TikTok exploited Android security vulnerability to grab MAC addresses, maybe for ad tracking, no way to opt out — stopped in November, WSJ reports

"The tactic, which experts in mobile-phone security said was concealed through an unusual added layer of encryption, appears to have violated Google policies"

The Wall Street Journal reports Tuesday that TikTok exploited an Android vulnerability to obtain user MAC addresses, possibly for ad tracking, with no ability to opt out.

They stopped the practice in November, 2019, WSJ reports:

The tactic, which experts in mobile-phone security said was concealed through an unusual added layer of encryption, appears to have violated Google policies limiting how apps track people and wasn't disclosed to TikTok users. TikTok ended the practice in November, the Journal's testing showed.

The findings come at a time when TikTok's Beijing-based parent company, ByteDance Ltd., is under pressure from the White House over concerns that data collected by the app could be used to help the Chinese government track U.S. government employees or contractors. TikTok has said it doesn't share data with the Chinese government and wouldn't do so if asked.

The identifiers collected by TikTok, called MAC addresses, are most commonly used for advertising purposes. The White House has said it is worried that users' data could be obtained by the Chinese government and used to build detailed dossiers on individuals for blackmail or espionage.

Read more at the WSJ:
TikTok Tracked User Data Using Tactic Banned by Google

'Untrusted' Chinese apps like TikTok and WeChat must be banned from U.S. app stores, says Pompeo promoting 'Clean Network'