TikTok has come under scrutiny in recent weeks due to security issues for its allegedly close ties with the Chinese government and for stealing user data and passing it on to China. However, there was no concrete proof of any wrongdoing on TikTok"s part so far. A Wall Street Journal analysis has discovered that TikTok violated Google Play"s guidelines in the past and collected the MAC addresses of Android devices to track users online.
The company used an exploit in Android OS to collect and track the MAC addresses of Android devices. The MAC address is a 12-digit "address" of a mobile device that connects to the internet. MAC addresses are useful for advertisers since they are permanent which allows them to track a device across the internet and build a consumer behavior profile based on that. TikTok collected this data for at least 15 months until an update released on November 18 last year. The app used to automatically send the MAC address along with the device identifier to ByteDance servers when it was first launched on an Android device.
Google Play Store policies forbid apps from collecting "persistent device identifiers" like MAC addresses without explicit user consent. The policy has been into effect since at least 2015. The analysis by WSJ shows that apart from MAC addresses, TikTok was not collecting any unusual amount of user information, and whatever data was collected, they were all disclosed in its privacy policy.
However, the company went to great lengths to hide the collected data by wrapping them in an additional layer of custom encryption. This "obfuscation of this data makes it harder to determine what it’s doing" as per Nathan Good, a researcher at the International Digital Accountability Council. Marc Rogers, VP of cybersecurity strategy at Okta. Inc, believes that TikTok could be doing this to "bypass detection by Apple or Google because if Apple or Google saw them passing those identifiers back they would almost certainly reject the app."
A TikTok spokesperson said that the "current version of TikTok does not collect MAC addresses." WSJ also reached out to Google for a comment which said that is investigating the matter.
Source: Wall Street Journal