• Home
  • Apps
  • Apps News
  • TikTok Used a Loophole to Collect Device Identifiers on Android for Over a Year: Report

TikTok Used a Loophole to Collect Device Identifiers on Android for Over a Year: Report

The tactic used by TikTok for collecting MAC addresses of Android users appears to have violated Google policies.

TikTok Used a Loophole to Collect Device Identifiers on Android for Over a Year: Report

TikTok said to have fixed the issue through an update released on November 18

  • TikTok leveraged a flaw in Android to access MAC addresses from devices
  • Google restricted app developers from collecting MAC addresses
  • TikTok reportedly used a workaround to overcome Google’s restrictions

TikTok's Android app reportedly collected unique identifiers from millions of mobile devices for at least 15 months, ending with the release of an update in November last year. The unique identifiers that the short-video app collected, called media access control (MAC) address, are mainly used for serving personalised ads. The latest revelation comes just days after US President Donald Trump passed an executive order to ban TikTok in the country. The app is alleged to help the Communist Party in China keep an eye on the US government.

The tactic used by TikTok for collecting MAC addresses of Android users appears to have violated Google policies, reports The Wall Street Journal. The platform owned by Chinese Internet company ByteDance is said to have ended the practice through an update released on November 18.

Back in 2013, Apple prevented third-party app developers from collecting MAC addresses of iPhone users. Google followed that suit in 2015 and restricted Android apps available on Google Play from collecting “personally-identifiable information or associated with any persistent device identifier” including MAC addresses and IMEI numbers. However, TikTok reportedly bypassed Google's restriction by using a workaround that was deployed through a “more circuitous route.”

The Wall Street Journal found through an investigation that TikTok bundled the MAC addresses it collected from Android devices with other device data and sent it to ByteDance when the app was first installed - just after a user accesses it for the first time. The other device data is said to include a 32-digit advertising ID that allows advertisers to understand user behaviour without providing any personal details of the users. Nevertheless, users can reset the advertising ID from their devices that is unlike the case of the MAC address, which can't be reset even if the hardware is formatted.

A study cited in the report revealed that in 2018, nearly 350 popular Internet-driven apps on Google Play had used the Android loophole that was leveraged by TikTok. A researcher has also been quoted in the report saying the flaw was widely known but yet to be fixed by Google. However, Google didn't provide any comment on the matter when reached out by the publication.

The MAC address could be used by advertisers and third-party analytics firms to track consumer behaviour persistently as it can't be altered or reset. However, the report by The Wall Street Journal notes that TikTok stored most of the user data it transmitted in an “extra layer of custom encryption.”

A TikTok spokesperson said that the current version of its app doesn't collect MAC addresses. “Like our peers, we constantly update our app to keep up with evolving security challenges,” the spokesperson said.

The timing of the fresh discovery is quite interesting as the Indian government banned TikTok in late June and the US is also following that move. The executive order passed by the US President last week could cut it off from both Apple App Store and Google Play as well as make advertising on the platform illegal. At the same time, companies including Microsoft are showing interest in acquiring TikTok global operations to utilise its distinct presence in the market.

In 2020, will WhatsApp get the killer feature that every Indian is waiting for? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts or RSS, download the episode, or just hit the play button below.


For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Further reading: TikTok Android, TikTok
Jagmeet Singh writes about consumer technology for Gadgets 360, out of New Delhi. Jagmeet is a senior reporter for Gadgets 360, and has frequently written about apps, computer security, Internet services, and telecom developments. Jagmeet is available on Twitter at @JagmeetS13 or Email at jagmeets@ndtv.com. Please send in your leads and tips. More
MIUI 12 Update for Mi 10, Select Redmi Note Phones to Roll Out Starting August: Xiaomi

Related Stories

Share on Facebook Tweet Snapchat Share Reddit Comment



© Copyright Red Pixels Ventures Limited 2021. All rights reserved.
Listen to the latest songs, only on JioSaavn.com