
Report: TikTok Harvested MAC Addresses By Exploiting Android Loophole

The ongoing controversies surrounding TikTok hit a new gear on Thursday with a bombshell report accusing the Chinese company of spying on millions of Android users using a technique banned by Google.

According to a Wall Street Journal report, TikTok used a banned tactic to bypass the privacy safeguard in Android to collect unique identifiers from millions of mobile devices, data that allows the app to track users online without allowing them to opt out.


TikTok, based in Beijing, China, has been described as a national security threat in the U.S., and has been in the headlines over concerns that data collected by the TikTok app could be used to aid government spying activities.


The Wall Street Journal said TikTok was exploiting a loophole to collect MAC addresses for at least 15 months.   The practice stopped in November 2020. 

MAC addresses are considered personally identifiable information under COPPA (the Children’s Online Privacy Protection Act). A MAC address is the unique identifier found in all internet-enabled communications devices, including Android- and iOS-powered devices. MAC addresses can be used to target advertising to specific users or to track and build dossiers of individuals.


TikTok responded to the WSJ’s findings by saying “the current version of TikTok does not collect MAC addresses” but the investigation found that the company had been harvesting that data for many months.


Apple’s iOS blocks third parties from reading MAC addresses as part of a privacy feature added in 2013, but on Android, the exploitable loophole remains.

From the WSJ report:

“TikTok bypassed that restriction on Android by using a workaround that allows apps to get MAC addresses through a more circuitous route, the Journal’s testing showed.


The security hole is widely known, if seldom used, Mr. Reardon said. He filed a formal bug report about the issue with Google last June after discovering the latest version of Android still didn’t close the loophole. “I was shocked that it was still exploitable,” he said.


Mr. Reardon’s report was about the loophole in general, not specific to TikTok. He said that when he filed his bug report, the company told him it already had a similar report on file. Google declined to comment.


TikTok collected MAC addresses for at least 15 months, ending with an update released Nov. 18 of last year, as ByteDance was falling under intense scrutiny in Washington, the Journal’s testing showed.


TikTok bundled the MAC address with other device data and sent it to ByteDance when the app was first installed and opened on a new device. That bundle also included the device’s advertising ID, a 32-digit number intended to allow advertisers to track consumer behavior while giving the user some measure of anonymity and control over their information.”

Although the investigation found that TikTok did not collect an unusual amount of data and typically was upfront about what was being captured, the Journal found that the parent company ByteDance made a major effort, using “extraneous steps” to “conceal the data it captures.”

The Wall Street Journal said it examined nine versions of TikTok released on the Google Play Store between April 2018 and January 2020.  The analysis was limited to examining what TikTok collects when freshly installed on a user’s device, before the user creates an account and accepts the app’s terms of service.

Google said it is investigating the new discovery.
