The tactic, which experts in mobile-phone security said was concealed through an unusual added layer of encryption, appears to have violated Google policies
TikTok skirted a privacy safeguard in Google’s Android operating system to collect unique identifiers from millions of mobile devices, data that allows the app to track users online without allowing them to opt out, a Wall Street Journal analysis has found.
The tactic, which experts in mobile-phone security said was concealed through an unusual added layer of encryption, appears to have violated Google policies limiting how apps track people and wasn’t disclosed to TikTok users. TikTok ended the practice in November, the Journal’s testing showed.
The findings come at a time when TikTok’s Beijing-based parent company, ByteDance Ltd., is under pressure from the White House over concerns that data collected by the app could be used to help the Chinese government track U.S. government employees or contractors. TikTok has said it doesn’t share data with the Chinese government and wouldn’t do so if asked.
The identifiers collected by TikTok, called MAC addresses, are most commonly used for advertising purposes. The White House has said it is worried that users’ data could be obtained by the Chinese government and used to build detailed dossiers on individuals for blackmail or espionage.
TikTok, which said earlier this year that its app collects less personal data than U.S. companies such as Facebook Inc. and Alphabet Inc.’s Google, didn’t respond to detailed questions. In a statement, a spokesperson said the company is “committed to protecting the privacy and safety of the TikTok community. Like our peers, we constantly update our app to keep up with evolving security challenges.”
The company said “the current version of TikTok does not collect MAC addresses.”
Most major mobile apps collect a range of data on users, practices that privacy advocates have long found alarming but that tech companies defend as providing highly customized experiences and targeted advertising. Data collection varies by company.
About 1% of Android apps collect MAC addresses, according to a 2018 study by AppCensus, a mobile-app analysis firm that consults with companies on their privacy practices.
A Google spokesperson said the company was investigating the Journal’s findings and declined to comment on the loophole allowing some apps to collect MAC addresses.
The Trump administration’s national-security concerns prompted ByteDance to explore a sale of TikTok’s U.S. operations with several suitors, including Microsoft Corp. When asked if the company was aware of this data-collection issue, a Microsoft spokesman declined to comment.
The issue involves the “media access control,” or MAC, address: a 48-bit hardware identifier, usually written as 12 hexadecimal digits, that is assigned to every network interface (Wi-Fi, Bluetooth, Ethernet) in internet-ready electronics, including mobile devices.
The MAC address is useful to advertising-driven apps because the user can’t reset or alter it, allowing app makers and third-party analytics firms to build profiles of consumer behavior that persist through any privacy measure short of the owner getting a new phone. The Federal Trade Commission has said MAC addresses are considered personally identifiable information under the Children’s Online Privacy Protection Act.
“It’s a way of enabling long-term tracking of users without any ability to opt-out,” said Joel Reardon, an assistant professor at the University of Calgary and co-founder of AppCensus, Inc. “I don’t see another reason to collect it.”
Apple Inc. locked down iPhone MAC addresses in 2013 (with iOS 7), preventing third-party apps from reading the identifier. Google did the same two years later in Android (Android 6.0, in 2015), where the standard Wi-Fi and Bluetooth APIs now return a constant placeholder instead of the real address. TikTok bypassed that restriction on Android by using a workaround that allows apps to get MAC addresses through a more circuitous route, the Journal’s testing showed.
The security hole is widely known, if seldom used, Mr. Reardon said. He filed a formal bug report about the issue with Google last June after discovering the latest version of Android still didn’t close the loophole. “I was shocked that it was still exploitable,” he said.
Mr. Reardon’s report was about the loophole in general, not specific to TikTok. He said that when he filed his bug report, the company told him it already had a similar report on file. Google declined to comment.
TikTok collected MAC addresses for at least 15 months, ending with an update released Nov. 18 of last year, as ByteDance was falling under intense scrutiny in Washington, the Journal’s testing showed.
TikTok bundled the MAC address with other device data and sent it to ByteDance when the app was first installed and opened on a new device. That bundle also included the device’s advertising ID, a 32-hexadecimal-digit identifier (a UUID) intended to allow advertisers to track consumer behavior while giving the user some measure of anonymity and control over their information.
Privacy-conscious users can reset the advertising ID from the settings menu of the device, an action roughly equivalent to clearing cookies in a browser.
Google’s Play Store policies warn developers that the “advertising identifier must not be connected to personally-identifiable information or associated with any persistent device identifier,” including the MAC address, “without explicit consent of the user.”
Storing the unchangeable MAC address would allow ByteDance to connect the old advertising ID to the new one, a tactic known as “ID bridging” that is prohibited on Google’s Play Store. “If you uninstall TikTok, reset the ad ID, reinstall TikTok and create a new account, that MAC address will be the same,” said Mr. Reardon. “Your ability to start with a clean slate is lost.”
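The ID-bridging mechanism described above, as an added illustrative example in Python. This is not code from TikTok, ByteDance, Google or AppCensus: the bundle field names, the hardware address, the advertising IDs and the toy profile store are all constructed for the demonstration. The one piece of real Android behavior it relies on is the `02:00:00:00:00:00` placeholder that Android 6.0 and later return to apps that ask for the MAC through the public APIs. The example shows the server-side linking that a transmitted MAC makes possible, and a policy check an analyst can run over captured first-open bundles to flag an advertising ID paired with a persistent identifier.

```python
import re

# Android 6.0 and later return this placeholder, not the real address, when an app
# asks for the Wi-Fi or Bluetooth MAC through the public APIs.
ANDROID_PLACEHOLDER_MAC = "02:00:00:00:00:00"
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

# Identifiers that survive an advertising-ID reset; the bundle keys are assumed names.
PERSISTENT_KEYS = ("mac", "imei", "serial", "android_id")


def real_mac(value):
    """True for a well-formed hardware MAC that is not Android's placeholder."""
    return bool(value) and MAC_RE.match(value) is not None and value != ANDROID_PLACEHOLDER_MAC


def flag_id_bridging(bundle):
    """List the persistent identifiers a bundle pairs with the advertising ID.

    A non-empty result is the Play-policy problem described above: the
    advertising ID is being associated with a persistent device identifier.
    """
    if not bundle.get("advertising_id"):
        return []
    found = []
    for key in PERSISTENT_KEYS:
        value = bundle.get(key)
        if key == "mac":
            if real_mac(value):
                found.append(key)
        elif value:
            found.append(key)
    return found


class ProfileStore:
    """Toy model of a server-side profile database keyed by advertising ID.

    A never-seen advertising ID that arrives with a MAC already on file is folded
    into the existing profile; that is the bridge. Without a usable MAC, the store
    only knows the advertising ID, so a reset gives the user a fresh profile.
    """

    def __init__(self):
        self.profiles = {}       # canonical ad ID -> {"ad_ids": [...], "opens": n}
        self.canonical = {}      # every ad ID seen -> canonical ad ID
        self.by_mac = {}         # hardware MAC -> canonical ad ID

    def ingest(self, bundle):
        ad_id = bundle["advertising_id"]
        mac = bundle.get("mac") if real_mac(bundle.get("mac")) else None
        canon = self.canonical.get(ad_id)
        if canon is None and mac is not None:
            canon = self.by_mac.get(mac)          # link the new ad ID to the old profile
        if canon is None:
            canon = ad_id
            self.profiles[canon] = {"ad_ids": [], "opens": 0}
        self.canonical[ad_id] = canon
        if mac is not None:
            self.by_mac[mac] = canon
        profile = self.profiles[canon]
        if ad_id not in profile["ad_ids"]:
            profile["ad_ids"].append(ad_id)
        profile["opens"] += 1
        return canon


def first_open_bundle(ad_id, mac=None):
    """Constructed stand-in for the device-data bundle an app sends on first open."""
    bundle = {"advertising_id": ad_id, "model": "example-device"}
    if mac is not None:
        bundle["mac"] = mac
    return bundle


def simulate_reset(mac_sent):
    """Install, reset the advertising ID, uninstall, reinstall on the same phone.

    `mac_sent` is what the app transmits alongside the ad ID: a real hardware
    address (the loophole), Android's placeholder, or None. Returns how many
    distinct profiles the server ends up with: 1 means the reset was defeated.
    """
    store = ProfileStore()
    old_ad_id = "11111111-2222-3333-4444-555555555555"   # constructed UUID-style ad IDs
    new_ad_id = "66666666-7777-8888-9999-000000000000"
    store.ingest(first_open_bundle(old_ad_id, mac_sent))
    store.ingest(first_open_bundle(new_ad_id, mac_sent))
    return len(store.profiles)


if __name__ == "__main__":
    hw_mac = "a4:50:46:12:34:56"   # constructed hardware address
    print(flag_id_bridging(first_open_bundle("11111111-2222-3333-4444-555555555555", hw_mac)))  # ['mac']
    print(flag_id_bridging(first_open_bundle("x", ANDROID_PLACEHOLDER_MAC)))                   # []
    print(simulate_reset(hw_mac))                   # 1: both ad IDs land in one profile
    print(simulate_reset(ANDROID_PLACEHOLDER_MAC))  # 2: the placeholder cannot bridge
    print(simulate_reset(None))                     # 2: clean slate
```

The three `simulate_reset` calls are the whole point: when the app ships a real hardware address, the server keeps one profile across the reset; when it only has the Android placeholder or no MAC at all, the reset works as the user intended. `flag_id_bridging` is the check an app-analysis pipeline would apply to each captured bundle, treating the placeholder as "no MAC" so that compliant apps on Android 6.0 and later are not flagged.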
Despite the prohibition, ID bridging is fairly widespread, according to AppCensus, particularly among free gaming apps. But it seldom involves the MAC address, the most persistent identifier accessible in the current version of Android.
In a 2018 AppCensus study of a random sample of 25,152 popular internet-enabled Android apps, only 347, or 1.4%, were seen using the Android loophole to send the MAC address. Of those, only 90 were also transmitting the built-in Android ID, which changes if the device is factory reset.
The Journal’s analysis confirmed some of the behavior detailed in a widely discussed anonymous Reddit post in April charging that TikTok transmitted a range of personal data to ByteDance servers, including the MAC address. Google said it’s investigating the claims in that post.
The Journal examined nine versions of TikTok released on the Play Store between April 2018 and January 2020. The Journal’s analysis was limited to examining what TikTok collects when freshly installed on a user’s device, before the user creates an account and accepts the app’s terms of service.
Less typical are the measures ByteDance takes to conceal the data it captures. TikTok wraps most of the user data it transmits in an extra layer of custom encryption.
As with virtually all modern apps, TikTok’s Internet traffic is protected by TLS, the web’s standard transport encryption, making it unlikely that an eavesdropper can steal information in transit. That makes the additional, custom encryption code TikTok applies to user data seemingly extraneous—unless it was added to prevent the device owner from seeing what TikTok was up to, said Nathan Good, a researcher at the International Digital Accountability Council, a watchdog group that analyzes app behavior.
“It doesn’t provide any extra level of Internet security,” agreed Mr. Reardon. “But it does mean that we have no transparency into what’s being sent out.”
It is common for mobile apps to hide parts of their software to prevent them from being copied by competitors, but TikTok’s encryption doesn’t appear to be hiding a proprietary secret, said Marc Rogers, vice president of cybersecurity strategy at Okta, Inc., which provides services that help users securely log in online.
“My guess is that the reason they do that is to bypass detection by Apple or Google because if Apple or Google saw them passing those identifiers back they would almost certainly reject the app,” Mr. Rogers said.
Google should remove TikTok from its platform, said Sen. Josh Hawley (R., Mo.), in a statement to the Journal, when apprised of the findings. Sen. Hawley has been critical of TikTok and a hawk toward China generally.
“Google needs to mind its store, and TikTok shouldn’t be on it,” he said. “If Google is telling users they won’t be tracked without their consent and knowingly allows apps like TikTok to break its rules by collecting persistent identifiers, potentially in violation of our children’s privacy laws, they’ve got some explaining to do.”