The TikTok Android application has been found to exploit the Play Store services in order to bundle personalized advertising without the users' consent. This practice is officially banned by Google for all applications uploaded to its repository.
TikTok Collects Private Data Despite Official Google Ban: Delivers Personalized Advertising To Users
The popular TikTok mobile application has been found breaking Google’s rules on data collection. It appears that the company was able to find a loophole allowing the application to collect the network MAC IDs of the devices. Each of these corresponds to a unique network interface (mobile data modem) and can serve as a way to track users.
The application was known for collecting this value in 2018 and 2019 and then allegedly stopped this practice, following the rules set up by Google. The platform regulations of the Google Play Store banned this back in 2015, following Apple, which prohibited apps from accessing device IDs in 2013.
Apparently TikTok was able to find a loophole in the Play Services in order to continue this practice. News reports indicate that this is possible even in newer versions of the Google services, indicating that the security weakness remains unpatched. An investigation has found that, in its network traffic, the Android mobile application sends out MAC IDs alongside other data when it is initially installed and opened on a given device.
In this network stream there is an evident 32-digit advertising ID, which allows advertisers to easily track the behavior of consumers. Resetting this ID is possible, but this will merely clear the current state, and data collection will start once again. When the MAC ID from the network interface is combined with this advertising ID, TikTok can gain a lot more information about the users. A process called ID bridging can allow TikTok to connect to older (inactive) advertising IDs, which can include other information that was collected in the past.
This loophole is also used by other applications, notably free games that include microtransactions and advertising in order to monetize their content. TikTok has stated that they have updated their application and that this practice is no longer used by them.
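The ID bridging described above can be checked for during a traffic audit. The following is an added example, not code from the investigation or from TikTok: it flags request bodies that carry a MAC ID together with an advertising ID and reports any MAC seen with more than one advertising ID. The sample payloads, the parameter names `mac` and `adid`, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample payloads (not real app traffic): decrypted request
# bodies as an auditor might export them from an intercepting proxy.
SAMPLE_REQUESTS = [
    "event=install&mac=02:00:5e:10:00:01&adid=11111111-2222-4333-8444-555555555555",
    "event=open&adid=11111111-2222-4333-8444-555555555555&lang=en",
    # The advertising ID was reset before this request; the MAC is unchanged.
    "event=open&mac=02-00-5E-10-00-01&adid=aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee",
    "event=open&mac=02:00:5e:10:00:02&adid=99999999-8888-4777-8666-555555555555",
]

# Six hex octets separated by ':' or '-'.
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")
# Advertising ID: 32 hex digits written in UUID form (8-4-4-4-12).
ADID_RE = re.compile(r"\b[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\b")


def normalize_mac(mac):
    """Lower-case and use ':' so differently formatted copies compare equal."""
    return mac.lower().replace("-", ":")


def find_colocated_ids(requests):
    """Return (request index, mac, ad_id) for each request carrying both."""
    hits = []
    for i, body in enumerate(requests):
        macs = {normalize_mac(m) for m in MAC_RE.findall(body)}
        adids = {a.lower() for a in ADID_RE.findall(body)}
        hits.extend((i, m, a) for m in sorted(macs) for a in sorted(adids))
    return hits


def bridged_ids(hits):
    """Map each MAC to its ad IDs; more than one means a reset was bridged."""
    by_mac = defaultdict(set)
    for _, mac, adid in hits:
        by_mac[mac].add(adid)
    return {mac: sorted(ids) for mac, ids in by_mac.items() if len(ids) > 1}


if __name__ == "__main__":
    hits = find_colocated_ids(SAMPLE_REQUESTS)
    for i, mac, adid in hits:
        print(f"request {i}: MAC {mac} sent with advertising ID {adid}")
    for mac, ids in bridged_ids(hits).items():
        print(f"MAC {mac} links advertising IDs across a reset: {ids}")
```

In the constructed data, the second request carries only an advertising ID and is not flagged, while the first and third share one MAC and so tie the pre-reset and post-reset advertising IDs together.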
Additional read: TikTok was recently targeted in a phishing scam.