TikTok Illicitly Gathered MAC Addresses of Android Users for More than a Year


An analysis of TikTok’s Android application revealed that it collected unique identifying data allowing the company to track users online.


TikTok is a popular social media app developed by a Chinese company called ByteDance Ltd. The US government is pressuring the company because it collects data from American users and could turn it over to the Chinese government.


While ByteDance denied such allegations, it’s based in China. The only way it can operate there is by adhering to strict laws that could allow the Chinese government to get access.


TikTok operators have long said that they won’t give any data to the authorities, but the fact that the application was gathering MAC addresses of the devices it was running on makes it difficult to believe them.


Android doesn’t usually allow apps to gather such data, but TikTok used a loophole in the platform’s security controls that allows around 1% of Android apps to collect MAC addresses. According to the investigation spearheaded by The Wall Street Journal, Google said it was investigating the situation, but didn’t elaborate further.


Any device connected to the internet has a MAC address, which is a unique identifier. That address remains the same, and it’s likely used in targeted advertisements. But the address can also be used to follow a device online, posing a much greater security risk.


While both Apple and Google block apps from reading MAC addresses, many developers, including TikTok, figured out a way to bypass the security precautions. The investigation revealed that TikTok collected MAC addresses for 15 months, and the practice ended in November 2019.


“TikTok bundled the MAC address with other device data and sent it to ByteDance when the app was first installed and opened on a new device,” claims the Wall Street Journal. “That bundle also included the device’s advertising ID, a 32-digit number intended to allow advertisers to track consumer behavior while giving the user some measure of anonymity and control over their information.”


When contacted, ByteDance said “the current version of TikTok does not collect MAC addresses.” The app developers didn’t inform users of the practice, and there was no way to opt out.

