TikTok, the wildly popular but highly controversial social media app from Chinese tech company, ByteDance, was reportedly collecting the MAC addresses of millions of Android phones without user consent. According to mobile security experts quoted by The Wall Street Journal, the app was using an “unusual added layer of encryption” for its covert data-collection that the report says violated the Google Play Store’s privacy policies. The app, however, discontinued the practice in November, says the report.

Surreptitious data collection is one of the reasons that TikTok finds itself in trouble in its two largest markets – India and the US. While the former has already banned the app as part of  larger crackdown on Chinese apps, the US president has threatened similar action if ByteDance doesn’t sell-off us operations of the app to a US-based owner by September 15.

Meanwhile, in response to the WSJ’s questions on its data-collection practices, ByteDance said that it is “committed to protecting the privacy and safety of the TikTok community”. “Like our peers, we constantly update our app to keep up with evolving security challenges”, it said. The company didn’t deny the report, but claimed that “the current version of TikTok does not collect MAC addresses”. Google is yet to release an official statement on the matter.

With the threat of an imminent ban in the US, TikTok is in frantic negotiations with Microsoft to sell its US operations. The Redmond giant has already confirmed that it is in talks with the beleaguered Chinese company for a deal that could be in billions of dollars. In fact, Microsoft is also reportedly looking to buy the app’s India operations, although, there’s not a lot of info on that front at this point.