TikTok secretly tracked millions of Android users — what you need to know

The TikTok logo displayed on a smartphone screen with a computer keyboard in the background.
(Image credit: Primakov/Shutterstock)

The TikTok Android app secretly stole an important ID number from millions of users' phones and smuggled it past Google's watchdogs by wrapping the ID number in an unusual layer of encryption, The Wall Street Journal reported yesterday (Aug. 11).

The ID number, known as a MAC address, is a 48-bit code normally written as 12 hexadecimal (base 16) digits in six colon-separated pairs. Every device that uses Wi-Fi, Ethernet or Bluetooth, from supercomputers to smartphones to smartwatches, has at least one MAC address, one per network interface.

Because the factory-assigned MAC address burned into a device's radio doesn't change (it can be spoofed on the network, but the stored value an app on the device reads stays the same), it can be used to identify an individual device permanently.

Since Android 6.0 in 2015, the official Android APIs hand apps a fixed placeholder value (02:00:00:00:00:00) instead of the real MAC address, and Google Play's developer policy forbids tying the advertising ID to a persistent device identifier such as the MAC address, but TikTok apparently used a known workaround to read the real address anyway. It then transmitted the MAC addresses to servers belonging to TikTok parent company ByteDance, The Journal said, using an extra layer of encryption in a possible attempt to conceal the practice from Google.

"It's a way of enabling long-term tracking of users without any ability to opt out," mobile-app expert Joel Reardon told The Journal. "I don't see another reason to collect it."

Citing fears that the Chinese government might be using TikTok to spy on Americans, U.S. President Donald Trump earlier this month threatened to ban TikTok from the U.S. market unless the company was sold to an American firm by mid-September. Microsoft is said to be interested in purchasing TikTok from ByteDance.

In a statement to TechCrunch, TikTok said: "We constantly update our app to keep up with evolving security challenges, and the current version of TikTok does not collect MAC addresses. We have never given any TikTok user data to the Chinese government nor would we do so if asked."

Super-tracking

Google and Apple permit apps to track smartphones using advertising IDs, but those IDs are designed to be disposable: a user can reset the advertising ID at any time, at which point the device gets a fresh one, and can opt out of having it used for personalized ads.

Experts who spoke to the Journal suspect that TikTok used the MAC addresses to "bridge" advertising IDs, linking a reset ID to the newly issued one so that the same device could keep being tracked across resets.

To use an automotive metaphor, an advertising ID is like a car's license plate. A MAC address is like the Vehicle Identification Number stamped underneath the windshield.
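The following is an added example, not code from the article, TikTok or ByteDance. It puts the two technical points above into runnable form: what a MAC address looks like and how to tell a stable, burned-in hardware address from the placeholder that Android 6.0 and later return to apps (02:00:00:00:00:00) or from a randomized, locally administered address; and how a tracking backend uses such a fixed identifier to "bridge" advertising IDs across a user's reset. The session events and addresses are constructed sample data, and the session/ad-ID/MAC record layout is an assumption for illustration, not anything the Journal reported about TikTok's actual traffic.

```python
"""Added example, not code from the article, TikTok or ByteDance.

  1. normalize_mac / classify_mac: what a 48-bit MAC looks like and whether
     it is a stable hardware identifier at all;
  2. link_sessions / bridge_ad_ids: why a fixed identifier lets a tracker
     re-join advertising IDs after the user resets them.
All events and addresses below are constructed sample data.
"""
import re
from collections import defaultdict

# Value Android 6.0 and later return from the official MAC-address APIs.
ANDROID_PLACEHOLDER = "02:00:00:00:00:00"


def normalize_mac(raw):
    """Canonicalise a MAC to lower-case 'xx:xx:xx:xx:xx:xx'.

    Accepts the usual 'a4:5e:..', 'a4-5e-..' and 'a45e.6012.3456' spellings;
    raises ValueError for anything that is not exactly 12 hex digits.
    """
    digits = re.sub(r"[:\-.]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_mac(raw):
    """Classify an address the way a privacy auditor would.

    'placeholder'          -> Android's dummy value; useless for tracking
    'locally-administered' -> U/L bit (0x02) of the first octet set: a
                              software-assigned or randomized MAC, not a
                              stable hardware identifier
    'burned-in'            -> vendor-assigned (OUI) address: stable for the
                              life of the radio, i.e. the kind worth hiding
    """
    mac = normalize_mac(raw)
    if mac == ANDROID_PLACEHOLDER:  # test first: it also has the U/L bit set
        return "placeholder"
    if int(mac[:2], 16) & 0x02:
        return "locally-administered"
    return "burned-in"


# Constructed sample: two phones. Phone A's owner resets the advertising ID
# between sessions s2 and s3; phone B appears once. Record layout is assumed.
SAMPLE_EVENTS = [
    {"session": "s1", "ad_id": "ad-1111", "mac": "A4:5E:60:12:34:56"},
    {"session": "s2", "ad_id": "ad-1111", "mac": "a4-5e-60-12-34-56"},
    {"session": "s3", "ad_id": "ad-9999", "mac": "a45e.6012.3456"},
    {"session": "s4", "ad_id": "ad-2222", "mac": "3c:22:fb:aa:bb:cc"},
]


def link_sessions(events, key):
    """Group sessions by identifier, as a tracking backend would.

    key='ad_id' is what Google and Apple permit; key='mac' is what the
    article says TikTok had available. Returns {identifier: [sessions]}.
    """
    groups = defaultdict(list)
    for ev in events:
        ident = normalize_mac(ev["mac"]) if key == "mac" else ev[key]
        groups[ident].append(ev["session"])
    return dict(groups)


def bridge_ad_ids(events):
    """The 'bridging' the experts described: for every burned-in MAC, all the
    advertising IDs ever seen with it, so a reset ID is re-joined to the old one.
    Placeholder and randomized MACs are skipped: they do not identify a device."""
    seen = defaultdict(set)
    for ev in events:
        if classify_mac(ev["mac"]) == "burned-in":
            seen[normalize_mac(ev["mac"])].add(ev["ad_id"])
    return {mac: sorted(ids) for mac, ids in seen.items()}


if __name__ == "__main__":
    print("by ad ID:", link_sessions(SAMPLE_EVENTS, "ad_id"))  # phone A looks like two devices
    print("by MAC  :", link_sessions(SAMPLE_EVENTS, "mac"))    # the reset is undone
    print("bridged :", bridge_ad_ids(SAMPLE_EVENTS))
```

Grouping by advertising ID makes phone A look like two unrelated devices after the reset, which is the privacy property the ID is meant to give; grouping by the normalized MAC collapses all three sessions back onto one device and ties the old and new advertising IDs together. The classifier is the check an auditor wants before trusting a MAC as an identifier, since the Android placeholder and randomized addresses both carry the locally administered bit and say nothing about the hardware.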

TikTok stopped collecting MAC addresses after an app update in November 2019, according to The Journal's tests. Google told The Journal that it was looking into the matter. 

The Journal, which examined nine different version updates of the TikTok Android app, said the MAC-address collection had been happening since at least April 2018. It's not clear whether anything similar occurred on iPhones.

TikTok was not the only app collecting MAC addresses, The Journal said. It cited a study by Reardon's company, AppCensus, that estimated that about 1% of Android apps did so in 2018. The Journal added that other than the MAC addresses, TikTok did not collect an unusual amount of user data.

But TikTok's concealing of the MAC-address data in an extra layer of encryption was indeed unusual, cybersecurity expert Marc Rogers told The Journal, especially since all data going back and forth between ByteDance servers and TikTok users was already encrypted in transit by standard means.

"My guess is that the reason they do that is to bypass detection by Apple or Google," Rogers told The Journal. "If Apple or Google saw them passing those identifiers back they would almost certainly reject the app."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.