Privacy Android Google Software Technology

TikTok Tracked User Data Using Tactic Banned By Google (marketwatch.com)

An anonymous reader quotes a report from MarketWatch: TikTok skirted a privacy safeguard in Google's Android operating system to collect unique identifiers from millions of mobile devices, data that allows the app to track users online without allowing them to opt out, a Wall Street Journal analysis has found. The tactic, which experts in mobile-phone security said was concealed through an unusual added layer of encryption, appears to have violated Google policies limiting how apps track people and wasn't disclosed to TikTok users. TikTok ended the practice in November, the Journal's testing showed.

The identifiers collected by TikTok, called MAC addresses, are most commonly used for advertising purposes. The White House has said it is worried that users' data could be obtained by the Chinese government and used to build detailed dossiers on individuals for blackmail or espionage. In a statement, a spokesperson said the company is "committed to protecting the privacy and safety of the TikTok community. Like our peers, we constantly update our app to keep up with evolving security challenges." The company said "the current version of TikTok does not collect MAC addresses."

  • by Anonymouse Cowtard ( 6211666 ) on Tuesday August 11, 2020 @07:09PM (#60391763) Homepage

    They don't do it anymore, so there's no problem. CPP are benevolent cultural leaders. Move along.

    _________________________

    Sent from my Huawei

    • by fermion ( 181285 )
      Because Google probably does. When Google bans something, it means they want it exclusively for their use
      • Google doesn't need to know your MAC to do what they want to do, which is find out where you are. They only need to know what MACs you can see, especially of APs whose names are more likely to change than their MACs. If you're logging in, what value does your MAC have?

        • by fermion ( 181285 )
          Because it is a constant. Most people don't change their Id. It is the one sure way to track a user.
          • *Google* changes your WiFi MAC, under Android 10.

            They just don't need to snoop like that when people are logging in, and telling Google who they are. No need to guess.

  • by Ksevio ( 865461 ) on Tuesday August 11, 2020 @07:15PM (#60391779) Homepage

    I'm not an Android developer, but I did a quick Google search and it looks like it's pretty commonly done, though extra permissions are needed.

  • Re: (Score:2, Interesting)

    Comment removed based on user account deletion
    • That said, the claimed reasons for the concern may have some validity to them. The American government has an interest in a monopoly on intelligence about its citizens.

      They can't do that to our citizens! Only we can do that to our citizens! [youtube.com]

    • by raymorris ( 2726007 ) on Tuesday August 11, 2020 @09:09PM (#60392127) Journal

      That statement gets four Pinocchios. Totally false.

      The most recent national security review of Tik Tok was widely published in 2019:
      https://www.nytimes.com/2019/1... [nytimes.com]

      Senators Chuck Schumer (a leading Democrat) and Tom Cotton (R, Arkansas) requested the administration conduct the probe after Bytedance violated the terms of the original acquisition.

      When Bytedance first tried to buy Musical.ly (US Tik Tok), Bytedance promised regulators that they would keep the US app separate and not merge it with the Chinese app, Tik Tok, which is heavily influenced by the Chinese government. Violating that is why the head DEMOCRAT in the Senate asked the administration to conduct this national security review.

      I don't know if you made up that lie, or repeated it after hearing it elsewhere. If you heard it elsewhere, somebody has been blatantly lying to you, taking you for a fool.

      • Comment removed based on user account deletion
        • Just his cabinet lol (Score:5, Informative)

          by raymorris ( 2726007 ) on Wednesday August 12, 2020 @12:06AM (#60392485) Journal

          I don't know if you're aware, but Steven Mnuchin, who led the probe into Tik Tok and Bytedance, is a member of Trump's cabinet. He's the guy mentioned in the article.
            He's the same guy who has been in the news this week announcing the president's executive orders regarding covid relief, and is the president's chief negotiator with the Dems for the covid bills.

          This government also fined Bytedance over data collection violations in February 2018 - more than two years before the Tulsa rally.

          Your post was utter bullshit and if you didn't know that when you wrote it, you do now. And here is a key point - everybody else reading this thread knows that too. At this point, trying to "look good" by claiming the opposite of the facts will utterly backfire on you - you'll just look like a compulsive liar; you will not save face that way. Your "out" to save face is to say either of these two things:

          1. Wow, the article I had read sure was bullshit after all, thanks for the info.

          2. Ah, I hadn't heard anything about Tik Tok until recently, wasn't aware there had been years of investigations and fines paid ever since shortly after the acquisition. I hadn't heard any of that, so I had thought it all started a few months ago when I started seeing it on Slashdot. Thanks for the info.

          Those are replies that you can use to avoid looking like a total liar, a sack of crap.

      • Re: (Score:2, Informative)

        Comment removed based on user account deletion
        • by Khyber ( 864651 )

          You fucking fail at reading as it disproves your claim of "It is quite interesting that this offensive against TikTok started shortly after the Tulsa rally." when quite obviously it happened WELL BEFORE THEN.

          Go the fuck back to school.

    • right. Just that they are. Ban all the CCP malware. Can we go after Zoom, Tencent, and Netease next? Please?

    • Comment removed based on user account deletion
  • Why the hell? (Score:5, Insightful)

    by clonehappy ( 655530 ) on Tuesday August 11, 2020 @07:51PM (#60391873)

    How does Android allow any old app to pick up unique identifiers like MAC addresses?

    That's insane. I'm sure there are ways to do it on iOS too (I doubt the methods are sanctioned if so) but in my admittedly limited knowledge of mobile app development, it seems like something that the app stores would look for and reject - especially on hugely popular apps like this.

    Why would anything at the application layer ever need access to the low-level hardware address of anything?

    • iOS 7 removed the ability for apps to directly pull the Wi-Fi hardware MAC, however an easy search on StackOverflow over the years shows that people have been able to utilize IP and arp table methods for finding it.

      iOS 14 is going to introduce randomized Wi-Fi MAC addresses as well, but how that works for apps I don't know yet.

      • Re:Why the hell? (Score:5, Interesting)

        by Solandri ( 704621 ) on Tuesday August 11, 2020 @09:42PM (#60392227)
        Android removed the ability for apps to get the MAC address too. It just seems that older versions were never patched to remove this capability.

        IPv6 is a bigger threat I think. The use of NAT with IPv4 unintentionally had the positive effect of obfuscating individual computers on the Internet. IPv6 has enough addresses that there's no need for anything like NAT, so each address becomes a globally unique identifier [google.com].

        Going forward, I think what's going to happen is that the physical network layer is going to be virtualized before giving non-OS software access to it. So your physical MAC address may be 01:23:45:67:89:0A but only the OS sees this. The virtualization layer presents this as a different number to any apps which are running, and handles the translation between the real and virtual address in packets.

        Randomized MAC addresses are better in that they also prevent identification of the hardware from the local network side. But introduces the possibility of address collisions. The whole point of IPv4, IPv6, and MAC addresses is to prevent collisions - that's why there are so many of them, and we have to come up with band-aid fixes when they run out (like NAT in IPv4). So there are pros and cons to randomizing the MAC address. Back in the late 1990s when SSL was relatively new, my workplace was behind a NAT. I was browsing Amazon and somehow ended up with someone else's login token (I assume someone also at my company who was browsing Amazon at the same time). I could browse their order history, and presumably I could've placed an order using their billing info. That's the risk that's introduced when you switch to an identifier scheme which can potentially result in ID collisions, like randomized MAC addresses. (Of course if the address space is huge, the odds of a collision can be incredibly low. There are something like 280 trillion possible different MAC addresses. The problem is more with your randomization algorithm being only pseudo-random, so collisions end up being more common due to your address generation only being pseudo-random.)
        • Re:Why the hell? (Score:4, Informative)

          by karmatic ( 776420 ) on Wednesday August 12, 2020 @01:27AM (#60392657)

          and handles the translation between the real and virtual address in packets.

          ... which does absolutely nothing when the app can connect to a server, which will tell the app what its IP address is.

          • But with IPv6 there is no reason for IP addresses to change, ever, regardless of which network the device is on. Connecting to your home WiFi? Got your IP. Connecting to your work WiFi? Now I know where you live and work. Friends? Mistresses? Retail shops? You can now be tracked everywhere you go by anyone, not just your mobile provider.

            IPv6 not only obviates the need for NAT, it removes the capability for it entirely. Welcome to persistent tracking everywhere.

        • Most IPv6 implementations will use your MAC address (via EUI64) to create your IPv6 address, this way it is more determinate. However, just like with IPv4, one host can (and always does) have multiple IPv6 addresses, and thanks to NDP (which replaces ARP) you can discover if a pseudorandom IP address is in use before you begin using it. If it is, just generate a new address and repeat. Some IPv6 implementations already do exactly this (I know that, for example, Windows 10 implements IPv6 IP address randomiz
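The EUI-64 derivation described in the comment above, and the randomized-MAC collision question raised earlier in this sub-thread, as an added example that is not part of the thread or of any vendor's code (Python written for this edit; the MAC, the /64 prefix and the sample addresses are constructed values). It shows how a SLAAC address built from the hardware MAC hands that MAC to any server the device talks to, how a tracker reverses the transform, what a locally-administered random MAC looks like, and how small the birthday-bound collision risk actually is for 46 random bits:

```python
"""Added example, not code from the Slashdot thread or from TikTok/Google.

- mac_to_eui64_iid / eui64_address: the modified EUI-64 construction from
  RFC 4291 Appendix A (split the MAC, insert 0xFFFE, flip the U/L bit).
- mac_from_eui64_address: the reverse transform a tracker applies to an
  IPv6 source address seen at its server.
- random_local_mac: a randomized MAC in the style of 802.11 MAC
  randomization: 46 random bits, locally-administered bit set, unicast.
- collision_probability: birthday-bound estimate for n random identifiers.
All MAC/prefix/address values in __main__ are constructed samples.
"""
import ipaddress
import secrets

FFFE = b"\xff\xfe"


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (8 bytes) from a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytearray(raw[:3] + FFFE + raw[3:])
    iid[0] ^= 0x02  # invert the universal/local bit (RFC 4291 App. A)
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """SLAAC-style address: /64 prefix followed by the EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix")
    packed = net.network_address.packed[:8] + mac_to_eui64_iid(mac)
    return ipaddress.IPv6Address(int.from_bytes(packed, "big"))


def mac_from_eui64_address(addr: str):
    """Recover the hardware MAC from an EUI-64-derived IPv6 address.

    Returns None when the IID lacks the 0xFFFE marker, i.e. the host used a
    privacy/random IID (RFC 4941) or some other scheme, so nothing leaks.
    """
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != FFFE:
        return None
    iid[0] ^= 0x02  # undo the U/L flip
    mac = iid[:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def random_local_mac() -> str:
    """46 random bits; U/L bit set so it cannot collide with a vendor OUI,
    I/G bit clear so it is a valid unicast source address."""
    b = bytearray(secrets.token_bytes(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)


def is_locally_administered_unicast(mac: str) -> bool:
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02) and not (first & 0x01)


def collision_probability(devices: int, bits: int = 46) -> float:
    """Birthday bound: P(any collision) ~= n^2 / 2^(bits+1) for n random IDs."""
    return devices * devices / 2 ** (bits + 1)


if __name__ == "__main__":
    sample_mac = "00:1b:63:84:45:e6"  # constructed sample MAC
    addr = eui64_address("2001:db8:1234:5678::/64", sample_mac)
    print("SLAAC address:", addr)
    print("MAC recovered by a server:", mac_from_eui64_address(str(addr)))
    print("privacy address leaks:", mac_from_eui64_address("2001:db8::1a2b:3c4d:5e6f:7a8b"))
    r = random_local_mac()
    print("randomized MAC:", r, "locally administered:", is_locally_administered_unicast(r))
    print("P(collision) among 1000 randomized MACs:", collision_probability(1000))
```

The U/L bit is the thing to remember from both directions: a vendor-burned MAC has it clear, so the EUI-64 transform sets it and the `ff:fe` in the middle of the IID is a reliable "this host leaked its MAC" marker; a randomized MAC has it set from the start, which is also why a random MAC can never collide with a real one, only with another random one, at roughly n²/2⁴⁷ odds.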

    • I've had many of my favorite lan tools stop working because iOS and iPadOS stopped programs from getting MAC addresses since iOS 11. So I think we're talking 2018 or even 2017 that this exploit no longer worked on the gold releases from Apple.
    • It's no longer available. Certain apps such as WiFi scanners get info about the network interface. That data used to be something like the output of ipconfig, including by chance the mac address.

      The Mac address is no longer included.

  • I'm scouring this link and others like it and I can't find which MAC address they were gathering from Android.

    I'm assuming they're talking about the phone Wi-Fi MAC address, which in the case of Android 10 is by default set to use a randomized MAC for a Wi-Fi connection and not the phone MAC.

    Not an Android developer here but if you're going to add that feature for Wi-Fi but still allow apps to access the Phone MAC when that's being used, welp, I don't know what we expected to happen.

  • I mean, forget the Communist China angle for a second and just think about major actors in the social media space. Is there a single one you could give even a 5 out of 10 on 'trustworthy'?

    It's fun to rip on them because of their dictator overlords, but a lot of their tactics are straight from Twitter or Facebook.
    • Slashdot is as even-handed as it gets.

      Then again, our culture here values citations and facts (and rewards those). The editors have a very light touch with comments. Generally, if you managed to post it, it stays.

      Exceptions have been made for copyrighted material, but otherwise, Slashdot is still the most active/least censored forum out there. There's no all-powerful moderators with fiefdoms.

    • As usual, USA invents something and China copies it.

  • we constantly update our app to keep up with evolving security challenges

    So..they patch their app frequently to exploit newly discovered security holes when people are patching the old ones elsewhere or are otherwise able to track the intrusion?

  • They’re collecting the IMEI now?

    • System Programmer here. MAC addresses can still be easily harvested because memory can be scoured for evidence, as freed memory is not automatically XOR'ed to zeros (garbage collection harvesting). Even the drivers are crap, as in looking for a developer flag to be toggled. Secondly things like memory cards and unique battery id numbers can be harvested. CPU id's there is endless unique things to grab and steal. In theory these issues could be fixed, but that would hurt those who know the intentional loopho
  • But, the CCP would NEVER violate rules or laws! They only exist to protest "The People"! ROFL

    Seriously though, does it honestly surprise anyone that the CCP ignores rules and agreements, and does whatever the hell they want?

    (Cue the Trump haters that will respond to my post with "Orange man bad!" or "Well, the US does it too!". lol)

  • The identifiers collected by TikTok, called MAC addresses,

    So much for news for nerds :-(

  • "MAC addresses, are most commonly used for advertising purposes"

    No, that is not their most common use, not by a very wide margin. It may be a fairly common auxiliary use, but I guarantee the use of MAC addresses for their intended purpose (i.e., allowing data-link-layer equipment and firmware and such to route packets to the correct physical device on any given physical network segment) is overwhelmingly more common. Most types of computer networks that are currently in widespread use, would not work at a
  • China uses this money to continue to create viruses while monitoring us. china win twice.
  • This is the problem with browser security and Android security. The target audience isn't the user / owner of the device. It's the advertisers. Google could implement secure systems to prevent userspace applications from getting unique IDs, like the MAC, without overt user consent. Instead they document "security" policies that requires bad actors to cooperate. It'll never work.

    In these environments, it's the user that untrusted, not the third party code.
