The Android app TikTok secretly stole important ID numbers from millions of users' phones and smuggled them out of Google's watchful eye by wrapping them in an unusual layer of encryption, yesterday (August 11), The Wall Street Journal reported.

The ID number, known as a MAC address, is a unique 12-digit hexadecimal (base 16 for numbers) code. Every device in the world that uses Wi-Fi, Ethernet, or Bluetooth, from supercomputers to smartphones to smartwatches, has at least one MAC address.

MAC addresses cannot be changed and can be used to permanently identify individual devices.

Google blocks Android apps from reading device MAC addresses and prohibits their collection, but TikTok appears to have used a known workaround to collect MAC addresses. It then sent the MAC addresses to the servers of ByteDance, TikTok's parent company, and may have used a special means of encryption to conceal its actions from Google, according to The Journal.

"This is a way to allow them to track users over time without having to opt out," Joel Reardon, a mobile app expert, told The Journal." I don't see any other reason to collect it."

Citing concerns that the Chinese government may be using TikTok to spy on Americans, U.S. President Donald Trump threatened earlier this month to ban TikTok from the U.S. market unless it was sold to an American company by mid-September. Microsoft is reportedly interested in acquiring TikTok from ByteDance.

In a statement to TechCrunch, TikTok said: "The current version of TikTok does not collect MAC addresses. We have never provided TikTok user data to the Chinese government and would not do so even if asked."

The company also stated that it "does not collect MAC addresses.

Google and Apple allow apps to track smartphones using ad IDs, but these ad IDs change periodically and users can refuse to be assigned an ad ID. Users can also reset their ad IDs manually.

Experts interviewed by the Journal suspect that TikTok "bridges" ad IDs using MAC addresses, linking expired IDs to newly issued IDs so that individual devices can be better tracked.

Using a car metaphor, the ad ID is like a car license plate; the MAC address is like a vehicle identification number stamped under the windshield.

According to The Journal's testing, TikTok stopped collecting MAC addresses after an update to its app in November 2019. Google told The Journal that it is investigating the issue.

The Journal, which investigated updates to nine different versions of the TikTok Android app, said MAC address collection had been in place since at least April 2018; it is not clear whether the same thing was happening on the iPhone.

TikTok was not the only app collecting MAC addresses, The Journal said, citing a study by Reardon's company AppSense, which estimated that about 1% of Android apps were doing so in 2018; The Journal added that other than MAC addresses, TikTok did not collect an unusual amount of user data.

However, the fact that TikTok concealed the MAC address data with a layer of encryption is certainly unusual, especially since all data passing between the ByteDance server and TikTok users was already encrypted in the usual way, cybersecurity expert Marc Rogers, a cybersecurity expert, told The Journal.

"I think the reason they do that is to avoid detection by Apple or Google," Rogers told The Journal. 'If Apple or Google saw them sending back these identifiers, they would almost certainly reject the app.'