TikTok Collected MAC Addresses on Android to Track User Data Despite Google Ban: Report

According to the report, TikTok used a loophole in Google's Android platform to read device MAC addresses and bundle them with advertising IDs, without user consent.

TikTok has been in hot water for allegedly collecting user data without consent. Now, a report claims that the Chinese-owned social media platform also collected MAC (media access control) addresses from Android users, a practice Google prohibits.

According to the Wall Street Journal report, TikTok's Android app collected users' MAC addresses for at least 15 months between 2018 and 2019, before an update stopped the collection. This was a direct violation of Google's platform rules: Google restricted apps' access to MAC addresses on Android in 2015, following Apple, which cut off app access to the iOS device identifier in 2013.

But TikTok found a loophole that let it keep collecting MAC addresses, which serve as a unique, fixed identifier for an internet-connected device. That makes the MAC address valuable for targeted advertising and a more invasive way of tracking users than identifiers they can reset.


Exploiting Google's Loophole

The loophole was a gap on Google's side, and most apps avoided using it for fear of being removed from the Play Store. Even so, around one percent of the apps on the Play Store were still accessing MAC addresses, according to a 2018 report by AppCensus, a mobile app analysis company.

Joel Reardon, Assistant Professor at the University of Calgary and Co-Founder of AppCensus, said he was shocked to learn that the loophole was still exploitable and that the latest Android version had not closed it. "It's a way of enabling long-term tracking of users without any ability to opt-out. I don't see another reason to collect it," Reardon told WSJ, adding that he had filed a formal bug report about the issue in June 2020.

Google says it is investigating WSJ's claims. When Reardon reported the bug, Google replied that it already had a similar bug report on file but did not disclose which one.


Privacy Concerns Once Again

Despite repeated assurances from TikTok that it does not collect user data and send it to its parent company ByteDance, data privacy concerns have once again come to the fore. During the 15-month period, the investigation found, TikTok bundled the MAC address with other device data and sent it to ByteDance servers when the app was first installed and opened on a phone.

The data also included the 32-digit advertising ID that advertisers use to track consumer behavior. On its own, the advertising ID preserves some anonymity and gives the user partial control over the information collected: users can reset it, much as they would clear cookies in a web browser.

However, pairing the advertising ID with the MAC address defeats that control. Because the MAC address never changes, the practice, known as ID bridging, let TikTok link a freshly reset advertising ID back to the old one, making the reset meaningless.

"If you uninstall TikTok, reset the ad ID, reinstall TikTok and create a new account, that MAC address will be the same. Your ability to start with a clean slate is lost," said Reardon.
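To make the bridging mechanism concrete, here is an added illustration that is not TikTok's or ByteDance's code: a toy tracker back end that receives the two fields the report describes, the advertising ID and the MAC address, and resolves them to a long-lived profile. The field names, sample identifiers and the reset timeline are constructed for the example. It also handles the one edge case a real bridging back end must get right: the constant placeholder MAC (02:00:00:00:00:00) that Android 6.0 and later return in place of the real Wi-Fi MAC, which must not be used as an identifier.

```python
"""Simulation of advertising-ID bridging via a stable MAC address.

Added example, not code from the original report or from TikTok/ByteDance.
Assumed: a back end receives (ad_id, mac) on first launch and wants the
same profile to survive an advertising-ID reset.
"""
from dataclasses import dataclass, field
from itertools import count

# Android 6.0+ hands apps this constant instead of the real Wi-Fi MAC.
PLACEHOLDER_MAC = "02:00:00:00:00:00"


@dataclass
class Profile:
    profile_id: int
    ad_ids: list = field(default_factory=list)   # every ad ID ever bridged


class Tracker:
    """Links identifiers the way an ID-bridging back end would."""

    def __init__(self):
        self._ids = count(1)
        self.by_ad_id = {}   # advertising ID -> Profile
        self.by_mac = {}     # MAC address    -> Profile

    def ingest(self, ad_id, mac=None):
        """Record one first-launch event; return the resolved profile ID."""
        # Treat the Android placeholder like no MAC at all; otherwise every
        # Android 6+ device would collapse into a single profile.
        if mac == PLACEHOLDER_MAC:
            mac = None
        profile = self.by_ad_id.get(ad_id)
        if profile is None and mac is not None:
            # The bridge: the ad ID is new, but the MAC is already known,
            # so the "fresh" user is attached to the existing profile.
            profile = self.by_mac.get(mac)
        if profile is None:
            profile = Profile(next(self._ids))
        if ad_id not in profile.ad_ids:
            profile.ad_ids.append(ad_id)
        self.by_ad_id[ad_id] = profile
        if mac is not None:
            self.by_mac[mac] = profile
        return profile.profile_id


def reset_scenario(mac):
    """Reardon's scenario: install, reset the ad ID, reinstall.

    Returns (profile before reset, profile after reset). Equal values mean
    the reset gave the user no clean slate.
    """
    tracker = Tracker()
    before = tracker.ingest("6d3f2a1b-0c4e-4f77-9a2d-1e5b8c9d0f11", mac)  # constructed
    # user uninstalls, resets the advertising ID, reinstalls, makes a new account
    after = tracker.ingest("c1a9e7d2-5b3f-4e08-8d6a-2f4c7b9e1a33", mac)   # constructed
    return before, after


if __name__ == "__main__":
    real_mac = "a4:5e:60:11:22:33"   # constructed sample value
    print("MAC sent:       ", reset_scenario(real_mac))        # (1, 1): same profile
    print("no MAC:         ", reset_scenario(None))            # (1, 2): clean slate
    print("placeholder MAC:", reset_scenario(PLACEHOLDER_MAC)) # (1, 2): clean slate
```

With the MAC address in the payload the second install resolves to the original profile, which is exactly the loss of the "clean slate" Reardon describes; without it, or with the platform placeholder, the reset works as intended.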

Google's Play Store developer policy prohibits the practice, but many mobile apps still do it. According to the AppCensus report, of 25,152 Android apps analyzed, 347, or around 1.4 percent, mostly free games, were seen using the loophole to send MAC addresses. Ninety of those apps also collected the built-in Android ID.

[Figure: Google's developer policy, with the passage warning developers not to link the advertising ID to the MAC address highlighted]

"If reset, a new advertising identifier must not be connected to a previous advertising identifier or data derived from a previous advertising identifier without the explicit consent of the user," Google states in its advertising ID policy for developers.

Trump's Potential Ban on TikTok

While TikTok said it had updated the app and that the practice had stopped, the report comes at a time when U.S. President Donald Trump is weighing a ban on the app in the country, citing national security concerns.

Trump issued an executive order earlier this month (August 2020) that would force ByteDance either to sell its U.S. business to an American company or face a ban. The order also bars transactions with ByteDance by anyone under U.S. jurisdiction. The Chinese company has until September 15 to decide, with Microsoft and Twitter exploring a buyout. The app is already banned in India, where it had a user base of over 200 million; in the U.S. the number is over 80 million.
