The TikTok Android app secretly stole a key ID number from millions of users’ phones and smuggled it past Google’s watchdogs by wrapping the number in an unusual layer of encryption, The Wall Street Journal reported yesterday (August 11).
The ID number, known as a MAC address, is a unique 12-digit hexadecimal (base-16) code. Every device in the world that uses Wi-Fi, Ethernet or Bluetooth, from supercomputers to smartphones to smartwatches, has at least one MAC address.
Because MAC addresses cannot be changed, they can be used to permanently identify individual devices.
Google blocks Android apps from reading device MAC addresses and bans their collection, but TikTok apparently used a known workaround to do so. It then sent the MAC addresses to servers belonging to TikTok’s parent company ByteDance, The Journal said, with an additional layer of encryption in a possible attempt to hide the practice from Google.
“It’s a way to enable long-term tracking of users without any ability to take off,” mobile app expert Joel Reardon told The Journal. “I see no other reason to collect it.”
Citing fears that the Chinese government might use TikTok to spy on Americans, US President Donald Trump threatened earlier this month to ban TikTok from the US market unless the company is sold to a US company by mid-September. Microsoft is said to be interested in buying TikTok from ByteDance.
In a statement to TechCrunch, TikTok said: “We are constantly updating our app to keep up with evolving security challenges, and the current version of TikTok does not collect MAC addresses. We have never provided TikTok user data to the Chinese government, nor would we do that as requested.”
Super-tracking
Google and Apple allow apps to track smartphones with advertising IDs, but those ad IDs change periodically and users can opt out of being assigned one. Users can also manually reset ad IDs.
Experts who spoke to The Journal believe that TikTok used the MAC addresses to “transmit” ad IDs, linking old IDs to newly issued ones to better track individual devices.
To use a car metaphor, an ad ID is like a car’s license plate. A MAC address is like the Vehicle Identification Number stamped under the windshield.
TikTok stopped collecting MAC addresses after an app update in November 2019, according to tests by The Journal. Google told The Journal that it was investigating the matter.
The Journal, which examined nine different versions of the TikTok Android app, said that the collection of MAC addresses had been happening since at least April 2018. It is not clear whether anything similar happened on iPhones.
TikTok was not the only app collecting MAC addresses, The Journal said. It cited a study by Reardon’s company, AppSense, which estimated that about 1% of Android apps did so in 2018. The Journal added that, MAC addresses aside, TikTok does not collect an unusual amount of user data.
But TikTok’s hiding of the MAC address data in an extra layer of encryption was indeed unusual, cybersecurity expert Marc Rogers told The Journal, mainly because all the data passing between TikTok users and the ByteDance servers was already encrypted using standard methods.
“My judgment is that the reason they are doing this is to prevent detection by Apple or Google,” Rogers told The Journal. “If Apple or Google saw that they were passing on these identifiers, they would almost certainly reject the app.”