, it would be a no-brainer: delete it outright and get on with our lives. But TikTok has become Gen Z’s de facto digital gathering place. Kicking its algorithmically fed habit won’t be as easy as simply quitting the platform, and the ripple effects could have a far-reaching economic impact.


While this particular action by the Canadian government targets this one particular app, on federally issued devices, it really serves as a sobering warning to businesses, as well. More bluntly, if this specific app is worrisome to the feds, then it should be worrisome to everyone else, too. 

In fact, organizations whose employees use mobile devices for work – in essence, all of them – are now on notice that their corporate security could be exposed to unnecessary risk simply because workers decided to watch a viral video, or two, or ten, during their break.

In fairness to TikTok, all apps, particularly social media ones, engage in data harvesting to a certain degree. They all ask for certain accesses and permissions – camera, mic, contacts, location information, etc. – upon installation, ostensibly to feed the multibillion-dollar marketing machine that underpins the digital economy. But most users are too focused on getting on with their day to fully read and appreciate what they’re consenting to, or the privacy implications of that consent.

But TikTok presents two unique concerns for businesses. First, it collects far more data than equivalent social media apps. Second, unlike most American-owned social platforms, TikTok is owned by a Chinese company, ByteDance. And as Chinese companies are all required by Chinese law to hand over data if the Chinese government requests it, it presents the very real risk that an employee’s lunchtime video habit could lead directly to corporate data ending up on a Chinese server and accessed by Chinese government officials. From a cybersecurity standpoint, this is terrifying!

This is no longer about delivering targeted ads to sell us stuff we never asked for. It’s about a foreign government with a troubling human rights track record potentially getting its hands on our organizational secrets.

Now, ByteDance rather vehemently denies end-user data is stored in China. Senior leaders have said data from North American users is stored on servers in the U.S. and in Singapore. They further deny they have any deal with the Chinese government, or that they’ve ever been asked to hand over data. They say if they were asked, they would refuse.

But audio recordings leaked from dozens of internal TikTok meetings last year showed employees in China repeatedly accessed data via a number of backdoors built into the platform.

Should organizations, then, trust that their data isn’t being stored and shared within Chinese borders? No. Should they worry that TikTok-using employees are making it possible at all for the data to be shared in the first place? Absolutely.


To be fair, every app represents a potential source of data leakage. While TikTok’s uniquely data-hungry architecture and the geography of its ownership may raise the stakes, the broader issue – where all apps deserve tighter scrutiny – should rank higher on corporate IT’s radar than it currently does.

Organizations that establish well-understood frameworks around appropriate mobile app usage will stay ahead of this fast-evolving threat. Acceptable use policies should clearly define what can and cannot be installed on an organizationally provided device. Similar frameworks should also be implemented for employee-owned devices that are used to access organizational resources.

Apps should be approved based on a simple ROI basis: if the benefit to the business outweighs the risks and related drawbacks of having apps on the device in the first place, then they deserve to be considered in-scope. Similarly, it may turn out that some roles justify certain apps being installed, while others do not. For example, marketing employees responsible for maintaining an organization’s social media presence may have a legitimate reason to use TikTok. But an accountant who just wants to kill time in between meetings would not. 


Whatever the role or the use case, apps that present a clear a present danger to organizational data integrity need to be identified and carefully managed – if not outright banned. Organizations can rein in some app-related risks by dialing back the security settings on end-user devices. It is almost never an all-or-nothing proposition: most apps will continue to work – albeit somewhat less conveniently – even if data tracking and location awareness are deactivated.

It isn’t realistic to expect over a billion people worldwide to suddenly quit TikTok cold turkey. But the rising tide of restrictive new rules being enacted by governments around the world should give pause to business leaders concerned about the pervasive risks of unchecked app use by their employees.

At the very least, it should spark an initial conversation. As a next step, organizations would do well to start tightening their end-user security profiles as they work to educate employees to the risks these seemingly benign apps present.

In fact, there’s nothing benign about them, and the TikTok controversy should serve as a stark reminder to organizations to start taking cybersecurity a lot more seriously than they have been to-date.

Our STEP Software experts work closely every day with clients to identify risk areas within their software estates, then reliably address any gaps. Reach out if you’d like to discuss your own end-user needs.