TikTok reportedly found a loophole in Google’s Android OS that allowed the app to collect data from millions of mobile devices and track users online without consent.
Hidden beneath an “unusual” layer of added encryption, the tactic, according to The Wall Street Journal, granted access to media access control (MAC) addresses—unique identifiers often used in digital advertising. Unchanging and inalterable, MAC addresses make it easy for firms to build consumer profiles that folks can’t easily opt out of.
TikTok, which recently claimed it collects less personal data than Facebook or Google, allegedly stockpiled MAC addresses for at least 15 months, ending in November 2019, when parent company ByteDance Ltd. came under scrutiny by the US government. Each time the social network was installed and opened on a new device, advertising identifiers (including MAC addresses) were bundled with other device data and sent to Beijing-based ByteDance.
“Like our peers, we constantly update our app to keep up with evolving security challenges,” a company spokesperson told WSJ, assuring users that “the current version of TikTok does not collect MAC addresses.” Google, meanwhile, is investigating these findings. Neither firm immediately responded to PCMag’s request for comment.
The widely-known-but-seldom-used Android security hole was previously documented by AppCensus co-founder Joel Reardon, who told the Journal he was “shocked that it was still exploitable.”
Tuesday’s report all but rubs salt in TikTok’s wounds: The privacy news comes just days after Donald Trump signed an executive order prohibiting US organizations from doing business with Chinese parent companies—including ByteDance Ltd. The decree goes into effect on Sept. 20, leaving Microsoft a shrinking window to acquire the video-sharing app without facing penalties.