
U.S. Navy bans TikTok from government-issued mobile devices - swat535
https://www.reuters.com/article/us-usa-tiktok-navy/u-s-navy-bans-tiktok-from-government-issued-mobile-devices-idUSKBN1YO2HU
======
40four
After reading this post a couple weeks ago
([https://news.ycombinator.com/item?id=21725139](https://news.ycombinator.com/item?id=21725139)),
banning the app sounds like a good idea. I’m no expert on security, but the
situation regarding Tik Tok’s practices sounds really bad.

~~~
anaphor
As soon as I heard about it, I knew right away that they would have some shady
practices around how they handle user data. You don't grow that quickly
without not having robust data protection safeguards/policies, let alone being
run by a company in a jurisdiction not known for their robust data protection
laws (to put it nicely).

------
angry_octet
Doesn't matter, they have it on their personal phone.

App security is so bad that you pretty much need to virtualize the phone and
feed it fake sensor data. The whole idea of unrestricted network access is
stupid.

~~~
SpicyLemonZest
> App security is so bad that you pretty much need to virtualize the phone and
> feed it fake sensor data.

Yeah, this is really bizarre to me. I was trying to check on volume levels
through walls in my apartment, so I wanted to find some random decibel
measuring app and lock it down so I don't have to worry too much about
trusting it. But somehow Apple's permission model, which provides a whole pile
of privilege switches _including mobile data_, has no way to completely
revoke Internet privileges for an app.

~~~
manwe150
Honest question: but what’s the threat model for wanting an OS to block this?
I’ve so far only thought of leaking IP address and Bitcoin mining. But any
website already easily has both capabilities (with somewhat arbitrary open
sockets after the WebSockets handshake). Is the expectation that an app
implementation should have less permissions than an equivalent website and so
be the “safer” option?

~~~
SpicyLemonZest
I want to ensure that the app is just locally computing the decibel level,
rather than streaming out data about what it's hearing.

I would ideally want websites to also have a "no more network access after
your initial load" mode, but as you say that's fundamentally incompatible with
modern web development. So I kinda just accept the loss there.

------
kccqzy
I'm surprised there's even a blacklist of apps for work phones. Shouldn't
there be a whitelist instead?

~~~
Diesel555
That is how it actually works. There is an approved-app App Store. You have to
go through a whole process to get it approved (I've tried). What the article
really means to say is that it's been removed from among the approved apps.

------
Operyl
Since I’ve seen this asked elsewhere:

There is a legitimate usage for these kinds of apps on some devices. Armed
services recruiters tend to use various social media apps to communicate with
people they are trying to recruit.

~~~
NullPrefix
Security researchers have a legitimate use of computer viruses. Behavioural
analysis or whatever else.

Does your grandma have the same legitimate use case?

~~~
Operyl
I do not quite see that as a fair or valid comparison. Recruiters are trying
to target 18 year olds, and the reality is a lot of these 18 year olds
(outside of the tech field) prefer to use Snapchat, Facebook, etc to
communicate. They’re not using these apps to communicate classified
information.

~~~
NullPrefix
My point is that the Navy has roles other than Recruiter.

------
aritmo
I have watched hundreds of TikTok videos. The adults featured on the videos
are less than 5%.

~~~
charlesju
I think it's probably more for security reasons -- ie. they can be passing a
dot map of all the Navy personnel around the world and their traveling
patterns to the Chinese government.

~~~
vesche
Related (fitbit/strava leaking overseas military base layouts):

[https://www.theguardian.com/world/2018/jan/28/fitness-tracki...](https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases)

------
m0zg
It's absurd that _any_ non-sanctioned software was ever allowed on US Navy
phones, let alone apps developed by a major adversary known for pervasive
metadata collection. WTF kind of total and utter incompetence is this? Sounds
to me like a major house cleaning is needed.

------
noobermin
How many gov-issued phones have TikTok? Instagram? If they want to make posts
on official accounts shouldn't they do it in a more secure way anyway?

------
stjohnswarts
This is the right thing to do, but they need to do a lot more.

------
theklub
It took that long? Seems like they should have all apps banned and then
approve the handful they want.

------
cm2187
What sort of vetting does Microsoft do on drivers written by manufacturers
that ship with Windows?

~~~
wyldfire
Traditionally they have done testing for WHQL certification. It may make sense
for them to do analysis or reversing in order to raise the bar. Or maybe
change the design of the NT kernel to isolate device drivers better.

~~~
cm2187
Does that do anything to uncover backdoors? Particularly if they have all the
appearance of a bug.

------
rolltiide
and then a Chinese company buys an American app that already has all the data

~~~
thrower123
By now, I'd be relatively certain that all but the absolute blackest sites are
mapped comprehensively with publicly available app data.

~~~
rolltiide
An American financial service that I had multiple accounts with was just
bought by a Chinese organization. There was nothing obscure about the service
nor was there publicly available data about my accounts.

~~~
technofiend
I'd say buying Experian is the nightmare scenario but all that data has
already leaked. So maybe buying a major US bank like Wells Fargo is the way to
go if someone wants more detailed data about American spending habits. I'm
sure it's why Google's Project Cache is extending their reach to banking in
2020.

------
Priem19
Perhaps I should sell the U.S. Navy on my website
[https://www.quitfacebook.org](https://www.quitfacebook.org).

------
nvr219
Why was it ever allowed on these devices in the first place?

------
Trias11
Why's "ban" needed?

Government should have full control over government issued devices and only
whitelisted modifications should be allowed.

If it's not this way - someone at government should be held accountable for
jeopardizing the security of the nation.

~~~
kova12
Because employees feel that they deserve to use Facebook and such on their
government issued devices, and if you deny them their God given right, you are
racist, sexist, and otherwise despicable person

~~~
braythwayt
> Because employees feel that they deserve to use Facebook and such on their
> government issued devices

True, and contributes to the discussion by pointing out that morale is a
tricky thing.

> if you deny them their God given right, you are racist, sexist, and
> otherwise despicable person

This is _at best_ hyperbole. It has no insights, adds nothing of intellectual
interest to the conversation, and falsely equates "I'm not getting what I
want" with "Accusing other people of being racist and/or sexist."

That last bit is not only way off-topic for this, but it's an ugly and false
smear that drags the level of conversation into the mud.

------
dwmcqueen
I first read this as banning Twitter from all government devices and thought
it was an early Christmas present for America.

------
diminish
Now the world will see Google & Facebook & Apple as security threats.

~~~
freeflight
Don't forget MS. Took German privacy regulators until recently, more than 3
years after the release of Windows 10, to notice that the thing is phoning
encrypted data home even after disabling as much of that stuff as possible.

Their final conclusion is that using Windows 10, in a data privacy-compliant
way, is only possible with a "rest risk" [0]. Too bad that by now Windows 10
is not just in wide use among businesses, but also the de facto government OS,
most of these installations running default settings.

Same deal with Intel's ME: The German Federal Office for Information Security,
a bit like the IT department for the government, rated Intel ME's risk as high
early 2018 [1]. Yet no actual consequences besides that release, government
systems still running Windows 10 on Intel platforms.

So while a lot of the threats are known and acknowledged, nobody seems to
really act on these findings.

[0]
[https://www.heise.de/newsticker/meldung/Datenschutzkonferenz...](https://www.heise.de/newsticker/meldung/Datenschutzkonferenz-Hohe-Huerden-fuer-den-Einsatz-von-Windows-10-4584678.html)

[1]
[https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2018/...](https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2018/01/warnmeldung_cb-k17-2012_update_1.html)

------
Phylter
They need to ban Chinese anything from US government anything.

~~~
dang
Please don't post unsubstantive comments here, and certainly not nationalistic
flamebait. We don't need yet another nationalistic flamewar.

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

~~~
pbhjpbhj
I'm not sure that's fair. To me GP comes over as jingoistic nationalism, but
it also seems to have a substantive basis - the idea that foreign nations
should be ejected at all levels from a government's internal systems?

I'd really like to ask "should other nations eject all USA companies products
from their governmental systems too?" (because I'm really curious how an
apparent ultra-nationalist sees that?), but you've decided we can't explore
that avenue.

Sure, if things get pejorative cut it off, but conversations here tend to
have a higher standard of discourse and excluding anything that might get
touchy, IMO, unnecessarily limits the topics we can [usefully!] address here.

We can't learn to understand one another if we're afraid to enter discourse on
the tricky topics. Yes, there are other places, but this is special here
somehow; I think we, HN, as a community can explore these ideas intelligently
and maturely with perhaps a slightly lighter tiller.

~~~
grzm
A key difference between your comment here and the one 'dang is responding to
is that yours is conducive to continuing such a conversation in a constructive
manner and the latter is not. I find that's very important in engendering the
kind of environment you're striving for. That's how I read 'dang's
admonishment: it's unsubstantive and flamebait because it doesn't provide much
leverage to continue a meaningful conversation and rather encourages knee-
jerk, similarly unsubstantive comments (as you've noted in describing it as
coming across as "jingoistic nationalism").

(I'll leave this now as continuing a meta-discussion is something these
threads often need less of, and I don't have a lot to add beyond this.)

------
dmix
Just what the Navy needs, more hyper bureaucracy for some weak attempt at
security.

~~~
noja
Hyper bureaucracy? It's a whitelist for trusted apps on a government device.

~~~
dmix
One-off bans make more sense; a whole unit set up to pre-approve millions of
potential apps is crazy-town.

Then they use Google Chrome and hit a phishing-hole site and get their phone
owned. But don't worry, they weren't allowed to install Netflix!

The problem here is open-source intelligence because TikTok is very popular
among young members who spend all their free time in their bunk on their
phone. Limiting the apps _might_ help with that, but I'm highly skeptical.
There's already plenty of restrictions on social media use for armed-forces
members. I believe that path is the way to go - create restrictions on posting
personal information.

Having some paper pusher unit pre-approving millions of potential apps sounds
like a giant waste of time. It makes a lot more sense to react to bad stuff
(like one-off reactions for a massively popular video sharing app with sketchy
Chinese ownership) than pre-emptively ban everything, simply because it won't
do much for security beyond what Apple and Google are already doing in the app
store.

~~~
noja
So because it adds a layer of security rather than 100% watertight perfection,
it is bad?

~~~
dmix
Explain to me how it's useful for security? Because I can guarantee you it
will be a giant time-and-money waster with plenty of arbitrary rules that do
nothing for security.

There's millions of apps and tons come out every year. This nation-wide 'unit'
will have to be constantly 'measuring them for security'. This isn't going to
accomplish much of anything.

Either have a secure phone with pre-installed apps (ie, just a browser plus
encrypted phone/messenger, military mapping tools, etc) and let them install
nothing (which means they'll just use their private phone anyway for the
OPSEC fail stuff). Or let them do whatever and selectively ban the ones like
TikTok which are _massive_ surveillance potential just based on its popularity
alone. This one-off, watch-for-bad-stuff-and-react approach makes far
more sense to me.

~~~
noja
They have identified TikTok as a threat, and so they have removed that threat.

~~~
dmix
Yes and I'm advocating to continue taking that one-off approach instead of
making some "ministry of apps" in the Navy to pre-approve every one of them.

------
aritmo
This is silly. Do they allow any other social networking apps at all on
government-issued phones?

edit: TikTok makes sense for recruiting, and apparently it is currently used
in the UK.

~~~
ngold
It would be hilariously tragic if a major government official used twitter for
communication.

~~~
doublement
I think they all do now. You have to engage with people where the people are.

~~~
snakeboy
I think it was a Trump joke.

~~~
doublement
I know that was the intent, but the reality is that eschewing Twitter gains a
politician nothing, and costs them an audience.

------
rshnotsecure
Not surprising. For several days now TikTok has left the information of 700
million of their users available via an open S3 bucket. It is online now at
this very moment and includes IDFAs from Apple as well as, interestingly,
although I bet American companies do this too, the MAC Addresses. This is
significant because my understanding is that Apple rotates / randomizes the
MAC address because those can be used to, quite effectively, track individuals
anywhere in the world (I would say it is better than GPS often at this point,
especially indoors). Storage is cheap so maybe everyone stores them these
days, or perhaps someone has found how to guess the rotation pattern
(completely unproven theory that is likely wrong but only thing I can think
of).

The coverage that Skyhook claims to have for instance is extraordinary
considering this is totally reliant on Wifi points and cell towers:
[https://www.skyhook.com/Coverage-Map](https://www.skyhook.com/Coverage-Map)

~~~
brobinson
Source? Also, will you post a source for your claim that ProtonMail is
compromised? (I remember your username from a thread a few weeks ago)

~~~
rshnotsecure
Compromised and front company are different things I want to emphasize.
ProtonMail hasn’t been hacked, it is a deceptive (and smart) company. So again
want to make that distinction. For instance,
[https://joesdatacenter.com](https://joesdatacenter.com) and
[https://datacenterwest.com](https://datacenterwest.com) are front companies.
On the other hand, Facebook is just a kind of sad company that has been
compromised obviously many times but isn’t a front company and I very much
believe Mark Zuckerberg established it with the best of intentions.

Well I posted Part 1 of Credit Karma stuff please look at
[https://blog.12security.com](https://blog.12security.com)

~~~
jc__denton
Can you explain or cite sources for how Joe's is a front company?

