WSJ: TikTok used a loophole to track MAC addresses on Android

Google blocks third-party apps from reading the ID, but TikTok went around the protections.


Richard Lawler
August 11, 2020 8:13 PM

The future of TikTok is still up in the air as it’s treated as an acquisition target and security risk all at once, and now the Wall Street Journal is reporting a detail on the kind of information it had been tracking about users. Their analysis of its Android app dug into several versions from 2018 through 2020, and said it “wasn’t collecting an unusual amount of information for a mobile app.”

However, the outlier is that until late last year, TikTok used a known security flaw to get around Android protections that stop apps from tracking users via the MAC address of their device. That code identifies a device on a network and is usually not changed, so someone could track installations across different accounts on the same device and link a person’s ID to a particular piece of hardware.

As the WSJ explains, Google presents an anonymized advertising ID that users can easily reset, as opposed to the MAC address that doesn’t have the same opt-out capabilities. There are other techniques used for this “ID bridging” that don’t involve the MAC address, and according to their investigation, TikTok removed its tracking with an update on November 18th of last year. In a statement, the company said “the current version of TikTok does not collect MAC addresses.”


Tying user identities to hardware in a way that’s tough to change — particularly without notifying them of it — is troubling, and mobile platforms aren’t the only place where it’s popped up. Last year researchers detailed how makers of TV apps on Fire TV and Roku were bypassing advertiser IDs to collect the MAC addresses on devices, and Roku updated its software shortly after to take away that capability.
