Connect with us

Hi, what are you looking for?


Application Security

Report: TikTok Harvested MAC Addresses By Exploiting Android Loophole

The ongoing controversies surrounding TikTok hit a new gear on Thursday with a bombshell report accusing the Chinese company of spying on millions of Android users using a technique banned by Google.

The ongoing controversies surrounding TikTok hit a new gear on Thursday with a bombshell report accusing the Chinese company of spying on millions of Android users using a technique banned by Google.

According to a Wall Street Journal report, TikTok used a banned tactic to bypass the privacy safeguard in Android to collect unique identifiers from millions of mobile devices, data that allows the app to track users online without allowing them to opt out.

TikTok, based in Beijing, China, has been described as a national security threat in the U.S., and has been in the headline over concerns that data collected by the TikTok app could be used to aid government spying activities.

[ ALSO READ: US Insists on Need to Ban TikTok ]

The Wall Street Journal said TikTok was exploiting a loophole to collect MAC addresses for at least 15 months.   The practice stopped in November 2020. 

MAC addresses are considered personally identifiable information under COPA (the Children’s Online Privacy Protection Act).   It is the unique identifier found in all internet-enabled communications devices, including Android- and iOS-powered devices.   MAC addresses can be used to target advertising to specific users or track and build dossiers of individuals.

Advertisement. Scroll to continue reading.

TikTok responded to the WSJ’s findings by saying “the current version of TikTok does not collect MAC addresses” but the investigation found that the company had been harvesting that data for many months.

Apple’s iOS blocks third parties from reading MAC addresses as part of a privacy feature added in 2013, but on Android, the exploitable loophole remains.

From the WSJ report:

“TikTok bypassed that restriction on Android by using a workaround that allows apps to get MAC addresses through a more circuitous route, the Journal’s testing showed.

The security hole is widely known, if seldom used, Mr. Reardon said. He filed a formal bug report about the issue with Google last June after discovering the latest version of Android still didn’t close the loophole. “I was shocked that it was still exploitable,” he said.

Mr. Reardon’s report was about the loophole in general, not specific to TikTok. He said that when he filed his bug report, the company told him it already had a similar report on file. Google declined to comment.

TikTok collected MAC addresses for at least 15 months, ending with an update released Nov. 18 of last year, as ByteDance was falling under intense scrutiny in Washington, the Journal’s testing showed.

TikTok bundled the MAC address with other device data and sent it to ByteDance when the app was first installed and opened on a new device. That bundle also included the device’s advertising ID, a 32-digit number intended to allow advertisers to track consumer behavior while giving the user some measure of anonymity and control over their information.”

Although the investigation found that TikTok did not collect an unusual amount of data and typically was upfront about what was being captured, the Journal found that the parent company ByteDance took major steps to use extraneous steps” to “conceal the data it captures.”  

The Wall Street Journal said it examined nine versions of TikTok released on the Google Play Store between April 2018 and January 2020.  The analysis was limited to examining what TikTok collects when freshly installed on a user’s device, before the user creates an account and accepts the app’s terms of service.

Google said it is investigating the new discovery.

Related: TikTok Launches Public Bug Bounty Program

Related: TikTok, WeChat Bans Not Crucial to US Security: Experts

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...