Mobile privacy research group AppCensus has discovered 18,000 Android applications that violate Google Play’s advertising identifier (ad ID) policies and users’ privacy.
The ad ID is a persistent identifier introduced in 2013 on both Android and iOS to make it easier for users to preserve their privacy. Both Apple and Google forbid the sharing of a device’s ad ID alongside other identifiers, to prevent user tracking.
Before the ad ID, the various persistent identifiers used by mobile applications couldn’t be erased in an easy manner, which made it possible to effortlessly track users across websites. Such identifiers include the Android ID, the device’s serial number, IMEI, WiFi MAC address, SIM card serial number, and the like.
While these persistent identifiers can’t be erased (the Android ID requires a factory reset, which involves deleting all data on the device), the ad ID can be reset at will, just like cookies in a browser.
As this was meant to provide users with increased control over their privacy, policies put in place prohibit the sharing of the ad ID alongside other persistent trackers, so as to prevent continuous user tracking if the ad ID has been reset.
“The advertising identifier must not be connected to personally-identifiable information or associated with any persistent device identifier (for example: SSAID, MAC address, IMEI, etc.) without explicit consent of the user,” Google notes in Play’s developer policy center.
What AppCensus discovered, however, was that tens of thousands of applications did not comply with the policy, and that they did transmit the ad ID alongside other persistent identifiers to advertisers.
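An added example, not AppCensus’s tooling or code from the original article: one way to check captured app traffic for the co-transmission described above, assuming a test device whose identifiers are known in advance. The device values, hostnames and parameter names are constructed, and the MD5/SHA-1 matching is an assumption about how identifiers might be encoded on the wire.

```python
import hashlib
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed test-device profile (all values are made up for this example).
DEVICE = {
    "ad_id": "38400000-8cf0-11bd-b23e-10b96e40000d",
    "android_id": "9774d56d682e549c",
    "imei": "490154203237518",
    "wifi_mac": "02:00:5e:10:00:ff",
}

def variants(value):
    """Forms a value may take on the wire: raw, separator-stripped, MD5/SHA-1 hex."""
    forms = {value.lower(), re.sub(r"[:\-]", "", value).lower()}
    for form in list(forms) + [value.upper()]:
        forms.add(hashlib.md5(form.encode()).hexdigest())
        forms.add(hashlib.sha1(form.encode()).hexdigest())
    return forms

NEEDLES = {name: variants(value) for name, value in DEVICE.items()}

def identifiers_in(url, body=""):
    """Names of device identifiers found in a URL query string or form-encoded body."""
    found = set()
    for _, val in parse_qsl(urlsplit(url).query) + parse_qsl(body):
        found |= {n for n, forms in NEEDLES.items() if val.lower() in forms}
    return found

def violations(flows):
    """Map host -> persistent identifiers it received in the same request as the ad ID."""
    report = {}
    for url, body in flows:
        ids = identifiers_in(url, body)
        if "ad_id" in ids and len(ids) > 1:
            report.setdefault(urlsplit(url).hostname, set()).update(ids - {"ad_id"})
    return report

# Constructed captures: (request URL, form-encoded body).
FLOWS = [
    ("https://ads.example.net/v1/imp?gaid=38400000-8cf0-11bd-b23e-10b96e40000d"
     "&aid=9774d56d682e549c", ""),
    ("https://track.example.org/e", "idfa=38400000-8CF0-11BD-B23E-10B96E40000D"
     "&dev=" + hashlib.md5(b"490154203237518").hexdigest()),
    ("https://cdn.example.com/cfg?adid=38400000-8cf0-11bd-b23e-10b96e40000d", ""),
]

if __name__ == "__main__":
    for host, ids in violations(FLOWS).items():
        print(host, "received ad ID with:", ", ".join(sorted(ids)))
```

The check only inspects URL-encoded query strings and form bodies; identifiers carried in JSON or other encodings would need an additional parser.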
In September 2018, of the 24,000 apps found to transmit the ad ID, 17,000 would transmit it alongside another persistent identifier, and AppCensus reported them to Google. The issue, however, remains unsolved.
In fact, AppCensus says there are 18,000 applications in violation of Google Play’s ad ID policy at the moment, including some highly popular programs that have hundreds of millions of users in Google Play.
The top 5 most popular such applications are “Clean Master – Antivirus, Cleaner & Booster” and “Subway Surfers”, each with over 1 billion downloads, and “Flipboard: News For Our Time”, “My Talking Tom”, and “Temple Run 2”, with over 500 million downloads each. The remaining 15 apps in the top 20 most popular have over 100 million downloads each.
“All of the domains receiving the data in the right-most column are either advertising networks, or companies otherwise involved in tracking users’ interactions with ads,” AppCensus says.
The company also notes that Google hasn’t provided it with any information on the issue, although the report was submitted 5 months ago and the number of applications violating the ad ID policy has increased in the meantime.
“The problem with all of this is that Google is providing users with privacy controls (see above image), but those privacy controls don’t actually do anything because they only control the ad ID, and we’ve shown that in the vast majority of cases, other persistent identifiers are being collected by apps in addition to the ad ID,” AppCensus notes.