• The popular TikTok app has been collecting personally identifiable user data, a new investigation shows.
  • TikTok exploited a still-active loophole that allowed it to bypass Google’s privacy requirements for Android app developers.
  • TikTok accessed MAC addresses on Android for at 15 months and used an additional layer of encryption to hide this collection of data.
  • The TikTok user tracking feature was removed in November, at a time when Google was already aware that apps were exploiting the Android security loophole.

ByteDance and its popular app TikTok have faced intense scrutiny in the US lately, with the Trump administration accusing voicing security concerns about the app. The government shared its fears that the app could collect user data that could then be used by the Chinese government, and told ByteDance to sell its TikTok operations in America. Separately, Trump issued a new executive order that would prevent ByteDance from doing business in the States.

It turns out there is a cause of concern when it comes to user data. TikTok has been collecting sensitive data from Android users up until last November, taking advantage of an Android loophole that other apps use, skirting Google’s privacy rules for Android. It’s not just TikTok at fault for tracking users, as Google had not patched that exploit even though it knew about its existence.

An investigation from The Wall Street Journal shows that TikTok was collecting the MAC addresses of Android devices, in violation of privacy safeguards that Google has in place for Android.

The MAC addresses are unique identifiers for every device that can connect to the Internet, smartphones included. MACs can be associated with other app data from the same phone and other sources to track users online. Apple stopped making MAC data available to apps in 2013, and Google followed two years later.

TikTok said earlier this year that its app collects personal data less than Facebook and Google. At the time, it wasn’t known the app was tracking users via MAC data. A company spokesperson told The Journal that “the current version of TikTok does not collect MAC addresses.” The harm may already be done, however.

TikTok used a workaround to bypass Google’s MAC collection restrictions in Android, the report notes, and then it hid its actions under a supplementary layer of encryption. TikTok’s internet traffic is already encrypted in transmission, which is a common practice for most internet traffic nowadays. However, TikTok added an extra layer of custom encryption that served no security purpose other than to hide the fact that MAC addresses were collected.

The way TikTok collected user data allowed for perpetual user-tracking:

TikTok bundled the MAC address with other device data and sent it to ByteDance when the app was first installed and opened on a new device. That bundle also included the device’s advertising ID, a 32-digit number intended to allow advertisers to track consumer behavior while giving the user some measure of anonymity and control over their information.

That advertising ID can be reset, but if someone has access to the MAC information, they could just pair the new advertising ID with the MAC address. The only way to get out of this would be changing phones and removing TikTok.

TikTok collected MAC data for 15 months before the feature was removed.

Google shares the blame here, considering The Journal’s findings. TikTok wasn’t the only app abusing the loophole. The security hole is widely known, Joel Reardon told the paper. Reardon is an assistant professor at the University of Calgary and the co-founder of AppCensus. The company looked at 25,152 popular Android apps in 2018 and found that 347 of them were accessing MAC addresses.

Reardon filed a formal bug report about the issue last June, as he discovered the latest version of Android did not fix the problem. “I was shocked that it was still exploitable,” he said, adding that Google told him it had a similar report on file at the time he filed his finding. Google confirmed to The Journal is investigating TikTok’s collection of MAC addresses but declined on commenting about the security loophole.

Microsoft, which has shown interest in purchasing the US portion of TikTop, also declined to comment on whether it knew about TikTok’s data collection.
On a different note, this whole security issue shows that if there’s any sort of loophole in an operating system, those who will find it can abuse it. Replace loophole with encryption backdoor, and you get the same result, albeit with a lot more serious consequences.

The full WSJ investigation is worth a full read, and it’s available at this link.

Chris Smith started writing about gadgets as a hobby, and before he knew it he was sharing his views on tech stuff with readers around the world. Whenever he's not writing about gadgets he miserably fails to stay away from them, although he desperately tries. But that's not necessarily a bad thing.