Thousands of Android apps bypass Advertising ID to track users

Six years after it was introduced, it looks as if Android’s Advertising ID (AAID) might no longer be the privacy forcefield Google claimed it would be.

New research by AppCensus has found that 18,000 Play Store apps, many with hundreds of millions of installs, appear to be sidestepping the Advertising ID system by quietly collecting additional identifiers from users’ smartphones in ways that can’t be blocked or reset.

Among the best-known offenders were news app Flipboard, Talking Tom, Clean Master AV Cleaner & Booster, Battery Doctor, Cooking Fever, and Cut the Rope Full Free, which were found to be sending data to advertising aggregators.

But what is the Advertising ID and why does it matter?

Few Android users pay much attention to it, but in 2013 the Advertising ID seemed like a great idea.

At that time, apps were allowed to collect a lot of data unique to the user’s device, such as its Android ID, IMEI number, hardware MAC address, and SIM serial card number – any one or combination of which could be used to track and profile users.

Under the Advertising ID system (also introduced by Apple as the Advertising Identifier) app makers would no longer be allowed to collect “persistent” identifiers and would instead capture an anonymous string that could be periodically reset by the user.

Android users can find and reset the Advertising ID through Settings > Google (Services & Preferences) > Ads. 

In theory, performing a reset sends ad profilers back to square one because the ID being tracked before and after the reset will be different.

However, AppCensus’s research shows that a large number of app makers are not only checking the Advertising ID but also persistent identifiers, particularly the Android (device) ID and IMEI number.

Against the rules

The device ID and IMEI, of course, are specific to each device and can’t be changed, so tracking them is a powerful identifier. AppCensus argues that by tracking these identifiers in addition to the Advertising ID, app makers are breaching Google’s Play Store policy. This states:

The advertising identifier must not be connected to personally-identifiable information or associated with any persistent device identifier (for example: SSAID, MAC address, IMEI, etc.) without explicit consent of the user.

The question is what, if anything, the Android Advertising ID is for if apps and their advertising clients are able to subvert its intended purpose without appearing on Google’s radar.

It’s the same device fingerprinting controversy that in 2017 brought Apple and Uber into conflict with one another.

Google’s response is that it has taken action against an unspecified number of the apps on the AppCensus list and that the collection of identifiers was only allowed to stop problems such as fraud detection. It told CNET:

We take these issues very seriously. Combining Ad ID with device identifiers for the purpose of ads personalization is strictly forbidden. We’re constantly reviewing apps – including those listed in the researcher’s report – and will take action when they do not comply with our policies.

Anyone who wants more background on the data being collected by a specific app can find it via the AppCensus database tool.