TikTok surreptitiously collected information from users’ Android smartphones without their consent, an apparent violation of Google’s app store policies, The Wall Street Journal reported Tuesday.
The app logged users’ MAC addresses — unique digital identifiers that are attached to all smartphones and cannot be reset — allowing TikTok parent company ByteDance to track people even if they changed their privacy settings to opt out of certain ad-tracking practices, The Wall Street Journal found.
TikTok installs from the Google Play store in the US currently total around 89 million, according to app analytics firm Sensor Tower.
The Journal’s analysis, which was based on a past version of TikTok, found that the app collected MAC addresses for at least 15 months, but ended the practice with an update to the app last November.
“We are committed to protecting the privacy and safety of the TikTok community. We constantly update our app to keep up with evolving security challenges, and the current version of TikTok does not collect MAC addresses,” a TikTok spokesperson told Business Insider. “We always encourage our users to download the most current version of TikTok.”
Google banned app developers from collecting users’ MAC addresses in 2015, while Apple did the same two years earlier. But smartphone security experts told The Wall Street Journal that TikTok circumvented the policy by exploiting a bug and hid its tracks with an atypical extra layer of encryption.
“We’re investigating these claims,” a Google spokesperson told Business Insider, while declining to comment specifically on the bug that TikTok reportedly exploited.