September 21, 2020

TikTok tracked Android user data despite Google privacy protections

The practice ended in November, but the news still comes at the worst possible time.


  • TikTok tracked the MAC addresses of Android phones despite Google’s privacy protections.
  • The practice ended in November.
  • The news comes just as the President is threatening a ban on the service for potential spying.

TikTok already faces the threat of a US ban due to concerns about potential Chinese spying, and its latest privacy incident won’t help matters.

The Wall Street Journal has learned that TikTok’s app was tracking the MAC addresses (the hardware identifiers for networked devices) of Android users for at least 15 months despite Google policies and systems forbidding the practice. It reportedly used a well-known “workaround” security hole to get the data, as well as an “unusual” extra layer of encryption that masked the approach.

The company didn’t notify TikTok users or give them a choice regarding the data collection. When users first ran the app on a new device, TikTok bundled the MAC data with information including the semi-anonymous advertising ID used to track user behavior. You can reset the advertising ID on a phone, but you can’t change the MAC address.

TikTok ended the tracking with an update on November 18, the WSJ said. TikTok didn’t directly address the claims when the newspaper reached out for comment, but did say the “current version” of its app doesn’t gather MAC addresses.


Google said it was investigating both the report’s findings and those of an anonymous Reddit post from April, but it declined to comment on the loophole. AppCensus’ Joel Reardon said he filed a bug report with Google about the hole in June 2019, but the flaw was clearly exploitable past that point.

There’s no mention of similar tracking for iOS users. Both Apple and Google officially banned apps from reading MAC addresses several years ago.

The behavior isn’t unique to TikTok: AppCensus estimates that about 1.4% of Android apps exploit the loophole to send the MAC address. The encryption was odd, however, and it wasn’t clear just what TikTok’s intentions were for the data. The report also follows just weeks after iOS 14 revealed that TikTok was accessing iPhone clipboards more than necessary.


The findings come at the worst possible time for TikTok. President Trump and other American politicians are pushing for TikTok to sell itself to a US company over concerns its Chinese parent company ByteDance might ask it to collect sensitive data for surveillance. TikTok has always denied collecting data for China and made a point of distancing itself from ByteDance, but this could easily fuel suspicions even if the data is used only for advertising and other business purposes.

There are already calls for action, too. Senator Josh Hawley, a politician known for criticizing the behavior of internet companies, told the WSJ that Google should pull TikTok from the Play Store due to both breaking the rules and possible violations of child privacy laws. This won’t necessarily lead to legal action beyond the potential ban, but it’s evident that both Google and TikTok might have to answer more questions.