Engadget

WSJ: TikTok used a loophole to track MAC addresses on Android

Google blocks third-party apps from reading the ID, but TikTok went around the protections.


The future of TikTok is still up in the air as it's treated as an acquisition target and a security risk all at once, and now the Wall Street Journal is reporting a detail about the kind of information the app had been collecting on its users. The Journal's analysis of the Android app dug into several versions released from 2018 through 2020 and found that TikTok “wasn't collecting an unusual amount of information for a mobile app.”

The outlier, however, is that until late last year TikTok used a known loophole to get around the Android protections that stop apps from tracking users via the MAC address of their device. A MAC address identifies a device's network interface and is fixed for the life of the hardware, so anyone who can read it can tie every installation and every account that appears on that device to the same handset, linking a person's identity to a specific piece of hardware. Google has blocked third-party apps from reading the Wi-Fi MAC address through the official API since Android 6.0 in 2015 (the call returns a fixed dummy value), so an app that still obtains the real address is deliberately working around that restriction.

As the WSJ explains, Google instead offers apps an anonymized advertising ID that users can reset at will, whereas the MAC address offers no such opt-out. Pairing the two is what the ad industry calls “ID bridging”: once a tracker has stored a device's MAC address alongside its advertising ID, a user who resets the advertising ID is simply re-linked to the old profile the next time the app reads the MAC, which defeats the purpose of the reset. Other ID bridging techniques exist that don't involve the MAC address, and according to the Journal's investigation TikTok removed its MAC collection in an update released on November 18th of last year. In a statement, the company said “the current version of TikTok does not collect MAC addresses.”
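To make the bridging mechanism concrete, here is an added illustration (not code from the WSJ report, from TikTok, or from Google): a toy server-side tracker that receives events carrying a resettable advertising ID and, optionally, the device's MAC address, and decides which profile each event belongs to. Run with the MAC withheld it behaves as the platform intends, and an ad-ID reset starts a fresh profile; run with the MAC available it bridges the new ad ID straight back to the old profile and links both accounts to one device. The MAC address, ad IDs and account names are constructed sample values, and hashing the MAC before storage (as trackers commonly do) is shown to change nothing about its persistence.

```python
"""Why a persistent hardware identifier defeats a resettable advertising ID.

Added illustration, not code from the WSJ report or from TikTok: a toy
server-side tracker that receives events carrying a resettable ad ID and,
optionally, the device's Wi-Fi MAC address, and decides which profile each
event belongs to. The MAC address, the ad IDs and the account names below
are all constructed sample values.
"""
from dataclasses import dataclass
from hashlib import sha256
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Event:
    ad_id: str            # resettable advertising ID, as presented by the OS
    account: str          # in-app account that generated the event
    mac: Optional[str]    # hardware MAC if the app managed to read it, else None


class Tracker:
    """Maps incoming events to profiles.

    With bridge=False the tracker honours the ad ID as the only identity key:
    resetting it starts a fresh profile. With bridge=True it also keys
    profiles on a hash of the MAC address, so a reset ad ID is "bridged"
    back to the existing profile whenever the same MAC is seen again.
    """

    def __init__(self, bridge: bool) -> None:
        self.bridge = bridge
        self._by_ad_id: Dict[str, int] = {}
        self._by_mac: Dict[str, int] = {}
        self._accounts: Dict[int, Set[str]] = {}
        self._next_profile = 1

    @staticmethod
    def _mac_key(mac: str) -> str:
        # Trackers commonly hash hardware IDs before storing them. Hashing a
        # fixed value yields a fixed key, so it does nothing for resettability.
        return sha256(mac.lower().encode()).hexdigest()

    def ingest(self, ev: Event) -> int:
        """Assign the event to a profile and return the profile number."""
        mac_key = self._mac_key(ev.mac) if (self.bridge and ev.mac) else None

        profile = self._by_ad_id.get(ev.ad_id)
        if profile is None and mac_key is not None:
            profile = self._by_mac.get(mac_key)   # the bridge: hardware ID wins
        if profile is None:
            profile = self._next_profile
            self._next_profile += 1
            self._accounts[profile] = set()

        self._by_ad_id[ev.ad_id] = profile
        if mac_key is not None:
            self._by_mac[mac_key] = profile
        self._accounts[profile].add(ev.account)
        return profile

    def accounts(self, profile: int) -> Set[str]:
        return set(self._accounts[profile])


# Constructed scenario: one physical device. The user resets the ad ID and
# logs into a second account, then resets again and reinstalls.
DEVICE_MAC = "02:1A:2B:3C:4D:5E"   # constructed, not a real device
SAMPLE_EVENTS: List[Event] = [
    Event("ad-id-0001", "alice_main", DEVICE_MAC),
    Event("ad-id-0002", "alice_burner", DEVICE_MAC),   # after an ad-ID reset
    Event("ad-id-0003", "alice_main", DEVICE_MAC),     # reset again, reinstall
]


def profiles_for(events: List[Event], bridge: bool) -> Dict[int, Set[str]]:
    """Run the events through a tracker and return profile -> accounts."""
    t = Tracker(bridge=bridge)
    seen = {t.ingest(e) for e in events}
    return {p: t.accounts(p) for p in sorted(seen)}


if __name__ == "__main__":
    print("ad ID only :", profiles_for(SAMPLE_EVENTS, bridge=False))
    print("MAC bridged:", profiles_for(SAMPLE_EVENTS, bridge=True))
```

The ad-ID-only run yields three unrelated profiles, one per reset; the bridged run collapses them into a single profile holding both accounts. Feeding the bridged tracker events with `mac=None`, the situation an app is in once it stops reading the address, restores the three-profile result, which is the behaviour the resettable ID is supposed to guarantee.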

Tying user identities to hardware in a way that's hard to change, particularly without telling users about it, is troubling, and mobile platforms aren't the only place it has popped up. Last year researchers detailed how makers of TV apps on Fire TV and Roku were bypassing the advertising IDs to collect the MAC addresses of those devices, and Roku updated its software shortly afterward to remove that capability.