The Chinese-owned video-sharing app TikTok avoided a privacy safeguard implemented on Google’s Android operating system in order to collect the online information of potentially millions of users, according to a Wall Street Journal analysis published Tuesday.
Mobile-phone security experts told the Wall Street Journal that TikTok wrapped the relevant code in an additional layer of encryption to conceal it, circumventing Google's limits on how apps track user data. TikTok did not disclose this data collection to app users and reportedly continued the practice until November 2019.
The Journal report comes amid a recently announced executive order from President Donald Trump that would force TikTok's Chinese owners to sell the app or see it banned in the U.S.
The Journal report specifically indicates TikTok gathered the media access control (MAC) addresses of its Android app users. A MAC address is a fixed hardware identifier of the device's network interface; unlike Android's advertising ID, it cannot be reset by the user, and it is mostly collected for advertising tracking. Only around 1 percent of Android apps gather MAC addresses, according to a 2018 study by AppCensus, a mobile-app analysis firm.
Google blocked app developers from accessing the MAC address in 2015, but AppCensus co-founder Joel Reardon said TikTok used a widely known but still seldom-used workaround to obtain the address anyway.
Reardon said he had filed a report with Google in June of 2019 raising concerns about the exploit. “I was shocked that it was still exploitable,” he told the Journal.
The Federal Trade Commission considers MAC addresses to be personally identifiable information, as defined under the Children’s Online Privacy Protection Act.
“It’s a way of enabling long-term tracking of users without any ability to opt-out,” Reardon told the Journal. “I don’t see another reason to collect it.”
Google told the Journal it is looking into the findings but declined to comment further.
App developers reportedly often encrypt parts of their software to keep competitors from copying their code. TikTok did use encryption to hide parts of its software, but Marc Rogers, vice president of cybersecurity strategy at Okta, Inc., said he did not believe TikTok was concealing any proprietary information.
“My guess is that the reason they do that is to bypass detection by Apple or Google because if Apple or Google saw them passing those identifiers back they would almost certainly reject the app,” Rogers told the Journal.
TikTok reportedly collected MAC address data for around 15 months before stopping in November 2019. TikTok discontinued the practice around the same time the U.S. government opened a national security review of Musical.ly, the American company that was bought by TikTok's Chinese parent company, ByteDance.
Sen. Josh Hawley (R-Mo.), a frequent China critic, told the Journal that Google needs to do more to protect its users from techniques like the ones TikTok reportedly used.
“Google needs to mind its store, and TikTok shouldn’t be on it,” Hawley said. “If Google is telling users they won’t be tracked without their consent and knowingly allows apps like TikTok to break its rules by collecting persistent identifiers, potentially in violation of our children’s privacy laws, they’ve got some explaining to do.”
China has decried the Trump administration's recent moves against TikTok, and an editorial in the Chinese Communist Party (CCP)-operated China Daily described the move to force TikTok's owners to either sell the app or see it banned in the U.S. as "bullying" and a "smash and grab."
TikTok is also reportedly considering filing a lawsuit to fight the potential U.S. ban. The company will likely argue that Trump's order is unconstitutional and failed to give the company a sufficient chance to contest the ban.