18,000 Android Apps Found to be Breaking Play Store User Tracking Rules

According to the AppCensus blog, over 18,000 Android apps were found to be breaking a Google Play policy that forbids them from tracking users using indelible hardware-based persistent identifiers. What this means is that even if you reset your identifiers – the thing that third parties, principally ad networks, use to identify you or your device – those third parties would still be able to identify you as if you never did the reset. Let me explain.

First, we need to define what a persistent identifier is. Simply put, a persistent identifier is a unique code that can be used to identify you or your device. Think of it as your phone’s social security number. Ad networks, for instance, use persistent identifiers to identify and profile you. So when you’re using apps on your phone, and those apps want to send data to advertising networks, each app will include the persistent identifier unique to your device along with the data it sends, which, in turn, allows the network to know that the data coming from all those different apps belongs to the same person.

Software vs Hardware

But there are two types of persistent identifiers. Software-based identifiers, which are generated by the software and can be reset, and hardware-based identifiers, which can be your device’s serial number, IMEI, WiFi MAC address, SIM card serial number, and so on. Those hardware-based identifiers are permanently associated with the device and cannot be reset.

Hardware-based identifiers obviously pose a problem for people who want to stop networks from tracking them or to wipe their slate clean with the network. They are, after all, an indelible mark on your phone.

So in order to protect their users’ right to privacy, both Google and Apple created a software-based persistent identifier, which they dubbed ‘ad ID’, and gave users the ability to reset it at will. Furthermore, to make the change effective, both companies forbade developers from sending other identifiers alongside the ad ID without explicit consent from the users. Clearly, sending a hardware-based identifier along with the ad ID would defeat the privacy-preserving properties of the ad ID completely: the hardware identifier stays the same across a reset, so the network can tie the new ad ID back to the old one.

But it seems that a large number of developers have completely ignored those rules, as research from the International Computer Science Institute has found. According to their blog, as many as 18 thousand apps on the Play Store still combine a hardware-based identifier with the ad ID. Those apps included Angry Birds Classic, Temple Run 2, as well as Audiobooks by Audible and Flipboard.
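The following is an added example, not code from the article or from the researchers: a small audit that flags outbound requests carrying the ad ID together with a hardware identifier, in raw, URL-encoded, or hashed form. It assumes you have captured request bodies from a test device whose identifiers you know; every identifier and hostname below is constructed.

```python
import hashlib
from urllib.parse import unquote_plus

# Constructed identifiers of a hypothetical test device (not real values).
AD_ID = "38400000-8cf0-11bd-b23e-10b96e40000d"
HARDWARE_IDS = {
    "imei": "356938035643809",
    "wifi_mac": "02:00:5e:10:00:01",
    "serial": "ZX1G42CPJD",
}

def variants(value):
    """Lowercased raw and separator-free forms, plus MD5/SHA-1/SHA-256 of each in both cases."""
    base = value.lower()
    forms = {base, base.replace(":", "").replace("-", "")}
    for form in list(forms):
        for cased in (form, form.upper()):
            for algo in ("md5", "sha1", "sha256"):
                forms.add(hashlib.new(algo, cased.encode()).hexdigest())
    return forms

def audit(requests):
    """Return (host, [hardware id names]) for requests carrying the ad ID plus a hardware ID."""
    ad_forms = variants(AD_ID)
    hw_forms = {name: variants(v) for name, v in HARDWARE_IDS.items()}
    findings = []
    for host, body in requests:
        text = unquote_plus(body).lower()
        if not any(f in text for f in ad_forms):
            continue  # no ad ID present, so nothing is being bridged to it
        leaked = sorted(n for n, forms in hw_forms.items() if any(f in text for f in forms))
        if leaked:
            findings.append((host, leaked))
    return findings

# Constructed captures: (destination host, request body).
SAMPLE = [
    ("ads.example.net", "adid=38400000-8cf0-11bd-b23e-10b96e40000d&imei=356938035643809&sn=ZX1G42CPJD"),
    ("track.example.org", "gaid=38400000-8CF0-11BD-B23E-10B96E40000D&h="
        + hashlib.sha1(b"02005e100001").hexdigest()),
    ("cdn.example.com", "adid=38400000-8cf0-11bd-b23e-10b96e40000d&lang=en"),
    ("api.example.io", "device=356938035643809"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Hashing does not make the hardware identifier resettable, which is why the hashed MAC address in the second capture is flagged the same way as the raw IMEI in the first.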

The Institute submitted those findings to Google about 5 months ago, but has yet to hear back from the search giant.