TikTok Used a Loophole to Collect Device Identifiers on Android for Over a Year: Report

TikTok's Android app reportedly collected unique identifiers from millions of mobile devices for at least 15 months, ending with the release of an update in November last year. The unique identifiers that the short-video app collected, called media access control (MAC) address, are mainly used for serving personalised ads. The latest revelation comes just days after US President Donald Trump passed an executive order to ban TikTok in the country. The app is alleged to help the Communist Party in China keep an eye on the US government.

The tactic used by TikTok for collecting MAC addresses of Android users appears to have violated Google policies, reports The Wall Street Journal. The platform owned by Chinese Internet company ByteDance is said to have ended the practice through an update released on November 18.

Back in 2013, Apple prevented third-party app developers from collecting MAC addresses of iPhone users. Google followed that suit in 2015 and restricted Android apps available on Google Play from collecting “personally-identifiable information or associated with any persistent device identifier” including MAC addresses and IMEI numbers. However, TikTok reportedly bypassed Google's restriction by using a workaround that was deployed through a “more circuitous route.”

The Wall Street Journal found through an investigation that TikTok bundled the MAC addresses it collected from Android devices with other device data and sent it to ByteDance when the app was first installed - just after a user accesses it for the first time. The other device data is said to include a 32-digit advertising ID that allows advertisers to understand user behaviour without providing any personal details of the users. Nevertheless, users can reset the advertising ID from their devices that is unlike the case of the MAC address, which can't be reset even if the hardware is formatted.

A study cited in the report revealed that in 2018, nearly 350 popular Internet-driven apps on Google Play had used the Android loophole that was leveraged by TikTok. A researcher has also been quoted in the report saying the flaw was widely known but yet to be fixed by Google. However, Google didn't provide any comment on the matter when reached out by the publication.

The MAC address could be used by advertisers and third-party analytics firms to track consumer behaviour persistently as it can't be altered or reset. However, the report by The Wall Street Journal notes that TikTok stored most of the user data it transmitted in an “extra layer of custom encryption.”

A TikTok spokesperson said that the current version of its app doesn't collect MAC addresses. “Like our peers, we constantly update our app to keep up with evolving security challenges,” the spokesperson said.

The timing of the fresh discovery is quite interesting as the Indian government banned TikTok in late June and the US is also following that move. The executive order passed by the US President last week could cut it off from both Apple App Store and Google Play as well as make advertising on the platform illegal. At the same time, companies including Microsoft are showing interest in acquiring TikTok global operations to utilise its distinct presence in the market.

In 2020, will WhatsApp get the killer feature that every Indian is waiting for? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts or RSS, download the episode, or just hit the play button below.