Days after US President Donald Trump said he would ban TikTok from operating in the United States, Microsoft has announced it might purchase the popular short-form video app. 

In a blog post, Microsoft claimed its CEO Satya Nadella had discussed buying TikTok with President Trump. "Microsoft fully appreciates the importance of addressing the President’s concerns. It is committed to acquiring TikTok subject to a complete security review and providing proper economic benefits to the United States, including the United States Treasury. Microsoft will move quickly to pursue discussions with TikTok’s parent company, ByteDance, in a matter of weeks, and in any event completing these discussions no later than September 15, 2020," said the company. 

The new structure, said Microsoft, would build on the experience TikTok users currently love, while adding world-class security, privacy and digital safety protections, serving as the operating model for the service to be built to ensure transparency to users as well as appropriate security oversight by governments in the US, Canada, Australia and New Zealand. 

In addition to other measures, Microsoft says it would ensure that all private data of TikTok's American users is transferred to and remains in the US. To the extent that any such data is currently stored or backed up outside the United States, Microsoft would ensure that this data is deleted from servers outside the country after it is transferred, claims the company. 

Joseph Carson, chief security scientist and Advisory CISO at Thycotic, a Washington D.C.-based provider of privileged access management (PAM) solutions, notes, “It is important to note that Microsoft intends to acquire the operating rights of TikTok in the United States, Canada, Australia, and New Zealand but NOT TikTok the company. This raises lots of questions on who will continue to develop TikTok software and whether Microsoft will create a fork in the code, meaning they will create a separate version and maintain it. I don’t see why Microsoft would keep or maintain any infrastructure in China if it is simply just operating the services. In the end, this appears to be mostly an economic and data rights issue rather than a national security emergency. For the majority of TikTok users it simply means a change in where the data is stored, the legal boundaries on access and privacy rights. Microsoft also says they will store data of US citizens in the US, but what does that mean for other countries, including the UK - where will their data be stored and how will they ensure it is GDPR/CCPA compliant? Given the recent failure of EU Privacy Shield, Microsoft would not be able to serve EU citizens storing that data in the USA without complicating EU GDPR.”

Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile phishing solutions, says: “A ban of TikTok won’t necessarily remove it from everyone’s mobile devices. India banned it and that took TikTok off the Apple App Store and the Google Play Store. This didn’t stop consumers from searching for it on third-party app stores, and then cybercriminals exploited the situation by publishing fake versions embedded with malware. In addition, it won’t erase TikTok from the tablets and phones of people who already downloaded the device."

Schless adds, "It would be impossible to actively delete TikTok from every device in the United States. Apple in particular has taken a hard-line approach to not allowing the government or law enforcement access to its devices. It would be up to Google, Apple and Microsoft, as the purveyors of the principal mobile operating systems, to enforce a ban and ensure users delete TikTok. A nationwide ban would also open up opportunities for cybercriminals to fill the appetite for TikTok with malicious versions of it. Considering the young user base that TikTok has, it’s natural for consumers of that age to want something more when it’s taken away from them. In India, cybercriminals distributed a fake version of the “TikTok Pro” app via social media, SMS, and messaging platforms within a week of the nation banning the real TikTok app."

Schless points to recent Lookout research, containing an in-depth analysis of a fake TikTok Pro app distributed in India, which found that it had similar data collection capabilities to the real TikTok app, such as access to location, device sensor data, and contacts, but could never be opened. "The fake app was a piece of toll fraud malware. Because it is a smaller file size (2.2 MB) versus the real TikTok app (55.2 MB), it is cheap, fast, and easy for malicious actors to deliver to victims. The threat actor behind the fake TikTok Pro app in India was able to build and distribute the app in a very short time frame once the ban went out. This exemplifies how cybercriminals could take advantage of a similar situation in the U.S. and profit from the public’s desire for the app or to steal personal data," says Schless. 

"Acquiring TikTok could enable Microsoft to gain a successful toehold in social media if they demonstrate they have shored up the security and data collection policies of the platform. A high-profile acquisition of TikTok may also attract malicious actors. An overhaul of TikTok’s privacy and security practices could create a temporary state of vulnerability with the app. In order to mitigate the risk of in-app compromise, developers should work with security teams to build security into the app to prevent exploitation at run time," says Schless. "Organizations that have employees with TikTok on their smartphones should make sure employee mobile devices are properly secured from mobile phishing and app-based threats. As we saw with Twitter last week, phone spear phishing of company employees led to a very high-profile cyberattack in which the attacker was able to gain access to admin accounts with privileged access to back-end infrastructure.”