WSJ: TikTok used a loophole to track MAC addresses on Android

Google blocks third-party apps from reading the ID, but TikTok went around the protections.
Richard Lawler, @Rjcc
August 11, 2020

The future of TikTok is still up in the air as it’s treated as an acquisition target and security risk all at once, and now the Wall Street Journal is reporting a detail on the kind of information it had been tracking about users. Their analysis of its Android app dug into several versions from 2018 through 2020, and said it “wasn’t collecting an unusual amount of information for a mobile app.”

However, the outlier is that until late last year, TikTok used a known security flaw to get around Android protections that stop apps from tracking users via the MAC address of their device. That code identifies a device on a network and is usually not changed, so someone could track installations across different accounts that occur on the same device to link a person’s ID to a particular piece of hardware.

As the WSJ explains, Google presents an anonymized advertising ID that users can easily reset, as opposed to the MAC address that doesn’t have the same opt-out capabilities. There are other techniques used for this “ID bridging” that don’t involve the MAC address, and according to their investigation, TikTok removed its tracking with an update on November 18th of last year. In a statement, the company said “the current version of TikTok does not collect MAC addresses.”

Tying user identities to hardware in a way that’s tough to change — particularly without notifying them of it — is troubling, and mobile platforms aren’t the only place where it’s popped up. Last year researchers detailed how makers of TV apps on Fire TV and Roku were bypassing advertiser IDs to collect the MAC addresses on devices, and Roku updated its software shortly after to take away that capability.
