At the start of this month, President Trump announced that the US would “close down” TikTok on September 15 unless it was acquired. Data privacy and security concerns have always shrouded the app, and a new report reveals one particular loophole that TikTok exploited on Android to collect MAC addresses.
The report, published today, detailed how TikTok for Android “collected MAC addresses for at least 15 months, ending with an update released Nov. 18 of last year.”
In 2015, Google prohibited Android apps distributed through the Play Store from connecting “personally-identifiable information or associated with any persistent device identifier.” This includes MAC addresses and IMEIs.
However, TikTok leveraged a workaround that the report describes as “circuitous.” That identifier (the MAC address), a device’s advertising ID, and other data are sent to ByteDance the first time you open the app — before users can provide any consent. While the ad ID can be reset, resetting it offers little real protection when each new ad ID can simply be linked back to the same, unchanging MAC address.
The MAC address is useful to advertising-driven apps because it can’t be reset or altered, allowing app makers and third-party analytics firms to build profiles of consumer behavior that persist through any privacy measure short of the owner getting a new phone.
Meanwhile, TikTok also leverages an “unusual added layer of encryption” to conceal collected data. Researchers quoted in today’s piece say there is no real security benefit. Rather, this practice makes it difficult for third parties to examine what information is being transmitted and whether the social media app is following its stated privacy policy.
The company said that the “current version of TikTok does not collect MAC addresses” but otherwise did not comment on its past practices. Meanwhile, Google said it’s examining today’s report.
Author: Abner Li.
Source: 9TO5Google