TikTok collected the MAC addresses of Android users

The Wall Street Journal has examined several versions of TikTok’s Android app, released between 2018 and 2020, to see what kinds of user information it uploads to the company’s servers.

Overall, the app behaves much like most apps, with one exception. Until an update in November 2019, TikTok tracked Android users via their phones’ MAC address, a fixed hardware address that identifies individual network cards.

These addresses rarely or never change, so they give developers a way to circumvent tracking restrictions and track users permanently. Google does not allow apps to read the MAC address, but the TikTok app exploited a known security flaw to collect it anyway.

The company tells the Wall Street Journal that the current version of TikTok does not collect MAC addresses, but it does not comment on how the app used to do so.

When iOS and Android were new, developers had access to both unique hardware IDs and MAC addresses, but as the market developed, Apple and Google began to remove these and replace them with unique ID numbers that can be reset and have no connection to the hardware itself.

