In a monumental first, TikTok is allowing Android users to download and install the app directly from the website.
Totally not a security risk
I mean I'm not surprised
Epic Games does this too [Warning: cancel the download, the point here is the instructions Epic is showing, which is especially dangerous if they don't know what the option does]
Quick enable advanced protection mode lol
Why is it a security risk? If you trust the developer, why wouldn't you trust the app distributed by them?
The thing is that, like with Epic Games, sideloading an app requires unblocking your browser or something to install APKs.
And most users doing that don't know what it does, and that may or may not lead them to install malware by, idk, say some kind of scammer/social engineering at some point.
Installing dangerous malware on Android that can escape the sandboxing and bypass the permission control is highly unrealistic for the vast majority of people if they are using a proper Android derivative that's also kept up-to-date.
A scenario that is actually realistic and what usually happens is that people just install applications and grant them sensitive permissions that allow apps to spy on them. The accessibility permission is especially dangerous and should only be granted as a last resort if you need it.
Nope, social engineering and malware forcing the device admin prompts or otherwise allowing the permission for full screen ads etc.
I have seen this happen, which is why it is still dangerous, when they don't know what unblocking does.
If it's supervised, say by tech savvies, it is fine, but otherwise yeah.
If you sideload a random app, get this prompt, read it, and still press activate, then nothing can save you. Everything is very clearly explained.
Just like a beginner Linux user isn't gonna read all the things it vomits that it's gonna delete their DE, and they're still gonna type "Yes, do as I say!" because they want to install Steam and they don't know what the heck else it would do, I expect, especially with the social engineering level, that people aren't gonna sit and read it.
This is why I'm saying:
get this prompt, read it, and still press activate, then nothing can save you
When's the last time you read a cookie consent prompt? The privacy policy before interacting with a website? The terms of service before ticking that agree box?
You're a user on a tech forum. The average user is much less tech literate. I wouldn't be surprised if a lot of people blanket approve any permission request as a form of habit. No matter whose fault you believe it is, the matter of fact is that people have poor security practices and this is exploited by criminals.
… people just install applications and grant them sensitive permissions …
Seems like the perfect example for this is the Install unknown apps permission required to sideload apps such as now TikTok?
Besides, there are already social engineering attacks that directly send the malicious executable to the victim through messaging apps (example), and legitimate apps requiring this permission only normalises granting it.
There are also issues like this one where the legitimate installer on the legitimate website is replaced by a malicious one. I believe secure app stores verify the downloaded APK matches what was expected.
On Android, this check happens on-device, if there's a trust anchor already (ex, the app's previous version was installed via secure means).
It isn't. Though, sideloaded apps bypass Google Play Protect, but then, that's true for F-Droid apps, too.
The only reason I see TikTok advocating its users do this is so they're decoupled from Google's ban hammer wielded by the US Govt. I remember, sideloading is how WhatsApp navigates/navigated bans forced upon Google by some countries. Hardly nefarious. And not that big of a "security" breach.
If you own a bike, better learn how to gear up & drive safely. Hardly Google's or TikTok's fault, imo.
I'll say it, I hope for the last time:
Social engineering
On top of users circumventing this way not understanding what it does. I wholeheartedly do encourage ways like this indeed, it's why we have alternative app stores on Android, but ByteDance and Epic should seriously guide the users (considering the audiences it's going for) to block it again (for the browser they installed it from, to block it, not necessarily say Epic or TikTok for updates/installations), which is why I said that supervised by a tech savvy like me is fine.
Gotcha.
Though, "social eng" attacks add another human in the loop. I mean, even the all-expensive silicon root-of-trust business wouldn't help. It is an umbrella attack and valid against the security posture of most (if not all) software (not just Linux distros or Android, like you singled them out).
Previously:
Signal doesn't defend against someone shoulder surfing you reading your messages … also doesn't try to defend against malware reading your message database ref.
Chinese spyware? No thanks!
At least American spyware has some limitation, though not many. Which really needs to be improved upon…
True, but I am referring to securing the initial install by pinning the certificate to signed repository metadata, as Accrescent does. I thought Google Play Store did this as well, but I can't find anything about it (in general, so maybe I'm not searching the right things). F-Droid does it too (at least on the server, no clue about the client) by using AllowedAPKSigningKeys in build metadata for reproducible builds (apparently not properly though). This way, the APK can't be replaced by a malicious third party.
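The signer pinning described in that post, as an added example (not code from the thread, F-Droid or Accrescent): before sideloading or updating an APK, its signing certificate digest is compared against a pinned value, the same idea as F-Droid's AllowedAPKSigningKeys. It assumes `apksigner` from the Android SDK build-tools is on PATH for the real run; the pinned digest below is a constructed placeholder, to be replaced by the value recorded from a trusted first install.

```shell
#!/usr/bin/env bash
# Pin an APK's signing certificate before sideloading: the signature must be
# valid AND the signer's SHA-256 digest must equal the value we already trust.
set -u

# Constructed placeholder. In practice, record the digest printed by apksigner
# for an APK obtained through a trusted channel and keep it as the trust anchor.
PINNED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# Read `apksigner verify --print-certs` output on stdin and print the first
# signer's certificate SHA-256 digest as lowercase hex without separators.
signer_sha256_from_output() {
  sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' \
    | tr -d ': ' | tr 'A-F' 'a-f' | head -n 1
}

# Case-insensitive comparison of an observed digest with the pinned one.
# Returns 0 only when both are non-empty and equal.
digest_matches() {
  local observed pinned
  observed="$(printf '%s' "$1" | tr 'A-F' 'a-f')"
  pinned="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  [ -n "$observed" ] && [ "$observed" = "$pinned" ]
}

# Full check on a real file: reject on an invalid signature or a signer change.
check_apk() {
  local apk="$1" pinned="$2" out observed
  out="$(apksigner verify --print-certs "$apk")" \
    || { echo "REJECT: $apk has an invalid signature" >&2; return 1; }
  observed="$(printf '%s\n' "$out" | signer_sha256_from_output)"
  if digest_matches "$observed" "$pinned"; then
    echo "OK: $apk is signed by the pinned certificate"
  else
    echo "REJECT: $apk signer $observed does not match pinned $pinned" >&2
    return 1
  fi
}

# Usage: check_apk downloaded.apk "$PINNED_SHA256"
```

A signer change on update is exactly the case Android itself refuses once a trust anchor exists; this check adds the same guarantee to the first install.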
In an ideal world, where a user could sideload an app without any impact on future installs and be sure that the app is what they want to install, I would agree there is no security risk. However, sideloading an app (in no particular order):
While I agree it is debatable how much risk it presents or the tradeoff compared to bypassing bans, I would argue based on the above there is a risk.
It also lacks any curation, download statistics and reviews, which you can kinda see as verification, but that's a separate discussion if this is a benefit or if it is even effective. ↩️
If a user attempts to sideload a malicious app while the source does not have the Install unknown apps permission, the user is blocked and notified that "for [their] security, [their] phone currently isn't allowed to install unknown apps from this source". However, if the user has previously granted this permission to install a legitimate app and has not revoked it, this security feature/notification is disabled and not shown. ↩️
I would argue based on the above there is a risk
True.
Back in the day, the Android team, who were all about openness, (rightly, imo) opted not to go down the Web PKI route (pin certs or transparency) to keep app signing & publishing process simpler & decentralised. It is a neat trade-off in that the developer & the user remain in control (over what they install from whom) & still not degrade security by all that much.
I am not sure how many people are interested in downloading it directly from the official website, especially after the ban uplifted on it.
after the ban uplifted on it
Trump decreed an executive stay order on the ban for a limited time period, as he couldn't lift it altogether. There's talk of a BigTech backed consortium or the US Treasury (via a soon-to-be formed Sovereign Fund) buying TikTok US.
I would, if I were a TikTok user. I also download WhatsApp from their website via Obtainium. No need to be completely dependent on Aurora Store continuing to work in the future.
That being said, the overlap of people caring about privacy in tech and using TikTok is probably quite small.