TikTok has been stealing MAC addresses from Android devices for over 18 months, violating its own policies as well as Google Play Store’s rules, the Wall Street Journal reported on Tuesday. MAC addresses are unique identifiers for each device, which makes them valuable both for tracking and to advertisers.
TikTok has been collecting data from millions of people without them opting in or even being aware of it. Both the iOS App Store and Google Play Store banned the collection of MAC addresses in 2015, but TikTok was able to find a loophole.
The Chinese app was adding a layer of encryption to conceal its practices and stopped only in November of last year, following mounting political pressure from Washington. The WSJ study found that nearly 350 other Android apps were exploiting the same loophole, primarily for targeted ads.
Google has declined to comment on how TikTok was able to bypass its security measures and steal data right under its nose for so long. On the other hand, there have been no such reports on iOS. This is mainly because iOS 14 randomizes MAC addresses for every device, making them harder to track and ensuring better security from malicious attacks.
TikTok has said that the current version of their app does not collect any MAC addresses from any of its users and added that they are “committed to protecting the privacy and safety of the TikTok community”. Evidence stands contrary to their statements.
The news comes at a bad time for TikTok, as the app is under heavy scrutiny over accusations of stealing user data. President Donald Trump has threatened to ban the app in the region if it doesn’t hand the reins to a US company by next month. Microsoft is currently in talks with the company for acquisition, and Twitter has also shown interest, but it is unclear how far the deals have progressed.