The ongoing controversies surrounding TikTok escalated on 14 January 2021 with a report accusing the Chinese company of tracking millions of Android users with a technique banned by Google. According to The Wall Street Journal, TikTok used a banned tactic to bypass an Android privacy safeguard and collect unique identifiers from millions of mobile devices, data that allows the app to track users online without giving them a way to opt out.
TikTok, based in Beijing, China, has been described as a national security threat in the US and has been in the headlines over concerns that data collected by the TikTok app could be used to aid government spying. The Wall Street Journal said TikTok exploited a loophole to collect MAC addresses for at least 15 months; the practice stopped in November 2020. MAC addresses are considered personally identifiable information under COPPA (the Children’s Online Privacy Protection Act). A MAC address is the unique identifier found in every internet-enabled communications device, including Android and iOS powered devices, and it can be used to target advertising to specific users or to track individuals and build dossiers on them.
TikTok responded to the WSJ’s findings by saying “the current version of TikTok does not collect MAC addresses” but the investigation found that the company had been harvesting that data for many months. Apple’s iOS blocks third parties from reading MAC addresses as part of a privacy feature added in 2013, but on Android, the exploitable loophole remains.
From the WSJ report: “TikTok bypassed that restriction on Android by using a workaround that allows apps to get MAC addresses through a more circuitous route, the Journal’s testing showed.” The security hole is widely known, if seldom used, the WSJ said. The outlet filed a formal bug report about the issue with Google last June after discovering that the latest version of Android still did not close the loophole. That bug report concerned the loophole in general and was not specific to TikTok. When the Journal filed the report, Google told it that it already had a similar report on file. Google declined to comment.
TikTok collected MAC addresses for at least 15 months, ending with an update released on 18 November of last year, as ByteDance was falling under intense scrutiny in Washington, the Journal’s testing showed.
TikTok bundled the MAC address with other device data and sent it to ByteDance when the app was first installed and opened on a new device. That bundle also included the device’s advertising ID, a 32-digit number intended to let advertisers track consumer behavior while giving the user some measure of anonymity and control over their information. Although the investigation found that TikTok did not collect an unusual amount of data and was typically upfront about what was being captured, the WSJ found that the parent company ByteDance took “extraneous steps” to “conceal the data it captures.”
The Wall Street Journal said it examined nine versions of TikTok released on the Google Play Store between April 2018 and January 2020. The analysis was limited to examining what TikTok collects when freshly installed on a user’s device before the user creates an account and accepts the app’s terms of service. Google said it is investigating the new discovery.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com