Chinese social media app TikTok reportedly exploited Android’s loophole to collect users’ data by violating Google’s privacy policies, according to a new Wall Street Journal report.
The TikTok Android app was collecting media access control (MAC) addresses of Android devices until November 2019. MAC addresses are a “unique identifier” assigned for every user, which is mainly used for target advertising.
In 2015, Google as a policy had restricted Android apps downloaded from the Play Store from connecting “personally-identifiable information or associated with any persistent device identifier,” which includes MAC addresses and (International Mobile Equipment Identity) numbers.
However, TikTok leveraged a workaround wherein the app used to automatically send the MAC address along with the device identifier to its Chinese parent company ByteDance servers when the first time users opened the app before they could provide any consent.
According to WSJ, TikTok kept track of users’ MAC addresses for at least 15 months until an update released on November 18 last year. By this time, the short-video app had collected data from millions of mobiles without giving users the option to opt-out.
Not only TikTok, at least 350 other Android apps too managed to take advantage of a similar loophole on the Google Play Store, claimed WSJ citing a study.
Commenting on the practice, TikTok told The Verge that it had discontinued doing it. “We constantly update our app to keep up with evolving security challenges, and the current version of TikTok does not collect MAC addresses. We always encourage our users to download the most current version of TikTok,” a representative said. The company added that “the current version of TikTok does not collect MAC addresses.”
On the other hand, Google has not commented on the loophole but said that it was investigating the finding.
In June this year, TikTok was caught snooping on the clipboard of iPhone users after it got exposed by iOS 14 privacy feature. Also, TikTok was among the 59 Chinese apps that were banned by the Indian Government in June.