TikTok Used Privacy Loophole to Track Android Users’ Data

Google limits how Android apps track users, and it appears that TikTok violated this policy by collecting unique identifiers — called MAC addresses — from millions of mobile devices. In fact, TikTok seemed to have concealed this action via an added layer of encryption. TikTok, which has publicly declared it doesn’t share data with the Chinese government, ended the collection of MAC addresses in November. An AppCensus 2018 analysis found that about 1 percent of Android apps collect MAC addresses.

The Wall Street Journal researchers discovered this TikTok practice, and its end in November, when ByteDance was under increasing U.S. government scrutiny.

MAC addresses are unique 12-digit “media access control” numbers found in mobile devices and “all Internet-ready electronics.” Because it can’t be reset or altered, the MAC address is useful to app developers and third-party analytics firms that “build profiles of consumer behavior that persist through any privacy measure short of the owner getting a new phone.”

Based on WSJ findings, Google is now investigating “the loophole allowing some apps to collect MAC addresses.”

The Federal Trade Commission considers MAC addresses as “personally identifiable information under the Children’s Online Privacy Protection Act.” “It’s a way of enabling long-term tracking of users without any ability to opt-out,” said AppCensus co-founder Joel Reardon, a University of Calgary assistant professor. “I don’t see another reason to collect it.”

To stop third-parties from accessing MAC addresses, Apple locked them down in iPhones in 2013 and “Google  did the same two years later in Android.” But TikTok was able to construct a workaround via a “security hole” that, says WSJ, “is widely known, if seldom used.” Reardon had “filed a formal bug report about the issue with Google last June” and was shocked to find that it was “still exploitable.”

In addition to MAC addresses, TikTok sent the 32-digit device’s advertising ID to ByteDance “when the app was first installed and opened on a new device.” Users can reset the advertising ID, similar to clearing cookies, and “Google’s Play Store policies warn developers that the ‘advertising identifier must not be connected to personally-identifiable information or associated with any persistent device identifier’ … without explicit consent of the user’.”

Google also forbids “ID bridging,” which allows a company such as ByteDance to use the MAC address to “connect the old advertising ID to a new one.” “Your ability to start with a clean slate is lost,” explained Reardon.

AppCensus, however, said that “ID bridging is fairly widespread … but it seldom involves the MAC address.” Further, it studied 25,152 popular Android apps in 2018 and found that “only 347, or 1.4 percent, were seen using the Android loophole to send the MAC address … [and] of those, only 90 were also transmitting the built-in Android ID, which changes if the device is reset.”

Senator Josh Hawley (R-Missouri) stated that, given this information, “Google should remove TikTok from its platform.”