Naked Security

Thousands of Android apps bypass Advertising ID to track users

Six years after it was introduced, it looks as if Android’s Advertising ID (AAID) might no longer be the privacy forcefield Google claimed it would be.

New research by AppCensus has found that 18,000 Play Store apps, many with hundreds of millions of installs, appear to be sidestepping the Advertising ID system by quietly collecting additional identifiers from users’ smartphones in ways that can’t be blocked or reset.

Among the best-known offenders were news app Flipboard, Talking Tom, Clean Master AV Cleaner & Booster, Battery Doctor, Cooking Fever, and Cut the Rope Full Free, which were found to be sending data to advertising aggregators.

But what is the Advertising ID and why does it matter?

Few Android users pay much attention to it, but in 2013 the Advertising ID seemed like a great idea.

At that time, apps were allowed to collect a lot of data unique to the user’s device, such as its Android ID, IMEI number, hardware MAC address, and SIM card serial number – any one or combination of which could be used to track and profile users.

Under the Advertising ID system (also introduced by Apple as the Advertising Identifier) app makers would no longer be allowed to collect “persistent” identifiers and would instead capture an anonymous string that could be periodically reset by the user.

Android users can find and reset the Advertising ID through Settings > Google (Services & Preferences) > Ads. 

In theory, performing a reset sends ad profilers back to square one because the ID being tracked before and after the reset will be different.

However, AppCensus’s research shows that a large number of app makers are collecting not only the Advertising ID but also persistent identifiers, particularly the Android (device) ID and IMEI number.
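The following audit sketch is an added example, not AppCensus's tooling or code from the original article. It flags captured outbound requests that carry an Advertising ID together with a persistent identifier, and shows how one unchanged IMEI ties the pre-reset and post-reset IDs together. It assumes identifiers travel unhashed as URL query parameters; the app names, host and ID values are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

AAID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)  # UUID format
ANDROID_ID_RE = re.compile(r"[0-9a-f]{16}", re.I)  # typically a 64-bit value in hex

def luhn_ok(digits):
    """IMEIs end in a Luhn check digit; this filters out random 15-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(value):
    if AAID_RE.fullmatch(value):
        return "aaid"
    if ANDROID_ID_RE.fullmatch(value):
        return "android_id"
    if re.fullmatch(r"\d{15}", value) and luhn_ok(value):
        return "imei"
    return None

def audit(flows):
    """flows: iterable of (app, url). Returns (findings, bridged)."""
    findings, bridged = [], defaultdict(set)
    for app, url in flows:
        parts, seen = urlsplit(url), defaultdict(set)
        for _, value in parse_qsl(parts.query):
            kind = classify(value)
            if kind:
                seen[kind].add(value)
        aaids = seen.pop("aaid", set())
        if aaids and seen:  # resettable ID sent together with a persistent one
            findings.append((app, parts.hostname, sorted(seen)))
            for pid in set().union(*seen.values()):
                bridged[(parts.hostname, pid)] |= aaids
    return findings, bridged

# Constructed sample traffic: the same device before and after an Advertising ID reset.
AAID_OLD = "11111111-2222-4333-8444-555555555555"
AAID_NEW = "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"
IMEI = "490154203237518"  # constructed value that passes the Luhn check
FLOWS = [
    ("com.example.game", f"https://ads.example.net/t?adid={AAID_OLD}&imei={IMEI}"),
    ("com.example.game", f"https://ads.example.net/t?adid={AAID_NEW}&imei={IMEI}"),
    ("com.example.notes", f"https://ads.example.net/t?adid={AAID_OLD}"),
]

if __name__ == "__main__":
    for key, aaids in audit(FLOWS)[1].items():
        print(key, "links", len(aaids), "advertising IDs")
```

Any entry in `bridged` holding more than one Advertising ID means the reset did not break the profile at that endpoint.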

Against the rules

The device ID and IMEI, of course, are specific to each device and can’t be changed, which makes them powerful identifiers for tracking. AppCensus argues that by tracking these identifiers in addition to the Advertising ID, app makers are breaching Google’s Play Store policy. This states:

The advertising identifier must not be connected to personally-identifiable information or associated with any persistent device identifier (for example: SSAID, MAC address, IMEI, etc.) without explicit consent of the user.

The question is what, if anything, the Android Advertising ID is for if apps and their advertising clients are able to subvert its intended purpose without appearing on Google’s radar.

It’s the same device fingerprinting controversy that in 2017 brought Apple and Uber into conflict with one another.

Google’s response is that it has taken action against an unspecified number of the apps on the AppCensus list and that the collection of identifiers was allowed only for purposes such as fraud detection. It told CNET:

We take these issues very seriously. Combining Ad ID with device identifiers for the purpose of ads personalization is strictly forbidden. We’re constantly reviewing apps – including those listed in the researcher’s report – and will take action when they do not comply with our policies.

Anyone who wants more background on the data being collected by a specific app can find it via the AppCensus database tool.

6 Comments

After reading this article, I realized that your personal information, which is supposed to be confidential, could be spread out to some strangers out there. Scary world. Thanks for the article.


I thought we had a constitutional right to privacy in the US. Anyone checking any data without someone’s permission should be put in prison. Tracking and taking users’ information is nothing but stalking and stealing.


So what is the point of pretending an “advertising ID” would be useful if you can query the IMEI and device ID from any app on the device? That’s globally unique identification, burned into the handset, that can’t be changed… I never thought that playing a free game would set me up to have my device cloned. Wow.


Anyone else notice that the ability to see/reset the advertising i.d. has silently been removed by Google? The method shown in this article no longer works.


Any Android latest-version users know where the option has got to? Google’s own advice still largely matches what’s in the article:
https://support.google.com/googleplay/android-developer/answer/6048248
