How To Spy Using Mac Address

The ongoing controversies surrounding TikTok hitting a new gear on Thursday with a bombshell written report accusing the Chinese company of spying on millions of Android users using a technique banned by Google.

According to a Wall Street Journal report, TikTok used a banned tactic to bypass the privacy safeguard in Android to collect unique identifiers from millions of mobile devices, data that allows the app to track users online without allowing them to opt out.

TikTok, based in Beijing, Mainland china, has been described as a national security threat in the U.Southward., and has been in the headline over concerns that data collected by the TikTok app could be used to aid government spying activities.

[ ALSO READ: Usa Insists on Need to Ban TikTok ]

The Wall Street Journal said TikTok was exploiting a loophole to collect MAC addresses for at least fifteen months. The practice stopped in November 2020.

MAC addresses are considered personally identifiable information nether COPA (the Children's Online Privacy Protection Act). It is the unique identifier establish in all internet-enabled communications devices, including Android- and iOS-powered devices. MAC addresses can be used to target advertizement to specific users or rail and build dossiers of individuals.

TikTok responded to the WSJ's findings by saying "the electric current version of TikTok does not collect MAC addresses" but the investigation found that the company had been harvesting that information for many months.

Apple's iOS blocks third parties from reading MAC addresses equally function of a privacy feature added in 2013, merely on Android, the exploitable loophole remains.

From the WSJ report:

"TikTok bypassed that restriction on Android by using a workaround that allows apps to go MAC addresses through a more circuitous route, the Journal's testing showed.

The security pigsty is widely known, if seldom used, Mr. Reardon said. He filed a formal bug report most the issue with Google terminal June after discovering the latest version of Android withal didn't close the loophole. "I was shocked that it was still exploitable," he said.

Mr. Reardon's report was about the loophole in general, not specific to TikTok. He said that when he filed his issues written report, the visitor told him it already had a similar report on file. Google declined to comment.

TikTok collected MAC addresses for at least 15 months, catastrophe with an update released November. 18 of final year, as ByteDance was falling nether intense scrutiny in Washington, the Journal'due south testing showed.

TikTok bundled the MAC address with other device data and sent information technology to ByteDance when the app was first installed and opened on a new device. That bundle besides included the device's advertising ID, a 32-digit number intended to allow advertisers to track consumer beliefs while giving the user some measure of anonymity and control over their information."

Although the investigation institute that TikTok did non collect an unusual corporeality of information and typically was upfront nigh what was being captured, the Journal plant that the parent visitor ByteDance took major steps to use extraneous steps" to "conceal the data information technology captures."

The Wall Street Journal said information technology examined 9 versions of TikTok released on the Google Play Store between April 2018 and January 2020. The analysis was express to examining what TikTok collects when freshly installed on a user's device, before the user creates an account and accepts the app's terms of service.

Google said it is investigating the new discovery.

Related: TikTok Launches Public Bug Bounty Plan

Related: TikTok, WeChat Bans Not Crucial to United states of america Security: Experts

Previous Columns by SecurityWeek News: