TikTok collected Mac Addresses of Android users via a known security loop: WSJ report

TikTok had faced a lot of scrutiny in the past few weeks due to security issues for its alleged ties with the Chinese government. According to the US government, TikTok provides user data to the Chinese government. Till now there was no evidence of TikTok doing what it was alleged. A journalist from Wall Street figured out that TikTok is violating the Google Play’s guidelines and collecting the MAC addresses of Android devices.

TikTok utilized an exploit in the Android OS to track and collect the MAC addresses of the Android addresses. For those who don’t know, MAC is 12 digit address of a mobile device that connects the device to the internet. MAC addresses are useful for the advertiser since they are permanent, which allows them to track a device across the web for building consumer behaviour. TikTok collected the user data for about 15 months until the Android update was released in November. The app used to send the users MAC addresses with the device identifier to ByteDance servers.

TikTok’s team, however, went to great length to conceal the fact of collecting data by covering it under ‘custom encryption’. Nathan Good, a researcher at the International Digital Accountability council, said: “This obfuscation of this data makes it harder to determine what it’s doing. TikTok could be doing this to bypass detection by Apple or Google because if Apple or Google saw them passing those identifiers back they would almost certainly reject the app.”