TikTok Collected MAC Addresses Via Android Vulnerability


The ongoing controversy surrounding TikTok escalated on Thursday, January 14, when the service was accused of spying on millions of Android users using techniques banned by Google.


According to the Wall Street Journal, TikTok bypassed Android's security mechanisms with a technique hidden behind an unusual additional layer of encryption and collected unique identifiers from millions of devices, which let the service track users online without offering them any choice. The publication reports that TikTok exploited a "loophole" in the mobile OS for 15 months to collect MAC addresses and stopped the practice in November 2020.


When installing and first opening the app on a device, TikTok sent the MAC address along with other device data to its parent company, ByteDance.


Under the US Children's Online Privacy Protection Act (COPPA), MAC addresses are personally identifiable information. They are unique identifiers found in all smartphones connected to the Internet, including Android and iOS devices. MAC addresses can be used both for targeted advertising and for tracking users and building profiles of them.


As representatives of the service told the Wall Street Journal, "the current version of TikTok does not collect MAC addresses."


Apple iOS has blocked third-party services from reading MAC addresses since a security feature was added in 2013, but Android still allows it. The vulnerability was discovered by a security researcher named Reardon, who notified Google of it in June 2020. According to the researcher, he was very surprised that the vulnerability is still present in the latest versions of Android. In response to Reardon's notification, Google said it already had a report on the vulnerability.

