TikTok Caught Exploiting Google Security Vulnerability To Track Millions Of Android Users


The Chinese-owned social networking application TikTok has been the center of attention the last several weeks as President Trump has moved to ban the app and force the company to divest its United States operations. Many people sided with TikTok and were upset at President Trump for trying to take action against the social networking app. Now, however, TikTok has been busted for collecting identifiable user data from millions of Android users in direct violation of Google policies.

A Wall Street Journal report found that the application was collecting unique identifiers from millions of mobile devices that allow it to track users online without giving users the ability to opt out. Mobile security experts say that the app concealed its tracking activity using "an unusual" added layer of encryption. For a long time the app collected the MAC address of Android devices, but it stopped collecting the data in November 2019.

When President Trump started talking about banning TikTok in the United States, he and his administration were worried that the application collected data on Americans that could potentially be used for blackmail or espionage. Google is investigating the findings and offered no comment on the method TikTok used to collect the information. TikTok says the current version of its app doesn't collect MAC addresses.

Joel Reardon, co-founder of mobile security firm AppCensus, said tracking the MAC address is a method for long-term tracking of users without giving them the ability to opt out. The MAC address doesn't change unless the user buys a new device. Reardon noted that he sees no reason to collect MAC addresses other than user tracking.

The security vulnerability leveraged to collect MAC addresses has been known to Google since last June and remains unpatched. The WSJ report claims that TikTok captured the information for at least 15 months and only ended the collection as it fell under increasing scrutiny from Washington.

The latest discovery isn't the first time TikTok was caught being shady. In June of this year, the app was reverse engineered and was described as a "data collection service" by the researcher behind the investigation. Both Microsoft and Twitter are reportedly in talks to purchase the U.S. operations of TikTok, but it's unclear if either will ultimately close a deal.